Thursday, November 4, 2021

We’re from the government, and we’re here to protect you

In a speech last Friday, CISA Director Jen Easterly said “her agency has kicked off an effort to identify “primary systemically important entities” to be protected from threats, often those critical to national continuity. ‘We are prototyping a variety of different approaches in our National Risk Management Center … to try and start identifying those entities that are in fact systemically important, and we are doing it based on economic centrality, network centrality, and logical dominance in the national critical functions.’” She specifically pointed to ransomware as the type of attack she’s most concerned about. Whether or not she mentioned Colonial Pipeline, you can be sure that was what was first and foremost in people’s minds.

Of course, I’m all for protecting “primary systemically important entities”. I’m also all for protecting children and small animals, Mom, the flag and apple pie. However, I’d also like to see the big money she’s evidently planning on spending do some good. And I fear that this looks like just another way for DHS to waste lots of money trying to combat imaginary threats, while the real ones aren’t even considered. A great example of that is the recent TSA pipeline security directive.

As I pointed out in a recent post, that directive requires pipeline companies to spend lots of money addressing a set of threats that seem to have been dreamed up in somebody’s Master’s thesis, but have never been seriously discussed in the real world, let alone been observed to…you know…actually happen. Meanwhile the real cause of the Colonial Pipeline outage – the fact that the loss of the billing system on the IT network required the OT network to be shut down – is nowhere even mentioned. It’s the classic “The light is better here” syndrome.

So what’s Ms. Easterly proposing? She’s talking about “protection” of critical infrastructure industries, although she didn’t use the term “critical infrastructure industry”, since so many industries (all except dry cleaners and golf courses, I believe) have been deemed critical in recent years. So now she seems to be talking about “really critical critical industries”; next it will be “really really critical critical industries”. The very fact that she’s talking about protection, and naming Russia and China as the sources of the threats, makes me believe that she’s thinking about more protections against frontal assaults on critical networks. An example of that thinking is Project Einstein, which was put in place to protect government agencies from cyberattacks, especially those coming from abroad.

How did that work? I’d say perfectly. It protected government agencies from frontal assaults on their networks, especially coming from abroad. However, did it protect those agencies from cyberattacks in general? It did that too, if you don’t take into account SolarWinds, which was neither a frontal attack nor launched from abroad. Of course, it was a supply chain attack, so it came in through an unguarded back door, not the front door. And the Russians knew all about Project Einstein, so they launched and controlled the whole attack from US-based cloud providers, not servers in Moscow or St. Petersburg. Our government protectors never saw this one coming, and many of them ended up being among the biggest victims of the attack.

Then there was Kaseya. That was a supply chain attack that launched ransomware. It ultimately compromised 1500 organizations. Once again, there was no frontal assault to defend against. Just as with SolarWinds, because the poison came from a trusted supplier, the victims cheerfully drank it.

So here’s an idea: Why doesn’t CISA start focusing on the real threat of our times, which is supply chain attacks? Sure they’re doing some good work in that area now, but rather than waste their (check that, our) money adding another lock to the 17 that are already on the front door of critical infrastructure industries, why not see what they can do to mitigate (“prevent” is probably out of the question) supply chain attacks, which always come through the back door?

The fact is that the supply chain security problem is a couple orders of magnitude bigger than the standard cybersecurity problem that CISA and other cybersecurity agencies excel at solving. Just think of it: In order to really secure Company A, you have to secure every one of their suppliers; the same goes for Companies B, C and D. Why doesn’t CISA reach out to all the suppliers to critical infrastructure industries, and find out what’s the best way to help them protect themselves from being the vector for the next big supply chain attack? And then help them put in place whatever’s required.

Of course, what’s needed will probably be different for each supplier, so this can’t be accomplished with a single big effort like Project Maginot…excuse me, Project Einstein.

But unlike Project Einstein, this might actually do some good.

 Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
