In a speech last Friday, CISA Director Jen Easterly said that her agency “has kicked off an effort to identify ‘primary systemically important entities’ to be protected from threats, often those critical to national continuity. ‘We are prototyping a variety of different approaches in our National Risk Management Center … to try and start identifying those entities that are in fact systemically important, and we are doing it based on economic centrality, network centrality, and logical dominance in the national critical functions.’” She specifically pointed to ransomware as the type of attack she’s most concerned about. Whether or not she mentioned Colonial Pipeline, you can be sure that was what was first and foremost in people’s minds.
Of course, I’m all for protecting “primary systemically important entities”. I’m also all for protecting children and small animals, Mom, the flag and apple pie. However, I’d also like to see the big money she’s evidently planning on spending do some good. And I fear that this looks like just another way for DHS to waste lots of money trying to combat imaginary threats, while the real ones aren’t even considered. A great example of that is the recent TSA pipeline security directive.
As I pointed out in a recent post, that directive requires pipeline companies to spend lots of money addressing a set of threats that seem to have been dreamed up in somebody’s Master’s thesis, but have never been seriously discussed in the real world, let alone been observed to…you know…actually happen. Meanwhile, the real cause of the Colonial Pipeline outage – the fact that the loss of the billing system on the IT network required the OT network to be shut down – is nowhere even mentioned. It’s the classic “the light is better here” syndrome.
So what’s Ms. Easterly proposing? The very fact that she’s talking about “protection” of critical infrastructure industries, and naming Russia and China as the sources of the threats, makes me believe that she’s thinking about more protections against frontal assaults on critical networks. (She didn’t actually use the term “critical infrastructure industry”, since so many industries – all except dry cleaners and golf courses, I believe – have been deemed critical in recent years. So now she seems to be talking about “really critical critical industries”. Next, it will be “really really critical critical industries”.) An example of that thinking is Project Einstein, which was put in place to protect government agencies from cyberattacks, especially those coming from abroad.
How did that work? I’d say perfectly. It protected government agencies from frontal assaults on their networks, especially those coming from abroad. However, did it protect those agencies from cyberattacks in general? It did that too, if you don’t take into account SolarWinds, which was neither a frontal attack nor launched from abroad. Of course, it was a supply chain attack, so it came in through an unguarded back door, not the front door. And the Russians knew all about Project Einstein, so they launched and controlled the whole attack from US-based cloud providers, not servers in Moscow or St. Petersburg. Our government protectors never saw this one coming, and many of them ended up being among the biggest victims of the attack.
Then there was Kaseya. That was a supply chain attack that launched ransomware. It ultimately compromised 1,500 organizations. Once again, there was no frontal assault to defend against. Just as with SolarWinds, because the poison came from a trusted supplier, the victims cheerfully drank it.
So here’s an idea: Why doesn’t CISA start focusing on the real threat of our times, which is supply chain attacks? Sure, they’re doing some good work in that area now, but rather than waste their (check that, our) money adding another lock to the 17 that are already on the front door of critical infrastructure industries, why not see what they can do to mitigate (“prevent” is probably out of the question) supply chain attacks, which always come through the back door?
The fact is that the supply chain security problem is a couple of orders of magnitude bigger than the standard cybersecurity problem that CISA and other cybersecurity agencies excel at solving. Just think of it: in order to really secure Company A, you have to secure every one of their suppliers; the same goes for Companies B, C and D. Why doesn’t CISA reach out to all the suppliers to critical infrastructure industries, and find out the best way to help them protect themselves from being the vector for the next big supply chain attack? And then help them put in place whatever’s required.
Of course, what’s needed will probably be different for each supplier, so this can’t be accomplished with a single big effort like Project Maginot…excuse me, Project Einstein.
But unlike Project Einstein, this might actually do some good.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.