With attacks on US critical infrastructure on the rise, ransomware has become a leading threat in national security.

In the past year, bad actors have taken our hospitals offline, prevented us from accessing oil and gas resources, and disrupted our food supply chain. After May 2021’s Colonial Pipeline attack – a cyber threat ending in the payment of a $4.4 million ransom – two things became abundantly clear:

  1. These attacks are as severe as they are swift, and
  2. US public and private sector companies are ill-equipped to defend themselves in the increasingly prevalent cyber war  
 
In response to these attacks, the President Biden recently administered an Executive Order aimed directly at tackling the cybersecurity challenges facing the United States.
 
But what does the EO do in practice? Does it have any implications for the private sector? Does it signal incoming change with regard to compliance mandates? 
 
To understand the latest executive order, it’s important to understand the context in which it was created. In order to that, we must examine the recent cyber incidents and their implications on critical infrastructure. 
 

Recent Ransomware Attacks on US Infrastructure

 

Solarwinds Orion Attack – December 2020

What Happened in the Solarwinds Cyber Attack

During the SolarWinds’ Orion attack, the inclusion of a few seemingly harmless lines of code in a single DLL file posed a major threat to companies in both the private and public sector and eventually led to breaches for many who leveraged the application. The widely-used IT management software application is leveraged across verticals such as the US government and the security industry.

Solarwinds Impact

The backdoor, which was hidden in the DLL and consisted of approximately 4,000 lines of code, allowed the threat actor behind the attack to operate freely in compromised networks.

 

Colonial Pipeline Attack – May 2021

What Happened in the Colonial Pipeline Attack

According to cybersecurity experts, Colonial may not have used cutting-edge safeguards, such as software agents that actively scan networks for irregularities and are configured to detect known threats. As a result, the ransomeware group known as DarkSide leveraged penetration tools to initiate a ransomware attack on the Colonial Pipeline.  

DarkSide’s Colonial Pipeline Attack Impact

The Colonial Pipeline transports around 45 percent of the petroleum consumed along the Eastern seaboard. Because of this attack, this vital US pipeline was shut down for days, impacting millions of people who could not get gas for days. 

 

Kaseya Attack – July 2021

What Happened in the Kaseya Attack

REvil, the notorious ransomware-as-a-service gang, used the forthcoming July 4th holiday weekend to launch a crippling supply chain attack against Kaseya and the MSPs that utilize the software to monitor their customers’ infrastructure, together with the end customer organizations themselves.

According to reports from customers and others, endpoints managed by Kaseya’s VSA on-premises software were acting abnormally. Following that, customer reports confirmed that ransomware was being executed on endpoints. 



What the Biden Executive Order on Cybersecurity Covers

 

Transparency & Reporting between Sectors

This is a good thing, as this reporting to/from the private and public sector will increase visibility to these attacks. What this could mean is that the tactics, techniques, and procedures (TTPs) exposed could lead to better protection mechanisms in security controls. It will also lead to speed and accuracy in the remediation of potential attacks.

Establishment of New Cybersecurity Safety Board

The new cybersecurity safety board will be co-led by private and public sector individuals.  This group will meet after significant cyber events or breaches to learn from these and make recommendations to the public on how to avoid future events. These lessons learned could provide information to strengthen security software code, or change how security analysts interpret events and hunt for malware in the future.

Improvement of the Software Supply Chain via Approved Software Ratings Program

This will result in better coded, more secure software. It also mandates a pilot program to create a certification (comparable to the “energy star” badge) type of label so the government and the private sector can determine whether the software was developed securely, instilling some degree of confidence for the parties investing in the software.

With this program in place, software shouldn’t be shipped with the sometimes “built-in vulnerabilities” we’ve all become used to over time. Of course, this will reduce – not eliminate – cyber incidents in the future. 

If this order were passed sooner, it’s possible that the “approved software” rating program might have kept an event like the Solarwinds attack from happening at some point in the future. 

Related Reading: Does CMMC Immunize You to Ransomware?

 

Where the Executive Order Falls Short 

Lacks Private Sector Mandates

There are a few suggestions in the EO, but no real teeth (or enforcement) for the private sector. Therefore, so long as private sector SecOps teams are treated as Cost Center vs. Profit Centers, it’s likely not much will change. 

That said, with the increasing public focus on cybersecurity, companies who make cybersecurity a priority could differentiate themselves in their respective markets. With the rise of third-party risk, partners might feel better about doing business with, and customers having their data stored with companies they knew were more secure.

Congressional Gridlock

The other option could be in extending the EO to the private sector. The only caveat here is if the feds mandate something on this side of the fence, they’d most likely have to subsidize those efforts. 

While this seems like great idea in theory, a nationwide mandate to enhance our collective cybersecurity hygiene, would be difficult to get passed amidst the partisan gridlock in the US Congress.

 

 

Future Implications of the Executive Order

 

Enhanced Security in the Software Supply Chain, Mitigating 3rd-Party Risk

With this EO, any vendor supplying software to the public sector will have to raise their game. There will be new security standards in place, and “eliminate” indolent code that leads to security vulnerabilities. There will be a badge or rating for approved vendors letting the public (and private) sector know this software was developed using approved vendors and new standards. If private sector entities purchase from this program, they can be reasonably sure the code will be safe (i.e. not like the recent REvil – Kaseya’s VSA codebase ransomware incident). 

Preparing for this shift

Utilizing security frameworks such as the NIST Cybersecurity Framework or CMMC Certification among others to improve your cybersecurity hygiene, you could Lessen ransomware and other malware attacks within your organization. You can also engage with a third-party expert such as Avertium to get an unbiased opinion about your current security posture and remediation roadmap.

Possible Private-Sector Mandates 

The Feds providing mandates and some financial assistance could bring everyone’s security hygiene up to par.

Even for larger corporations who might be able to afford it, the request for SecOps breaks down even in the face of mandates, as no company wants to affect their bottom line. They, like smaller companies, have a finite budget to work within, and enhancing their security posture would possibly go over that budget.

Unfortunately, smaller companies represent low-hanging fruit for the RaaS Gangs and Botnet Operators… so, unless they’ve been very savvy with their security spend, it’s almost not if they’ll get attacked, but when they’ll get attacked.  

Government Cybersecurity: Working Towards Prevention & Not Response 

XDRZero Trust, Information Sharing, Enhanced Monitoring and Logging, End-user awareness training, Pen Tests, Scanning – These are but a few steps that can be implemented to increase Cyber Readiness in both the public and private sectors.

Related Reading: A Zero Trust Network Architecture (ZTNA) POV with Appgate

 

 

To Finish…

Whether the motives behind cyberattacks are revenue-driven, to steal intellectual property (IP), or to cause disruption within a nation-state, one thing is certain: these attacks will continue for the foreseeable future. 

The name of the game in 2021 is prevention.  If we don’t get out in front of these attacks, we’ll continue to see cybersecurity breaches flood news headlines, have our critical infrastructure and supply chains disrupted, and pay exorbitant amounts of money in the form of ransoms.

We have the means to reduce these attacks. So, do we want to invest in prevention? Is the price of inaction high enough yet? If not, what’s it going to take? There have been some 21,000 “reported” malware attacks so far in 2021 and we’re just now over halfway through the year. What does the rest of the year hold in store?

If the expertise within your company does not exist, or you simply do not have the cycles to implement, manage, and monitor the proper security controls, Avertium, a Trusted Advisor, can assist with Managed Security and Professional Services to plan and stand up the environment. In addition, Extended Detection and Response (XDR), and Managed Zero Trust Networking can eliminate any complexities to afford protection against ransomware and other malware attacks.

 

ransomware-trends

 

To learn more about the latest ransomware tactics and what businesses can do to stay secure, download our eBook on “Ransomware Trends in 2021“.