The Ransomware Task Force (RTF) was originally announced in December 2020 as a broad coalition of more than 60 experts in the cybersecurity industry, government, law enforcement and international organizations coming together in the fight against ransomware.
Recently, RTF released a report that revealed that MSPs do not commonly provide comprehensive security coverage or ransomware mitigations, but if they did so, it would create a widespread positive impact for SMBs. Ryan Weeks, CISO at Datto, a founding member of the task force, talked with Security Boulevard about the recent ransomware attack on Colonial Pipeline, the risk to critical infrastructure and actions by the federal government to address cybersecurity concerns.
Security Boulevard: President Biden has announced a number of cybersecurity initiatives. Could you discuss what they are, including the new Executive Order (EO)?
Ryan Weeks: There are a number of initiatives outlined in the executive order, including multifactor authentication, end-to-end encryption, zero-trust, creation of new standards, review boards and much more. While some initiatives outlined, like multifactor authentication and end-to-end encryption, are table stakes and likely past due, other initiatives outlined will be game-changers for our nation. For example, the order calls for the need to implement more rigorous and predictable mechanisms for ensuring that products function securely and as intended. Pending guidance, the Secretary of Commerce will identify practices that enhance the security of the software supply chain, a critical step in hardening the protection of our IT infrastructure.
Under the new guidance, any organization contracted by the government will be required to publish a software bill of materials (SBOM). This means that if an organization builds a product leveraging dozens of other components and libraries, it will need to detail each individual item in a machine-readable format to help automatically inform other organizations of their dependencies and how that may affect the software users’ risk due to supply chain vulnerabilities. In my opinion, this is the most innovative idea coming out of the executive order and could potentially change the way software is developed in the U.S. and globally.
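The machine-readable dependency list described above is the part of the SBOM idea that lends itself to automation: a consumer of the SBOM can match the listed components against published advisories without any manual inventory. The following is an added illustration, not code from the original article, from Datto or from the Ransomware Task Force. It parses a constructed, minimal CycloneDX-style SBOM (JSON) and cross-references it with a constructed advisory list; the component names, versions and advisory identifiers are all made up for the example, and the version comparison is a simplified dotted-numeric compare rather than a full ecosystem-specific scheme.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for illustration only;
# the component names and versions are invented, not a real product's inventory.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.3", "purl": "pkg:pypi/examplelib@1.2.3"},
    {"type": "library", "name": "otherlib",   "version": "4.0.1", "purl": "pkg:pypi/otherlib@4.0.1"},
    {"type": "library", "name": "thirdlib",   "version": "0.9.0", "purl": "pkg:npm/thirdlib@0.9.0"}
  ]
}
"""

# Constructed advisory feed: package name plus the first version that carries the fix.
# The identifiers are placeholders, not real CVE or vendor advisory numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "examplelib", "fixed_in": "1.2.4"},
    {"id": "ADV-EXAMPLE-0002", "name": "thirdlib",   "fixed_in": "0.9.0"},
]


def parse_version(version):
    """Split a dotted version into a tuple of ints so tuples compare in order.

    Trailing non-numeric text in a segment (e.g. "2rc1") is dropped; this is a
    simplification for the example, not a full semver/PEP 440 implementation.
    """
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Return {component name: version} for every component in a CycloneDX JSON SBOM."""
    document = json.loads(sbom_text)
    if document.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: expected CycloneDX")
    return {c["name"]: c["version"] for c in document.get("components", [])}


def find_affected(sbom_text, advisories):
    """Cross-reference SBOM components with advisories.

    A component is reported when the SBOM lists a version older than the
    advisory's first fixed version. Components not mentioned in any advisory,
    or already at/after the fixed version, are skipped.
    """
    components = load_components(sbom_text)
    affected = []
    for advisory in advisories:
        installed = components.get(advisory["name"])
        if installed is None:
            continue  # the product does not ship this component
        if parse_version(installed) < parse_version(advisory["fixed_in"]):
            affected.append({
                "id": advisory["id"],
                "name": advisory["name"],
                "installed": installed,
                "fixed_in": advisory["fixed_in"],
            })
    return affected


if __name__ == "__main__":
    # Usage: run the check over the constructed SBOM and print what needs attention.
    for hit in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{hit['id']}: {hit['name']} {hit['installed']} "
              f"is below fixed version {hit['fixed_in']}")
```

Only examplelib is reported: thirdlib is already at the version the advisory names as fixed, and otherlib has no advisory at all. In practice the advisory feed would come from a vulnerability database and the SBOM from the vendor, but the matching step is exactly this kind of lookup, which is why the format being machine-readable matters.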
SB: How will the EO strengthen the federal stance on cybersecurity?
Weeks: While there are a number of benefits, what stands out to me is the implementation of a Cybersecurity Incident Review Board, which could help assure faster response to cyber breaches and could enforce detailed assessments to uncover the root cause of these incidents.
Additionally, mandating certifications to ensure that the software contractors deliver has not been infected with malware or does not contain exploitable vulnerabilities makes for a good addition to existing certifications that place less focus on application security and more on infrastructure security. As a result, software vendors should be taking steps now to work on software security maturity models to ready themselves for this change in our current ecosystem.
SB: What is lacking in the EO and where does the government need to step up?
Weeks: It doesn’t go far enough on the specific recommendations for organizations to strategically meet the expectations. The devil is in the details, and that is what is lacking from the executive order. Like most EOs, this is simply a directional project plan and the initiatives outlined are merely objectives. While it is headed in the right direction, we need a detailed tactical plan to understand the impact radius and reach the desired results.
There is one initiative outlined that I strongly disagree with – the idea that organizations should minimize dependencies on enterprise products that are part of the environments used to develop, build and edit software. This is an overreaction by the government as a result of the recent SolarWinds attack. Rather than encouraging organizations to cut ties with enterprise software organizations, they should focus on strategies to secure their configurations, not eliminate them. Eliminating them would only cause more problems, as the alternative is for each individual organization to build their own tools and delivery pipelines for software, which would likely result in a wider array of more serious vulnerabilities.
SB: The ransomware attack on Colonial Pipeline has put the security of the critical infrastructure front and center. What can the government do to ensure the nation’s critical infrastructure is protected from cyberattacks and nation-state threat actors?
Weeks: The ability to mitigate ransomware requires cooperation from all parties at risk. Organizations, public and private, must prioritize the importance of prevention, detection, assessment and remediation of cybersecurity incidents, which is essential to national and economic security.
As for the Colonial Pipeline attack specifically, there is no one right way to handle a ransomware attack. To state that ransom must never be paid ignores the nuances of each individual case and the victim’s ability to handle the situation in the manner most suitable to it and its customers. Without knowing all the details of the attack and ransom request, we can speculate that Colonial Pipeline paid the ransom because it was not in a position to enact an alternate recovery strategy that would have allowed for the resumption of services in an acceptable time frame. It took action to mitigate the damage and get operations back online as quickly as possible. This situation underscores the importance of testing and validating recovery strategies regularly to ensure when an attack does arise, you are in a position of strength versus playing defense.
SB: What are the biggest cybersecurity threats facing our critical infrastructure and what do we need to know about those risks?
Weeks: Simply put, ransomware. It is very clear that the federal government currently doesn’t have the ability to respond to cybersecurity threats at the scale and speed that is needed. To combat the evolving threat landscape impacting critical infrastructure, the federal government needs a more coordinated approach, internally and externally, from a private sector perspective. When an organization is forced to shut down its network, it impacts them financially. However, when we are talking about situations like the cyberattack on the largest pipeline system for refined oil products in the U.S., or ransomware attacks on health care networks, these situations can become life-threatening and become a matter of national security interest. The ability to quickly respond when, not if, an attack occurs is essential when we are managing critical infrastructure.