Cyberattacks have been in the news more in the last year than the previous decade, and for good reason: they are becoming more serious. On Sunday, Energy Secretary Jennifer Granholm warned that adversaries could “shut down” the U.S. power grid. FBI Director William Wray said there were parallels between cyberattacks and the challenge posed after the September 11, 2001 attacks on the United States.
These comments came on the heels of the cyberattack that temporarily halted the Colonial Pipeline, which delivers fuel from Texas through New Jersey. That assault was not particularly sophisticated, but it was a watershed: the gasoline shortages it produced attracted national attention. They served as a wake-up call; the government and the public are now increasingly aware that cyberattacks are getting worse, not better.
Moreover, the government is now taking action with an executive order and proposals to spend more. But how we implement changes being discussed will make the difference between a less or more secure digital world for Americans.
The Colonial hack was a ransomware attack launched when DarkSide, an extortion group that law enforcement agencies believe is located in Eastern Europe or Russia, encrypted Colonial’s network, which disrupted communications. The company paid the ransom for a key to free up its system—some of which the government has reportedly recovered.
However, extortion through ransomware, while a growth business, is not even the most sophisticated form of cyberattack. More sophisticated attacks include the recent compromise of SolarWinds by Russian hackers and of users of Microsoft email servers by Chinese hackers. The relatively quick remedy of the Colonial crisis and partial recovery of extorted funds should not provide comfort: compromises of systems are becoming more sophisticated and devastating. In the future, we should expect the impact on our lives to become more pronounced.
Amid the Colonial attack, the Biden administration last month issued an executive order to take defenses to a higher level. Among the many provisions were requirements for companies to report attacks promptly when they could impact government systems, establishing standards for developing software with a higher priority for security, and giving consumers the information and choices they need to opt for better security. Another requirement is for agencies across the government to use second-factor authentication for users accessing systems, end-to-end encryption for communications, and “zero-trust” practices in developing and using software.
Some background is warranted on what gave rise to these new requirements. Since the dawn of contemporary software, the emphasis of production has been on creating more features for users, not necessarily security. In fact, more features and complexity often mean more vulnerabilities for hackers to exploit. There is always an impetus to get to market fast with new software, even if it is flawed, with bug fixes and security updates coming later. This speed of business has undoubtedly helped the software business and the broader economy grow. You’ve probably heard the saying, “The perfect is the enemy of the good.” But as the danger of flawed software increases dramatically, a reevaluation is necessary.
That is where the consumer choice provision of the executive order can come in. Instead of placing an onerous or one-size-fits-all regulatory burden on software programmers and companies, the idea is to reward those who put more emphasis on security and empower consumers to choose more secure products. This step could be the beginning of shifting the incentives of software development from speed to quality in the areas that are more susceptible to cyberattack.
Zero trust, which is also part of the emerging plan, is an approach to securing organizations that focuses on compartmentalization of data and computer services. It allows for enhanced detection of attackers and helps reduce the scope of damage when a compromise occurs.
End-to-end encryption is another component of the administration’s plan. It means that whenever data is in transit between sender and recipient, it is scrambled into content that is indecipherable to anyone who does not hold the decryption key. For example, we as a company have enormous quantities of data that organizations have entrusted to us for backup. We can read none of it because we utilize end-to-end encryption and employ zero trust principles.
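The property described above, a backup provider holding data it cannot read, is easy to see in code. The following is an added example written for this page; it is not the article's or SpiderOak's code, and the names (`Client`, `Provider`, `BackupBlob`) and the sample backup contents are constructed for the illustration. The client encrypts with AES-256-GCM under a key that never leaves it, the provider stores only nonce and ciphertext, and because GCM is authenticated, both an attempt by the provider to open the blob with a key it invents and a modified blob are rejected on restore.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BackupBlob is everything the backup provider ever stores: a nonce and
// ciphertext. No key material is present, so the blob is opaque to the provider.
type BackupBlob struct {
	Nonce      []byte
	Ciphertext []byte
}

// Client holds the user's key. In a real product this would be derived from a
// passphrase or a hardware token; in this constructed example it is random.
type Client struct {
	key []byte
}

// NewClient generates a fresh 256-bit AES key on the client side.
func NewClient() (*Client, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

// aeadFor builds an AES-GCM instance for a given key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext before it leaves the client. GCM also produces an
// authentication tag, so any change to the stored blob is detected on restore.
func (c *Client) Encrypt(plaintext []byte) (BackupBlob, error) {
	aead, err := aeadFor(c.key)
	if err != nil {
		return BackupBlob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return BackupBlob{}, err
	}
	return BackupBlob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens a blob with the client's own key; it fails on a wrong key or tampering.
func (c *Client) Decrypt(b BackupBlob) ([]byte, error) {
	aead, err := aeadFor(c.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Provider models the backup service: it stores and returns blobs and holds no keys.
type Provider struct {
	store map[string]BackupBlob
}

func NewProvider() *Provider { return &Provider{store: map[string]BackupBlob{}} }

func (p *Provider) Put(name string, b BackupBlob) { p.store[name] = b }

func (p *Provider) Get(name string) (BackupBlob, bool) {
	b, ok := p.store[name]
	return b, ok
}

// ProviderTryRead shows what the provider can do with a stored blob: without the
// client's key it can only guess one, and GCM rejects the result.
func ProviderTryRead(b BackupBlob) ([]byte, error) {
	guess := make([]byte, 32)
	if _, err := rand.Read(guess); err != nil {
		return nil, err
	}
	aead, err := aeadFor(guess)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// Demo runs one backup round trip and reports which properties held.
func Demo() (restoredOK, providerBlind, tamperDetected bool, err error) {
	plaintext := []byte("constructed sample backup: ledger-2021-05.csv contents")
	client, err := NewClient()
	if err != nil {
		return
	}
	provider := NewProvider()

	blob, err := client.Encrypt(plaintext)
	if err != nil {
		return
	}
	provider.Put("ledger", blob)

	stored, ok := provider.Get("ledger")
	if !ok {
		err = errors.New("blob missing from provider")
		return
	}
	restored, err := client.Decrypt(stored)
	if err != nil {
		return
	}
	restoredOK = bytes.Equal(restored, plaintext)

	_, readErr := ProviderTryRead(stored)
	providerBlind = readErr != nil

	// A modified blob (one flipped bit) must fail authentication on restore.
	tampered := BackupBlob{Nonce: stored.Nonce, Ciphertext: append([]byte(nil), stored.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := client.Decrypt(tampered)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	ok, blind, tamper, err := Demo()
	fmt.Println("restored:", ok, "provider blind:", blind, "tamper detected:", tamper, "err:", err)
}
```

The separation of roles is the point: the provider's `Put`/`Get` never touch a key, so a compromise of the provider yields only ciphertext, and the authentication tag means a restore cannot silently return altered data.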
While the administration’s executive order is a good start, it is only a start. Hundreds of details of implementation need to be worked out, and there are always questions of what can be implemented in an executive order versus legislation passed by Congress. Who will assess the safety and quality of software to grade it for consumers? How will standards change to adapt to new technology and threats?
Whether through this order or future action, we need incentives to remove old software and for new software to have high-assurance controls. Law enforcement must have tools to address adversaries at a national level, and we must stop treating hacking as a thing that happens “at” an address like traditional criminal activities. Fundamentally, we must realize that the environment has changed. National borders matter little, dangerous hacking tools and methods are proliferating, and attackers around the world target us with low risk to themselves. There is much work to do.
Jonathan Moore is the chief technology officer of SpiderOak, a secure communications data and aerospace company.