Cybersecurity is critical to our path forward

Steel Root’s Sam May looks at how to implement policy and programs to help thwart cyber attacks

YARMOUTH, Maine—You’ve read the news. Cyberattacks have hit the United States at a rapid pace over the past year. Beginning with SolarWinds in 2020, hackers from other countries have penetrated the IT systems of major companies and carried out ransomware attacks and data breaches that have devastated our nation’s critical infrastructure.

In May, Colonial Pipeline was the victim of a ransomware attack at the hands of the cybercriminal group DarkSide, in what was arguably the largest cyberattack against critical infrastructure in U.S. history. The attack shut down the country’s largest fuel pipeline, which delivers an estimated 45 percent of the fuel consumed on the East Coast, for nearly one week before fuel delivery resumed.

Later that month, another ransomware attack crippled the world’s largest meat supplier, JBS USA, affecting servers supporting its North American and Australian IT systems. The cyberattack, which the FBI announced was orchestrated by the Russia-based hacker group REvil, forced JBS to suspend operations at all of its U.S. plants until the systems could be restored.

Other major companies like Microsoft and Kaseya, as well as schools and hospitals across the United States, and countless other businesses and organizations, have all been victims of cyberattacks in recent months, and the number of incidents keeps growing, with no end in sight.

The question now becomes, what can be done to stop this wave of cybercrime? Sam May, CISSP, Senior Compliance Advisor, Steel Root, consults with Defense Industrial Base (DIB) clients on cybersecurity regulatory and technical compliance, and plays a lead role in driving forward technical implementation, documentation, and process maturity projects to help the client achieve a compliance-ready state. This includes conducting gap assessments, scoping a system boundary for handling Controlled Unclassified Information (CUI), building a project roadmap for achieving compliance, and acting as project manager on IT implementation projects to execute on that roadmap.

In this exclusive interview, May talks with Security Systems News about why there has been such a rash of cyberattacks in our country, and what should be done on a federal level to prevent these threats from attacking our nation’s critical infrastructure.

SSN: We’ve seen a slew of ransomware attacks occur quite frequently over the past year (SolarWinds, Colonial Pipeline, JBS Foods, just to name a few). Why has there been such an increase in the number of cyberattacks that have crippled our nation’s critical infrastructure in recent months?

MAY: I think there are a couple of things happening. First of all, you have to understand the nature of cyberattacks, especially in 2021. Most attacks that people and organizations suffer are not a human being sitting behind a terminal and having a directed, focused attack against infrastructure. There are computers out there that are constantly scanning every IP address and every space on the Internet looking for vulnerabilities. As they find that vulnerability, it gets passed to another bucket of computers that then tries to exploit that vulnerability. It eventually gets to a point where they identify a system that has an exploitable and penetrable vulnerability to it, and then they make a determination as to whether this is going to be prosecuted or not, whether there is potential revenue behind it.

APTs [Advanced Persistent Threats] aren’t just a group of kids in their basement playing war games back in the 80s; these are professionally run organizations with training pipelines and budgets and the whole nine yards.

If you’re an organization that is being directly targeted – there’s an APT or there’s hacktivism or some other organization out there that is trying to get something specific from your organization – chances are they’re going to get that. The ability to defend against that kind of threat is almost impossible.

What I think you’re seeing is a combination of more systems getting compromised because there are more bots out there scanning the IP space. What is perhaps a greater threat is that if there is no consequence to the action, if there’s no perceived consequence, you’re going to get more and more of this type of behavior, maybe not from the A-list APTs, but there’s a whole host of other similar organizations – cyber terrorism, hacktivism and whatever else out there – that are just trying to exploit systems for just the joy of exploiting systems. When it comes to ransomware, it’s so easy to implement. It’s so easy to send someone a file or a link that’s been compromised or has a payload built into it. You don’t always know the unintended consequences of you distributing this payload out there. You could go to your targeted organization or your HVAC provider or end up shutting down a pipeline. You didn’t intend to shut down a pipeline, but that’s just where your little animal wandered off to.

I think that there’s a combination of unintended consequence. Like when some organization ransoms a hospital, I think at this point they’re in it. If they didn’t intend to shut down the hospital, but they shut down the hospital, now they’re in it to get their money and run away with it, because they’re probably not going to do this again and get away with it.

I don’t know that there’s an uptick in directed crime focusing on American critical infrastructure, but I do believe that what we’re seeing is just going to increase until the United States reacts in a way that disincentivizes this type of behavior.

It’s easy to say, “Yeah, there’s somebody going after our pipelines and our food production systems,” but I don’t think they are. What I think you’re seeing is second and third order unintended consequences - events left over from an attack that had no intention of shutting JBS down, but they ended up doing it, and now it’s like, “Well, we’ve got to get our revenue out of this because they’re going to come after us, so get whatever we can in bitcoin and run for the hills.”

At the same time, we do have advanced, A-list APTs penetrating our system, doing things like the SolarWinds attack. That’s a different attack. That’s not just ‘spray and pray,’ this is a directed, thoughtful, advanced attack onto our systems that was potentially for a result that we don’t understand, that nobody actually knows.

Typically, when hackers are attacking targets, they attack a whole bunch to hide the one that they’re actually after – spread it out to half the world to hide the one or two actual targets. That’s the kind of thing that I would be afraid of when you look at SolarWinds – what were the one or two organizations that this APT was definitely interested in penetrating, and how deep did they penetrate? That’s a different story. That’s the type of thing that you do when you’re not afraid of the consequence.

You’re not afraid that anyone is going to come back and do something against you. Then go for it, see what happens because what’s the U.S. going to do? Nothing. There has to be some reaction.

SSN: With the growing threat that ransomware and digital extortion have posed to our nation, please talk about the importance of cybersecurity and the role it plays in ensuring that U.S. critical infrastructure is protected.

MAY: Cybersecurity is critical. About 10, 15 years ago, there was a burgeoning cybersecurity industry, and there were obviously certifications that had been around forever. With the Internet of Things and our lives becoming purely digital, you realize how interconnected our lives actually are, how little you can actually function without all of these interconnected data streams.

As that is the case, there is nothing that we do that isn’t touched by metadata, so the security of this data becomes ever more important. The idea that ransomware exists is a problem for everyone because the curators of it, the people who release this ransomware have no real way of ensuring it only hits their target. You release this into the world, it can go anywhere.

The original worms, they just went everywhere. The first computer viruses just kind of went wherever they wanted, and that’s where ransomware is today, so when you look at cybersecurity, it is really important to have all the technical controls in place; that is critically important. There is list after list after list of technical control requirements.

What I don’t think is talked about enough are all the policies and programs that are required around them. You can build the biggest wall, but if you don’t have a system in place for manning that wall and defending that wall, if you don’t have operational orders and battle plans around all that; you can do all the thinking and have all the paper that tells you exactly how you’re going to use that wall; it doesn’t matter if you have the wall.

This is where the focus in the security industry has been of late – implementing technical controls and not focusing on all the other responsibilities that surround a successful cybersecurity program, like policy and programs, repeatable behaviors.

The point of the Cybersecurity Maturity Model Certification [CMMC] is demonstrating your ability to do this in a mature way and get better at it every year. It’s not just good enough to say, “I was good at it in 2006, so I should be good at it now,” like a static certification. “I passed my CISSP years ago, which means I don’t need to learn anymore. I got my cert in 2004, I’m good, I never need to learn another thing again.”

SSN: What types of technical controls should the security industry implement?

MAY: You have to look at your environment and say, “Look, what is the sensitivity of my data? How much would it cost my organization if this data was exposed, or if the control surface was to be exposed or shut down, like Colonial Pipeline?” Then you have to put protections in place that are equal to that criticality of the data or control surface. You don’t want to go above it; you don’t want to go below it. To say specific controls, that really depends on the environment that you’re in.

For access control, you need to have an understanding of who gets access to your system, how they get access to your system, what are the rules around access to your system. Then you could put technology on top of that to help make that system more efficient. Now that we understand the roles of everyone in the organization – who gets access to what media – now we can put role-based access control into place. Hey, Microsoft has products that help us make that decision a little bit easier and speed that process up, but you have to have the underlying process first, and I think that’s the part of cybersecurity that gets lost on the majority of enterprises, small and large. They don’t focus on those underlying processes, and they forget that they need to have that and it needs to be robust. There has to be robust policy enforcement before you just throw technical controls at it and say, “That’s it.”

The idea behind cybersecurity is you have to have a plan, the plan has to be thoughtful, you have to have policy and programs that instruct the employees as to what they’re allowed to do and what they’re not allowed to do in a way that they understand. You can’t just have policy; you have to have thoughtful policy, policy curated to your organization.

You can’t just have disaster recovery plans; you have to have ones that have been tested and tried and that you know work, incident response plans that you know work. These are the things that companies have a difficult time doing, not because they don’t want to, but because they don’t have the people who can understand how to put these documents together. This is where small businesses, and even large businesses, suffer because they don’t have the people to help them with these situations.

In cybersecurity, you’re going to figure out where your risks are, where your threats are, where your vulnerabilities are. Then you’re going to target defenses, and in some cases, offenses, you’re going to build your vulnerability management program and your threat assessment and risk programs around those assessments. Just like you can’t defend what you don’t know, if you don’t know what’s in your infrastructure, you can’t defend it. If you don’t understand where your threats and your risks and your vulnerabilities are, you can’t do anything about that either. That’s another part of it that often gets lost.

What are your threats? What are your risks? Is anything actually attacking your on-premise infrastructure, or should that money have gone to anti-phishing training or email malware analysis, which is probably more bang for your buck?

SSN: In response to the recent wave of cyberattacks, a Ransomware and Digital Extortion Task Force was formed in Washington, President Biden signed an Executive Order to improve the nation’s cybersecurity and protect Federal Government networks, and the U.S. Department of Justice (DOJ) issued a memo to U.S. attorneys’ offices to elevate ransomware attack investigations to the same level of priority as terrorism. Are these actions in Washington enough to quell these attacks on our critical infrastructure, and if not, what else should be done?

MAY: It was a step in the right direction. The executive administrations can only offer high-level statements like this. Nobody wants the Biden Administration making directed decisions and prescriptive things like ‘Everyone shall implement these controls.’ First of all, if you build a wall, someone’s job is to get over the wall. The more visibility that is brought to this as a problem, the more we elevate the idea that cybercrime is a crime.

There also has to be continuity across jurisdictions as to what constitutes a cybercrime, and what the consequences of violating these laws and regulations and government-wide policies are.

Then the government itself, the executive branch, has to be held to the same standards as everybody else. If you’re looking at CMMC and some of the other regulatory compliance frameworks coming out of the executive branch, if the executive branch itself is getting waivers because the technology is getting too old or whatever else, what you end up having is this gap of understanding between what the private sector is supposed to be doing and what the public sector understands about that.

What I’d like to see the government do is figure out a way to increase the number of trained and knowledgeable cybersecurity, and specifically, GRC [Governance, Risk Management, and Compliance] people who could speak to what compliance requirements actually exist in the world, what the Defense Industrial Base [DIB] is required by law to do, what is good to do, what is measured and unmeasured. There’s nobody out explaining to companies what level of security they need to be at. The government said, “You guys figure it out.” What I think more energy needs to be put into is helping contractors out with where they fit into this, helping contractors figure out where CUI is, where it is not, who needs to have it, being very clear who needs to have CUI, and then when you need to have CUI, where exactly it is.

The Department of Defense and the State and Justice Departments need to say, “This is Controlled Unclassified Information, you’re going to get this, you’re going to have this for x amount of time and then you’re going to do what we tell you to do with it.” That will help our industry immeasurably because most companies are preparing for an assessment they don’t need to have because they don’t understand what is and is not CUI because their contracting officers don’t understand what is and isn’t CUI, so they’re just going to label everything as CUI.

The other thing that the federal government needs to do is try to figure out how to at least alleviate the 500,000-person shortage of cybersecurity people in this country. It is a critical thing to us. This is the same level of criticality as doctors, nurses, prosecutors and truck drivers. I don’t know whether it’s through funding centers of excellence, or whether it’s through making educational grants, but it seems to me if the shortage is this critical, this should be a heavily subsidized degree pipeline. It seems like something that should be subsidized by the federal government, or at least if you graduate from a university with a degree in cybersecurity, and go into cybersecurity, there should be a way for the federal loans to be forgiven.

SSN: What cybersecurity measures should public and private sector entities implement to make themselves less vulnerable to incidents such as Colonial Pipeline and JBS Foods?

MAY: The Biden Administration pointed out in its Executive Order that there has to be more information and intelligence sharing.

There are two parts to this – there are organizations like InfraGard that exist nominally as a public-private venture between the federal government and private industry. But InfraGard is largely dysfunctional, at least in the cyber world. There are a lot of wonderful people who work really hard to try to drive things forward, but at the core of InfraGard, it’s not an intelligence-sharing, action-oriented group. It’s mostly a bunch of people who sit around and have monthly training on mostly physical security, but there’s not a lot of sharing going on.

What I’d like to be able to see is when there is intelligence in the world that affects the security of a member of the Defense Industrial Base, it affects the security of every member of the Defense Industrial Base. The DIB has to think of itself as an organism, and not necessarily as a bunch of people competing against one another who are going to take information, hold it close to their chest, and not share that information with anybody else.

The federal government really needs to take charge and put much more emphasis on information sharing between the federal government and the DIB, and within the DIB itself.

We need to do a much better job at helping each other out. There has to be more work between organizations. Cybersecurity professionals need to start looking at each other, sharing information and helping each other out.

These are the things that industry and the federal government need to be focusing on, with no prescriptive cybersecurity controls. We can do loans, we can do grants, we can do tax relief. I need something that I can say, “If I do this, it’s not going to kill my finances to the point where I’d have to question whether I can do business anymore.”

These are the programs that the government should be focusing on. Provide me with some sort of resources, don’t tell me everything I need to do.

We have this long-term systemic issue of cybersecurity that is not being addressed on the federal level. People aren’t talking about it, even though it’s costing the government billions. Over time, we’re going to lose our competitive advantage. It’s going to cost the U.S. infinitely more over time than any acute pandemic.

We’re not getting the same level of visibility, other than somebody slamming their fist on the table from time to time saying, “We should have been able to prevent this.”