Cybersecurity Merry-Go-Round

Author: Jon Brandt, Director, Professional Practices and Innovation, ISACA
Date Published: 23 June 2021

There are many US citizens outside the cyber industry who only pay attention to cybersecurity incidents when they are affected by them. It can be argued that every data breach directly affects those whose personally identifiable information (PII) was accessed by an unauthorized party, but the ever-growing number of data breaches appears to fall on the deaf ears of consumers, given the lack of universal US data privacy laws and standard playbook responses to offer credit monitoring. Further, media outlets all too often choose to promote a single incident over another, which may not correlate with true impact. After all, of the 15 largest data breaches of the 21st century,1 few, if any, amounted to anything but a blip in the 24-hour news cycle.

However, the recent Colonial Pipeline ransomware attack took center stage in US news coverage during the month of May 2021.2 This ransomware attack was personal to a sizeable portion of the United States, as it disrupted the flow of fuel along the Eastern Seaboard down to the Gulf Coast. High gas prices and electricity outages are 2 prominent areas of concern among US citizens and, unsurprisingly, consumers did what they often do—they panicked.

The Colonial Pipeline hack was not surprising given the company’s many security failures dating back at least 3 years, and while subsequent security spending reportedly was in the “tens of millions of dollars,” it calls into question the effectiveness, and perhaps the appropriateness, of the company’s cyber investments.3 A comparative analysis of all independent audits conducted since 2017 would be interesting. Initially, many believed the pipeline itself was attacked; however, it has since been confirmed that the pipeline operational technology was not attacked.4 Within days, it became known that Colonial itself shut down the pipeline, but the damage was already done, resulting in a trickle-down effect quickly felt by consumers. Emergency declarations5, 6 were invoked due to widespread fuel shortages. The silver lining for consumers, if there is one, is that this did not occur any closer to the Memorial Day US holiday weekend, which symbolically marks the beginning of summer for many in the United States.

Not surprisingly, US lawmakers responded with the usual legislative activities. There are some perpetual optimists out there who believe Presidential Executive Orders and legislation may finally have some magical effect; I am not one. Martin Luther King, Jr. wrote, “It may be true that morality cannot be legislated, but behavior can be regulated.”7 While the context of most of King’s work is anchored in civil rights, I believe his words resonate anywhere people are involved. For whatever reason, organizational leaders have not gotten the message that cybersecurity is, at its core, a people problem. Technology is all too often considered a panacea, but at the end of the day, it is people who design, develop and deploy technical countermeasures, which amount to safeguards for an imperfect society.

The overarching problem plaguing the United States is a pervasive lack of personal accountability and integrity. This sentiment is not expressed lightly, but is sadly reinforced by countless headlines that run the gamut of US politicians occupying the highest levels of public office breaking laws, down to failures in US public education. So, although many well-intentioned laws do shape public policy and can regulate behavior, there remains an issue: Laws will not prevent bad actors from breaking laws, let alone committing cybercrime, which is largely believed to be a low-risk, high-reward activity.

When cybersecurity incidents occur, headlines typically begin with what happened and shift to naming the bad actor before disappearing from the news cycle. Those of us in the information security industry understand that attribution in cyberspace is difficult. Attribution may appear to be happening faster, and the growing databases of known patterns, signatures and other indicators, coupled with industry-specific sharing mechanisms, are surely beneficial. But what happens when actors start copying others to shift blame? Copycat crime is not new and should be expected in the digital realm.

Conclusion

A merry-go-round is defined as a continuous cycle of activities or events, especially when perceived as having no purpose or producing no result.8 The phrase “cybersecurity merry-go-round” seems fitting given the exhaustive cycle of hacks, legislative activities and funding increases with no apparent end in sight. Technology alone will not solve these issues, and if anything, has compounded problems exponentially.

Colonial Pipeline reportedly relies on the exchange of information between operational technology (OT) and IT networks to know how much fuel is distributed for billing.9 Given its decision to cease operations, one can infer that leadership was not confident that controls between the two were sufficient. This should be a wake-up call for all enterprise owners to re-evaluate business continuity for core business operations and supporting systems such as billing.

Lastly, security practitioners must demand more with regard to reporting. Details matter, and whereas the average person may not know nor care about the intricacies of IT and OT, society could benefit from a greater understanding. Unless someone has followed Colonial reporting as it was covered by the 24-hour media networks, they are unlikely to know the pipeline itself was not hacked (although it could have been). Although cybersecurity is a technical risk, there is a human component as well, and if, in fact, a poorly crafted phishing email caused this particular attack as some are suggesting, we have a long way to go to bolster the human firewall.

Endnotes

1 Swinhoe, D.; “The 15 Biggest Data Breaches of the 21st Century,” 8 January 2021
2 Osborne, C.; “Colonial Pipeline Attack: Everything You Need to Know,” Zero Day, 13 May 2021
3 Bajak, F.; “Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems,” AP News, 12 May 2021
4 Zetter, K.; “Ransomware Infection on Colonial Pipeline Shows Potential for Worse Gas Disruption,” 8 May 2021
5 Commonwealth of Virginia–Office of the Governor, Executive Order Number Seventy-Eight, Declaration of a State of Emergency Due to the Shutdown of the Colonial Pipeline, 11 May 2021, USA
6 Federal Motor Carrier Safety Administration, Regional Emergency Declaration Under 49 CFR § 390.23, 9 May 2021, USA
7 King, Jr., M. L.; Draft of Chapter III, "On Being a Good Neighbor," The Papers of Martin Luther King, Jr. Volume VI: Advocate of the Social Gospel, September 1948 – March 1963, 12 March 2007, USA
8 Oxford Dictionary, “Merry-go-round”
9 Ibid.

Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CPI, CySA+, PMP

Is a senior information security practice manager in ISACA’s Content Development department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.