The saga of the Colonial Pipeline hack continues. Colonial says that there is fuel flowing through the pipeline again but it will take time to get all of the tributary lines operational.
But more importantly, many sources are reporting that Colonial paid $5 million in cryptocurrency to the Russian hackers on Friday, contradicting earlier reports that the company did not plan on paying the ransom. They paid the ransom, it is being reported, immediately. Even though Treasury said that paying terrorists a ransom violated OFAC sanctions rules and could land you in jail for 20 years, in this case the government apparently knew about the payment and, well, we don’t know what the conversation was. My guess is they said, oh, in the case of critical infrastructure, the law doesn’t actually apply.
Next, it is being reported that the decryption tool was so slow that Colonial is restoring from backups in parallel with decrypting their servers.
The White House did a “no comment” on whether they knew about the ransom, which, of course, in political talk means, of course we knew.
One pundit pointed out that if the lack of security had been going on for years, paying the ransom was way cheaper than actually protecting the network.
Next comes some more bad news for Colonial. Three years ago Colonial hired an outside auditor. The auditor said that they found “atrocious” information management practices and “a patchwork of poorly connected and secured systems.”
“We found glaring deficiencies and big problems,” said Robert F. Smallwood, whose consulting firm delivered an 89-page report in January 2018 after a six-month audit. “I mean an eighth-grader could have hacked into that system.”
In response, the company said that they had hired four independent firms and increased their spending by 50%, whatever that means. They said they have spent tens of millions of dollars. So, for one of the largest oil companies in the country, this possibly means $10 million over four years, or $2.5 million a year. Hmmm. We don’t know, but it doesn’t seem impressive.
On the other hand, this is likely wonderful ammunition for the plaintiffs’ attorney.
Credit: The Washington Post
Finally, likely in response to this mess, the White House released its much-talked-about and long-awaited cybersecurity executive order. Think of an EO as an inter-departmental memo. All the President can do is make some changes in how the executive branch interacts with vendors. On the other hand, the executive branch spends tens of billions of dollars a year, so if a company wants to continue to do business with the government, it will have to follow the EO’s procurement rules. And it likely cannot have two sets of rules, one for government sales and one for commercial sales.
Here are some of the things that the EO covers:
- Removes contract barriers between the government and IT providers to information sharing and requires providers to share breach information.
- Moves the government towards secure cloud, zero trust and multifactor authentication.
- Requires a baseline security standard for software sold to the government and requires developers to make security information public.
- Establishes a Cybersecurity Safety Review Board that will operate like the NTSB after a plane crash (Colonial definitely fits into that category).
- Creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.
- Creates standards for endpoint protection and incident response on government systems, and improves incident detection.
- Creates a standard requirement for agency security event logs to better analyze incidents.
There is lots more (the EO is over 30 pages; many EOs are 1-2 pages). Commerce (NIST) gets to create the third item above, the baseline software security standard, and apparently it even requires an SBOM – Software Bill of Materials.
The devil is in the details, but this is only about 25 years overdue.
More to come on the EO, but this is turning into a PR nightmare for Colonial. I am guessing the vultures, err, lawyers, have already started circling over the carcass.