WASHINGTON: A growing chorus is building across Washington to compel private sector reporting and information sharing on cyber incidents that have national security implications. The first substantial salvo came in yesterday’s cyber executive order, but several lawmakers are exploring additional legal requirements.

The timing of Biden signing the EO yesterday appears to have been prompted, in part, by the recent cyberattack on Colonial Pipeline, according to a source. It is said to have been planned for release on May 17.

The government is said to still be responding to the Colonial incident, although Colonial said this afternoon it has “restarted our entire pipeline system and that product delivery has commenced to all markets we serve.”

Bloomberg reported today that Colonial paid the $5 million ransom “within hours after the attack,” according to its sources. This likely expedited the recovery. The US government generally discourages paying ransoms.

With operations restored, attention now turns to two questions: How can these types of cyberattacks be minimized in the future, and who conducted the Colonial hack?

One revelation in the Colonial incident is that CISA, the federal agency central to domestic cyber defense of networks, did not receive the “technical information” it needed and wanted to communicate to federal agencies, industry, and the public, CISA Acting Director Brandon Wales said. That technical information often includes threat intelligence about cyber actors and their methods, including indicators of compromise (IoC) that help to detect and mitigate similar cyberattacks against others.

The EO is a first step toward mandatory cyber incident reporting, and indeed, the first goal covered is “Removing Barriers to Sharing Threat Information.”

The EO will build the new mandates into federal contract requirements and language by changing the Federal Acquisition Regulations (FAR).

Notably, federal contractors will be compelled to share information with both the agency(ies) they are directly working for and with CISA, the latter acting as a central hub for collection and management. 

The new information sharing requirements are varied, multitiered, and applicable to both government and contractors. They include how federal contractors will collect, preserve, and share data, information, and reporting with various government entities. 

Separately, multiple government entities are charged with figuring out how to disseminate the information gathered to the various government audiences that need to know.

The EO “properly emphasizes info sharing,” Tom Gann, chief public policy officer at cybersecurity company McAfee, told me. “There are gaps that need to be filled. Really strong info sharing combines government and private data. It is more than IoC. It includes getting more data — ideally, additional contextual data to pinpoint the bad guys.”

Meanwhile, Sen. Gary Peters and Sen. Rob Portman, chair and ranking member of the Homeland Security and Government Affairs committee, each suggested they support updating the Federal Information Security Management Act (FISMA) to compel sharing. Doing so will entail private sector cyber incident reporting requirements to ensure the federal government gets timely information on cyberattacks with national security implications. Details on Sens. Peters and Portman’s proposal are sparse, since no draft bills have been submitted yet.

FISMA “clearly needs some adjustment… so there is no ambiguity” about what constitutes a “major incident,” Peters said during a hearing earlier this week.

Sens. Peters and Portman join Sen. Mark Warner, chair of the Senate Intelligence Committee, who has said he is drafting legislation likely to include mandatory cyber incident reporting and information sharing. No draft bills have been released yet.

On Monday, Federal Energy Regulatory Commission (FERC) Chair Richard Glick and Commissioner Allison Clements called for examining mandatory cyber standards in the wake of the Colonial cyberattack.

“It is time to establish mandatory pipeline cybersecurity standards…” the statement reads. “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors. Mandatory pipeline security standards are necessary to protect the infrastructure on which we all depend.”

Asked for comment on the FERC statement, American Petroleum Institute Manager of Operations Security and Emergency Response Suzanne Lemieux said, “Our industry remains committed to protecting America’s critical oil and natural gas infrastructure from growing cyber threats, and we are updating our cybersecurity standards industry-wide as these threats continue to evolve. …We have robust coordination efforts in place, and when it comes to cyberattacks, the technology often outpaces the regulation, which is why we believe new regulatory measures are premature until we learn more about the specifics of the Colonial malware attack.”

Many IT and operational technology (OT) systems used in the energy industry, the latter controlling physical pipeline components such as valves, have been in place for a long time. The NSA very recently observed that the OT security problem is exacerbated by “stagnant OT assets and control systems installed and used throughout the US and [defense industrial base], many of which are past end-of-life and operated without sufficient resources.” Colonial’s OT networks were not compromised in this hack, according to CISA.

There has also been movement this week on three pieces of cyber legislation, none of which directly focuses on public-private cyber info sharing. These include:

  • S.1316 – Cyber Response and Recovery Act of 2021, sponsored by Peters and co-sponsored by Portman.
  • S.1097 – Federal Rotational Cyber Workforce Program Act of 2021, sponsored by Peters.
  • S.1350 – National Risk Management Act of 2021, sponsored by Sen. Margaret Wood Hassan.

As to the other major question — who’s responsible for the Colonial cyberattack — likely to get more attention now: The Mandiant unit of cybersecurity company FireEye published a detailed analysis of DarkSide, the cybercriminal group whose ransomware was used to attack Colonial. DarkSide is a ransomware-as-a-service (RaaS) provider that has “affect[ed] organizations in more than 15 countries and multiple industry verticals.” As previously reported, RaaS complicates attribution.

“Beginning in November 2020, the Russian-speaking actor ‘darksupp’ advertised DarkSide RaaS on the Russian-language forums. In April 2021, darksupp posted an update for the ‘Darkside 2.0’ RaaS that included several new features and a description of the types of partners and services they were currently seeking,” FireEye notes. “Based on forum advertisements, this percentage starts at 25 percent for ransom fees less than $500,000 USD and decreases to 10 percent for ransom fees greater than $5M USD.”

The report also says, “A recent update to their underground forum advertisement also indicates that actors may attempt to [distributed denial of service] victim organizations.” This could prove remarkable in coming days, given Colonial’s website was down for much of Tuesday before returning online again Tuesday night. The website issue could have been unrelated to a DDoS.

Mandiant said it “currently tracks multiple threat clusters that have deployed this ransomware,” which could complicate attribution. There has been widespread speculation about the group’s potential ties to the Russian government. Both the criminals and the Russian government have denied any affiliation. Interestingly, Mandiant notes, “Affiliates are also prohibited from targeting organizations in Commonwealth of Independent States (CIS) nations,” a regional intergovernmental organization of nine members that was formed after the collapse of the Soviet Union in 1991. As previously reported, DarkSide’s malware checks IT system language settings to ensure Russian entities are not attacked.

Mandiant concluded, “We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years.”

New York Times reporter Nicole Perlroth on Tuesday tweeted an excerpt from what appears to be a security assessment report on Colonial Pipeline. The excerpt, self-attributed to cybersecurity and insurance company Coalition, said in part, “The most likely culprit is vulnerable Microsoft Exchange services” at Colonial.

Breaking Defense contacted Coalition for comment. The company said, through a spokesperson, it is not involved in digital forensics and incident response for Colonial. The report is based on “Internet data and [Coalition’s] own ASM report.” The spokesperson provided the following statement from Jeremy Turner, head of the company’s threat intelligence:

“Coalition evaluated Colonial Pipeline and found numerous potential risks that could have led to the breach: The most likely culprit is vulnerable Microsoft Exchange services, but the organization also exposed [Simple Network Management Protocol], [Network Time Protocol], and [Domain Name System] services, which indicates an overall lack of cybersecurity sophistication, unfortunately. Other possibilities include the numerous network protocols exposed on the Internet publicly, as well as targeted virtualization software or [Secure Sockets Layer Virtual Private Network] access with names that imply [industrial control system] network access — also with an invalid certificate — could be culpable vulnerability points.”

“Overall,” the statement continued, “Colonial Pipeline likely did not have the awareness needed to protect themselves. It could be as simple as a lack of two-factor authentication on their VPN — one of the most common threats to an organization’s cybersecurity — or even just an indirect victim of the general and widespread targeting of Exchange servers.”

If an Exchange server was, in fact, the initial threat vector for this hack, that means Colonial’s Exchange servers were still unpatched more than two months after Microsoft disclosed four zero-day vulnerabilities that were being actively exploited. Microsoft and CISA released detailed guidance on the campaign, which was widely reported in the media. Microsoft released patches and a free online tool to assess Exchange exposure to the vulnerabilities.

Reflecting on the Colonial incident, Phil Quade, a former NSA cyber task force chief and now CISO at Fortinet, noted, “Ransomware exploits have recently taken a more disturbing turn, increasingly being used to disrupt essential government services.”

Quade said these incidents “merit a strong federal role stopping such exploits, through policy, law, and cybersecurity operations.”