With help from Christian Vasquez of POLITICO’s E&E News and Martin Matishak
Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— The Colonial Pipeline hack is the latest urgent alarm bell pointing to cybersecurity weaknesses in U.S. infrastructure.
— This hack is creating jitters about gasoline prices, but an attack on a big natural gas pipeline could be a real nightmare scenario, POLITICO’s E&E News points out.
— EXCLUSIVE: Brett Goldstein, head of the Defense Digital Service, is stepping down next month.
HAPPY MONDAY and welcome to Morning Cybersecurity! Your MC host was pleasantly surprised by how much he enjoyed “The Bad Batch,” the new “Star Wars” series on Disney+. Much like “The Mandalorian,” it takes characters who might seem two-dimensional and throws them a very interesting curve ball. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
Maintaining America’s Technological Edge Report: Top national defense experts detail the critical, long-term national security consequences that the United States faces if it relinquishes its technology leadership role. The report warns that forfeiting the U.S. competitive edge to foreign entities puts the safety, privacy, and economic prosperity of Americans at risk.
PUT THAT IN YOUR PIPE AND HACK IT — The disruptive hack of major U.S. fuel supplier Colonial Pipeline last weekend represents the convergence of two dangers that keep U.S. officials up at night: the increasing aggression of ransomware operators and the persistent vulnerabilities in the country’s critical infrastructure. But the cyberattack, apparently the work of the criminal ransomware gang “Darkside,” also presents a golden opportunity for digital security experts who are frustrated that policymakers don’t seem to be making cybersecurity a priority as they gear up to debate President Joe Biden’s massive infrastructure plan.
“Incidents like this reinforce why it is so important that the infrastructure that supports our way of life is secured,” said Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute. So far, however, only a few lawmakers seem focused on that point. On Saturday, as news of the breach trickled out, Sen. Ben Sasse (R-Neb.) joined that bipartisan chorus. “If Congress is serious about an infrastructure package,” he said in a statement, “at front and center should be the hardening of these critical sectors — rather than progressive wishlists masquerading as infrastructure.”
Cyber specialists began unpacking the hack’s lessons even as Colonial struggled to recover from it. On Sunday, the company said it had restarted some ancillary systems but was still developing a plan to safely reactivate its main lines. To avoid fuel supply shortages, the Transportation Department relaxed certain rules for trucking companies transporting fuel. On financial markets, meanwhile, wholesale gasoline prices rose Sunday night to their highest level in three years.
The White House has promised that cybersecurity will factor into any projects that receive funding from Biden’s bill, but his plan doesn’t specifically mention the issue. That omission, combined with Biden’s monthslong delay in nominating a national cyber director and a director for DHS’ Cybersecurity and Infrastructure Security Agency, underscores how an administration swamped with other priorities — from pandemic recovery to climate change to racial justice — has done little to publicly stress the importance of protecting U.S. computer networks.
The Colonial Pipeline hack occurred just days after DHS Secretary Alejandro Mayorkas touted his department’s focus on ransomware, an increasing menace that has crippled hospitals, schools and small businesses across the country. Cyber criminals are increasingly turning to ransomware because it offers easy profits, exploiting the dangerous overlap between the United States’ lack of sweeping government cyber aid and many victims’ dire need to keep operating no matter the cost. As a Justice Department task force scrambles to identify innovative solutions to the ransomware crisis, the Colonial breach, with its potentially serious consequences for regular Americans, underscores that Biden and his cyber advisers have no time to waste.
E&E INSIGHT: BE GLAD THIS WASN’T NATURAL GAS — From our colleague Christian Vasquez, who covers cybersecurity for POLITICO’s E&E News: The Colonial hack is bad, but could it have been even worse? Just imagine if this breach had involved one of the nation’s natural gas pipelines, which are critical to keeping the lights on. Shutting down one of those lines could subject much of the country to a repeat of Texas’ electricity crisis in February, when a deep freeze left millions shivering in the dark.
Unlike gasoline, which can be stored in huge tanks, natural gas is often delivered on a “just-in-time” basis to power plants. Natural gas is expected to account for over a third of total U.S. electricity generation this year.
Regulators have taken note of the danger. In February 2019, Federal Energy Regulatory Commissioner Neil Chatterjee warned about the grid’s dependence on natural gas during a Senate hearing, expressing worries that “a successful cyberattack on the natural gas pipeline system could have a significant impact on the electric grid.”
One year later, DHS issued a rare alert about a ransomware attack that shut down an unidentified natural gas pipeline’s compression facility for two days.
Colonial hasn’t said whether the ransomware touched its operational networks but did say it deactivated them as a precaution. But would a natural gas pipeline operator make the same call if it meant risking the steady operation of parts of the power grid? That’s no doubt a scenario that the Biden administration doesn’t want to test in real life.
FIRST IN MC: BRETT’S EXIT — Brett Goldstein, who steered the Pentagon’s Defense Digital Service, will step down at the end of June, Martin reports. “I quickly realized that serving as DDS Director would be the most important job I’d ever have,” Goldstein, who became the unit’s second chief in 2019 and will become a consultant on cybersecurity and emerging technology for the Defense Department, said in a statement. Katie Olson, who joined DDS in 2019 as chief of staff and was promoted to deputy director in early 2020, will become the unit’s acting chief.
DDS more than doubled in size under Goldstein’s watch and expanded its portfolio beyond bug bounty programs like “Hack the Pentagon,” incorporating counterdrone operations and launching several efforts to boost DoD’s fight against the Covid-19 pandemic. The group played a lead role in protecting coronavirus research from hackers, with the side benefit of launching “Project Groot” (named after a character from Marvel’s “Guardians of the Galaxy” movies) to fix a vulnerability that let the department’s emails to outsiders travel the internet unprotected against snooping.
“While unexpected, joining DDS has been so rewarding because of the outsized impact we’ve been able to have as a team,” Goldstein said. Pros can read the full story here.
FORGET THE OLD WAYS — The Pentagon needs to be more open about its weapons systems and collect more data about how the software for those systems is developed and tested in order to protect them from hackers, the Atlantic Council said in a report out this morning. The report, “Mission Resilience: Adapting Defense Aerospace to Evolving Cybersecurity Challenges,” argues that DoD and its contractors have become too secretive and too hidebound, relying on traditional and flawed contracting processes. “Issues ranging from faulty acquisition practices to a failure-fearing organizational culture have plagued [DoD] and hindered its ability to develop and maintain resilient systems,” the report’s authors write.
The Pentagon must become comfortable with the concept of “failing open,” or “operating to some extent under conditions of failure,” by introducing resilience into its systems so that a partial failure doesn’t doom the entire project, the report says. And it should relax its classification rules so that flawed components can “be tested, fail, be honed, and be improved outside of highly choreographed evaluations.” The military should also “measure everything,” the report says — not just the performance of weapons systems, but also the development practices of the contractors who build them.
To catch up to the private sector, the report says, the military should embrace concepts previously seen as anathema in taxpayer-funded projects, including an “iterative design philosophy” that reflects how quickly technology is evolving. “Greater speed in the development, acquisition, and adaptation of defense aerospace technology is needed to leverage faster evolution of available capability and counter threats adopting and changing their technology,” the report says.
KEEP AN EYE OUT FOR THAT ONE — The Russian hackers responsible for the SolarWinds cyber espionage campaign also scanned the internet for unprotected Microsoft Exchange email servers, American and British intelligence agencies said on Friday. In a report documenting the tactics of the “Cozy Bear” hacking team, the FBI, CISA, the NSA, and the U.K.’s National Cyber Security Centre wrote that “the group has … scanned for Microsoft Exchange servers vulnerable to” a bug that Microsoft patched in March. The revelation marks the first indication that the cyber actors behind the year’s biggest digital security headache also tried to take advantage of the year’s second-biggest digital security headache.
In several cases, Cozy Bear has shifted gears after Western agencies exposed its operations. After British and Canadian authorities alerted the world to Cozy Bear’s use of custom “WellMess” and “WellMail” malware, the hackers began using the open-source red-teaming toolkit Sliver. The new report said that this was “likely an attempt to ensure access to a number of the existing … victims was maintained following the exposure of those capabilities.”
TWEET OF THE DAY — Supply chain attacks for me, but not for thee!
— Following the Colonial breach, U.S. officials wonder if President Joe Biden’s forthcoming cyber executive order goes far enough. (New York Times)
— To spy on Iranian military leader Qasem Soleimani before his assassination, the CIA reportedly planted spyware on phones that it expected Soleimani’s courier to buy for him. (Yahoo News)
— Lawmakers in both parties are pushing appropriators to increase funding for CISA and other cybersecurity priorities. (The Hill)
— Four Eastern European nationals pleaded guilty to charges stemming from their operation of multiple “bulletproof hosting” services for cyber criminals.
— The Energy Department is seeking assistance from the private sector in developing technology to protect manufacturers from cyberattacks.
— A trial over the video game Fortnite has revealed the scope of a massive iPhone hacking campaign. (Vice)
Maintaining Cybersecurity in the Private and Public Sectors
The American Edge Project recently released a paper outlining the importance of securing American digital power in the wake of increasing cyberattacks. The paper focused on two key components of mitigating cyber threats: Incentivizing the private sector to maintain and invest in cyber protections, and, conversely, ensuring that the public sector is ready and able to respond to cyberattacks.
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); Sam Sabin ([email protected], @samsabin923); and Heidi Vogt ([email protected], @heidivogt).