A hack of a major pipeline, the latest evidence of the nation’s vulnerabilities to cyberattacks, prompted questions about whether the administration should go further.
By David E. Sanger, Nicole Perlroth and Julian E. Barnes
WASHINGTON — A pipeline that provides the East Coast with nearly half its gasoline and jet fuel remained shuttered on Sunday after yet another ransomware attack, prompting emergency White House meetings and new questions about whether an executive order strengthening cybersecurity for federal agencies and contractors goes far enough even as President Biden prepares to issue it.
The order, drafts of which have been circulating to government officials and corporate executives for weeks and summaries of which were obtained by The New York Times, is a new road map for the nation’s cyberdefense.
It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government, such as multifactor authentication, a version of what happens when consumers get a second code from a bank or credit-card company to allow them to log in. It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware or does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government.
Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.
“That is the stick,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Companies will be held liable if they’re not telling the truth.”
The order, which is expected to be issued in the coming days or weeks, would also establish a small “cybersecurity incident review board.” The board would be loosely based on the National Transportation Safety Board, which investigates major accidents at air or sea.
The measures are intended to address the fact that the software company SolarWinds made for such an easy target for Russia’s premier intelligence agency, which used its software update to burrow into nine federal agencies as well as technology firms and even some utility companies. (Despite SolarWinds’ incredible access to federal networks, an intern had set the firm’s password to its software update mechanism to “SolarWinds123.”)
But federal officials, who caution that the draft of the order is not final, concede that the regulations would still almost certainly have failed to thwart the most skilled nation-state intrusions and disruptions that have rocked the government and corporate America in recent months, given their sophistication. That includes the more recent Chinese hacks of American businesses and military contractors that used a series of unknown holes in Microsoft email systems.
Theoretically, it could be more effective against the kind of criminal ransomware attack that took over Colonial Pipeline’s headquarters networks last week. That attack — the second to shut down a pipeline in a little over a year — did not appear to involve the kind of highly sophisticated steps that Russia and China are known for: Rather than directly try to take over the pipelines, the attackers went after what officials say was poorly protected corporate data, stealing it on such a large scale that it forced the company to shutter the pipeline rather than risk a spreading attack.
But it was unclear whether Mr. Biden’s executive order would apply to Colonial Pipeline. It is a privately held firm that oversees the distribution of much of the East Coast fuel supplies — just as 85 percent of America’s critical infrastructure, from power grids to communications networks to water treatment plants, is controlled by private firms.