“Cyber Pearl Harbor,” Cybersecurity Executive Order, Pipeline Security Directive, and More

Privacy Plus+

Privacy, Technology and Perspective

“Cyber Pearl Harbor,” Cybersecurity Executive Order, Pipeline Security Directive, and More.  This week, let’s consider the latest information security developments:

“Cyber Pearl Harbor”: In a 2012 speech that many considered hyperbolic, then-Secretary of Defense Leon Panetta warned of the very real, very urgent possibility of a “Cyber Pearl Harbor” – a large-scale coordinated attack on critical infrastructure that “would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”

Since then, we’ve watched the lights go out in Ukraine, an increasing pace and deadliness of attacks on friendly countries and businesses all over the world, and now a series of attacks take place on our own shores related to our grid—most recently, the attacks on the Colonial Pipeline and the Greenley meatpacking plant.  The consequences of attacks on our grid (over 80% of our infrastructure is operated by private companies) are being felt almost by the minute with new ransomware attacks actually striking targets, including hospitals, every eight (8) minutes. FBI Director Christopher Wray is making public comparisons of the current wave of ransomware attacks to the terrorist attacks on 9-11:

https://www.wsj.com/articles/fbi-director-compares-ransomware-challenge-to-9-11-11622799003?mod=hp_lead_pos10

If you’re skeptical (or complacent) about just how vulnerable our critical infrastructure really is, then we commend to you the following article by Nicole Perlroth of the New York Times, as well as her book, “This is the Way They Tell Me the World Ends,” links to which respectively follow:

https://www.nytimes.com/2021/06/05/business/leon-panetta-cyber-attacks.html?searchResultPosition=2

https://www.amazon.com/This-They-Tell-World-Ends/dp/1635576059

Important New Responses:  Recent attacks appear to have propelled ransomware onto the top of the national security agenda. It’s a start, but the present crisis is about more than “just” ransomware and will require determined effort and investment from everybody, civilian, military, and government alike. 

Executive Order on Improving the Nation’s Cybersecurity.  On May 12, 2021, President Biden issued an executive order requiring all federal agencies to use basic information security measures, like multi-factor authentication and encryption, and to enhance the security of the software supply chain by requiring new security standards for software providers that contract with the federal government. A link to the order follows:

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

DHS Issues Pipeline Cybersecurity Directive:  Two weeks later, on May 27, 2021, the Department of Homeland Security’s Transportation Security Administration (TSA) issued mandatory cybersecurity rules for pipeline companies. Under this security directive, critical pipeline owners and operators must designate a cybersecurity coordinator with 24-hour availability and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).  Those affected must also prepare gap assessments covering all information security risks to both information technology (IT) and operational technology (OT) systems and present remediation plans to TSA and CISA. A link to the news release regarding the directive follows:

https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators

A Final Note: Without information security, data privacy cannot exist.  But take it from us – as Texans who lived through the recent “snow-pocalypse” in which most of Texas’s power grid went down:  without power, privacy isn’t as high of a priority. 

So while our government works on our cyber defenses, what we’d like to see are (1) a prepared, defense-minded citizenry, which means serious education and enthusiastic dedication to basic cyber-hygiene (multi-factor authentication, immediate patching, no re-used passwords, etc.); (2) a nationwide emphasis on cybersecurity which is treated as a matter of citizenship and patriotism, and transcends party or personality;  and (3) a parallel effort by the government to formulate a comprehensive response and disaster recovery plan covering not weeks, but the years it would take to recover from a true Cyber Pearl Harbor. 

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.