I'm surprised at how dismissive the comments are. We need many angles of defense against these criminals. Dismissing this because companies should do better security is like dismissing doctors because people should get more exercise. That's silly. We need preventative care and treatment.
I'm not surprised by this announcement because the way that the pipeline-company ransomware hackers beat a hasty retreat was noticeably unusual, and already seemed to telegraph that the state was getting involved more...actively. Good.
Agreed. I'm a bit tired of the victim blaming with security. It's physically impossible to build a house that can't be broken into, and even harder for computer systems. Crime is a social problem; we can't rely on a dream world of mathematically perfect zero-trust security.
> I'm surprised at how dismissive the comments are.
I've gotta ask: has the US's stance on terrorism been effective? Or did they merely use it as an excuse to militarize the police and erode human rights? Because I want the government to take effective action around ransomware, but "similar priority to terrorism" just doesn't fill me with hope.
The HN crowd can sometimes have an issue with pragmatism. Sure, I'd love to live in a world where everyone follows best security practices 100% of the time, but this ain't it. Arguing how your imaginary perfect world should be gets us nowhere.
>> Dismissing this because companies should do better security is like dismissing doctors because people should get more exercise. That's silly. We need preventative care and treatment and everything in between.
Not exactly.
Executives are choosing to hire el-cheapo offshore middlemen to manage security, software development and to save money (latter is more important - more money in their own pockets) - and we all are on the hook for this behavior.
Criminals and hackers are like viruses - they are always there.
But we need to maintain the health of the whole body (country and its entities) to make sure we're resilient.
Execs and politicians selling our security and freedoms for profits and bribes need to be dealt with appropriately.
I think this is an unfair false choice. I blame security "experts" who store private keys on public facing web servers or allow for SQL injection in the same way as I blame doctors who over-prescribed Oxycontin for way longer than was safe to avoid dependence. Sure, there will always be procedural mistakes and zero days, but gross dereliction of even basic level expertise deserves scorn.
IT security is hard, very hard, and a lot of the commercial products used by most companies are terribly insecure. The fact is our IT infrastructure has grown much faster than the global pool of talent who know how to effectively secure it.
So faced with a deficit of expertise, and a constantly changing IT security landscape, it makes perfect sense for governments to support and co-ordinate cyber security efforts. We need to get maximum benefit from the resources we do have and that means pooled effort, clear best practices, strong security standards, etc.
Personally I see an additional significant benefit coming out of all of this. If governments and politicians skill up in understanding the seriousness of cyber security at a national level, hopefully they will come to understand the deep folly of insisting on backdoors and secret keys to everyone's systems for security and law enforcement agencies. Politicians keep talking some really dumb crap on this topic, but if we can get them to take the security of businesses and citizens seriously, I'm hopeful this will change.
The problem is our govt money is subsidizing private company security policies instead of more directly helping people. This money should go to healthcare, infrastructure, or even be redistributed before it's used here.
It is an absurd argument up to the point of "reasonableness" that it's the responsibility of the company to defend against 100% of theoretical security vulnerabilities, in my opinion.
There will always be a vulnerability, unless some truly secure-by-design technology exists... airgap, not vulnerable to social engineering...?
Most of these hacks were done using leaked tools from the same alphabet people's tools to fight terrorism in the first place. Horrible idea. We need companies to get their act together. Personal responsibility.
> I'm surprised at how dismissive the comments are. We need many angles of defense against these criminals. Dismissing this because companies should do better security is like dismissing doctors because people should get more exercise.
No, it is like increasing the price of cigarettes and giving that money to the health system.
>That's silly. We need preventative care and treatment and everything in between.
No, we need secure by default. These things are already criminalised; this does not seem to stop anybody.
Why is a child on a default Windows 10 account able to install a program by clicking a link? Why is this program able to install itself as a service? This is not security.
> do better security is like dismissing doctors because people should get more exercise
Not dismissing doctors but making fat people (or drug users etc) pay more is not that silly and happens.
There need to be standards (ISO, PCI) for all companies. And if you get hacked, you get fined if you did not adhere to the standards.
And yes, go after the criminals as well, but it's a bit too easy to just ignore ancient Windows installs and users with password 1234 who have admin access, etc. All these issues are stated in both ISO and PCI compliance: we just need to have all companies comply, not just banks etc.
> the way that the pipeline-company ransomware hackers beat a hasty retreat was noticeably unusual, and already seemed to telegraph that the state was getting involved more...actively.
Uh, there was no retreat - the company paid the ransom the day after the hack.
IMO the first step to fixing is to add liability. If a breach happens through a piece of software, then the vendor is liable. Same way cars get recalls. (sometimes)
> We need preventative care and treatment and everything in between.
Not to mention the fact that the cybercriminals who do these attacks also get involved with state-sponsored offensives. The ransomware stuff might just be "training wheels" or resume bullet-points for something far worse in the future.
If we're going to get serious about stopping the state-sponsored stuff and even bother to have the "US cyber-command" it makes sense to go after the relatively petty criminal elements as well. If they can't make a dent with these, why should we think they can go up against the FSB?
Corporations can only ever view cybersecurity as yet another compliance exercise (and all the incurious checkbox tickers that entails). The smart ones will play "cops and robbers" (red-team/blue-team games) but they can't offensively go after cyber criminals. Unfortunately, that's what needs to be done to get ahead of this stuff.
Usually people here want government to stay out of the way of business, or especially not to compete with business. I agree with you, but it isn't necessarily entirely a pure-business perspective.
The zeitgeist of the past 10 to 20 years heavily biases people to think government can't work, and if it can, it's too expensive, and if it does, it infringes someone's right to profit at others' expense.
Not exactly: their behaviour is more akin to a storage facility with faulty security cameras and sleepy guards (and cheap locks).
They have a duty towards their customers (contracts to be honored) and this requires security.
Sure, but terrorism has always been the blanket "fuck it, max charge it, we can't be bothered to ACTUALLY come up with legislation" so maybe don't fuck it and work out a proper set of laws.
Anytime you can let a group of criminals get away with impunity it's going to run out of control until we get... the current situation.
It's getting close to having China and Russia either start cooperating with us to flush these guys out, or we start having "fleet exercises" in their seas again. I think it would be prudent of said nation states to wash their hands of these folks.
Would it be reasonable to demand every company hire a team of armed guards? No? So why is it reasonable to demand they each hire a cybersecurity team?
It’s reasonable to tell companies to lock the doors. It’s reasonable to tell them to follow accepted best practices in tech too, but not that they be experts prepared for everything.
What about the other side of this? Instead of seeking backdoors and using them to spy on Americans, the NSA should be stepping up their game and securing vital infrastructure and domestic businesses against these attacks.
I think this is needed because the security industry seems to be well on the way to adopting paying off these people as a routine cost of business. That is going to lead to an absolute disaster if it is allowed to continue and grow.
It needs to be a double-edged sword though, where companies are just as afraid of facilitating ransomware attacks as they would be of the consequences of facilitating terrorists. In other words, this will only work if it means companies are taking the threat more seriously, not less.
This is just DOJ, so far. If ransomware gets defined as terrorism for the US anti-terrorism community, it could become very dangerous to be in the ransomware business.
The US has a huge anti-terrorism operation in being, and it's not that busy. Islamic terrorism against the US has been confined to minor local nuts since the US wiped out Bin Laden. And, before that, being "#2 in Al Qaeda" meant having a rather short life expectancy.
Now, all those people in northern Virginia and southern Maryland may be getting new targets.
They fucked up by targeting infrastructure. If they stuck with small companies they could keep doing it till the cows came home. But now they have governments against them so now they will be hunted down.
> penetrated the pipeline operator on the U.S. East Coast, locking its systems and demanding a ransom. The hack caused a shutdown lasting several days
This rings a little disingenuous, since (IIRC) the shutdown wasn't caused by the hack, the interruption of service was a deliberate choice by Colonial because (in brief) they wouldn't be able to charge their customers until they got their accounting systems working again.
The company, providing arguably an essential service, chose to stop the flow instead of estimating / approximating / using past averages to bill their customers. They likely lost much more revenue this way.
> a cyber criminal group... penetrated a pipeline operator on the U.S. East Coast, locking its systems and demanding a ransom. The hack caused a shutdown lasting several days...
I expect more precise language than this from Reuters. This makes it sound like the ransomware was responsible for shutting down the pipeline. The billing system was compromised. Colonial shut the pipeline down themselves so they wouldn't have billing inaccuracies.
“Colonial Pipeline decided to pay the hackers who invaded their systems nearly $5 million to regain access, the company said.”
That is the problem right there. Someone just made 5MM tax free. Time to make paying ransomware illegal and that will stop the potential criminal market for ransomware attacks apart from political motivations.
If it was illegal to pay the hackers back, and the Colonial Pipeline ransomware attack still happened, what would the options be? We'd have to turn the systems back on some way right?
I find it wild that the "run government like a business" crowd now wants government to run business. No one in this thread is really discussing what, if anything, the government can really do. Meanwhile, business is more than happy to be a toddler wielding a gun of computer security literacy, or to take the money of such companies and not truly help.
All this talk about software (in)security within companies reminds me of a typical conclusion after a data leak. When it's a large company, the conclusion is they may, and should, have done better, but it's inherently impossible for a large company to secure everything well enough. When it's a small company, the conclusion is they should have done better, but it's inherently impossible for a small company to, well, do better, they are too small.
Now, I'm all for treating ransomware, and generally all the large scale and/or state-sponsored hacks with a much higher priority, send the drones and whatnot. But this MUST be accompanied by more accountability on the commercial entities.
You're too small to secure sensitive data of hundreds of millions of people? Maybe you shouldn't have amassed this data in the first place. You're too big to secure everything? Well, did you secure ANYTHING? Did you follow reasonable procedures, did you, crazy idea, make sure you can't access critical systems from the internet and/or with a default password, etc.?
And if you fail, and fail you will, there's no perfect system, I believe there should be penalties not for failing, but for not doing enough to prevent it. To refer to all the plane analogies, if your wings are made of cardboard and everybody knew but pretended it's OK, because otherwise it would slightly diminish shareholder value, well, there will be consequences.
In aviation, you could go to jail for signing off on something that you know is not secure, if it causes an accident and people die. Specifically not for accidents, but for neglecting your duty to make sure that you've done all you could. For lying, deceiving, ignoring, faking, for being too lazy or too greedy to do things properly. Sounds familiar?
With large scale infrastructure under constant attacks, people dying because someone couldn't be bothered to do things properly is not an "if" any more. And better hope those autonomous trucks are very, very hard to hack.
Would a nationalized bug bounty program help here? Along with some compliance enforcement that the bounty is actually addressed, fulfilled, and paid by the vulnerable entity or the government (funded through some form of corporate tax). I haven't really thought out the details, but likely some kind of practical and effective threshold exists where a business entity in the US enters into mandatory participation.
Genuinely curious, would love to see others' thoughts.
Bruce Schneier, our country needs you! If you—or someone with your mindset—isn’t in authority and we get the technical equivalent of the TSA, we’re in for a world of hurt and trouble.
If we don't get ahead of this we'll regulatory capture ourselves into oblivion and the enemy will win anyway. As long as state-sponsored-actors are indistinguishable from black-market criminals this will never escalate beyond the perpetual cat and mouse game. We simply have to be better, and we can't have oversight committees and regulatory boards managing it. Infosec is ripe for being revolutionized.
US Constitution empowers Congress to issue "Letters of Marque and Reprisal" - to wit grant permission for private entities (people, companies) to wage war on other private entities. Enacted to help shipping companies deal with pirates, applies today for the likes of ransomware perpetrators.
Finally we are going to get security research paid properly and companies punished for not fixing their zero-day sponges. Oh, it's just another monstrous-deterrence three-letter agency.
But yeah, in a game-theory sense, it's the cheapest option to have a nuclear counter-strike instead of building all cities like underground bunkers. Security by strike team. That would actually work, if all countries agreed on that.
Or the internet is expected to break into allegiance-sized parts. The server only connects to countries that will extradite cyber-criminals and adhere to this connection contract.
Curious if this will result in extraterritorial enforcement. For example, it's clear Moscow is either unwilling or unable to prosecute cyber criminals within its border.
That's one possible reading. Another is that the US will start working on their own Great Firewall, such that your packets need to be cleared by a metaphorical digital TSA to enter the country.
This article reminds me of another published by The Harvard Gazette, Government can't keep up with the technology. The article argues that big tech is growing larger and larger, too fast for government to keep up with the pace. In the case of ransomware, government and the Supreme Court are trying to keep up, but in my opinion it will be long before government and bureaucracy can address the problem. The same happened in the case of Bitcoin. Sure, now everyone wants regulations around cryptocurrency, but it seems governments are investing in the lost causes of catching up with these growing uncertainties.
I don't mean that government shouldn't be engaging in these talks and trying to regulate these markets; my only concern is the pace of these two entities. Instead of using the same old frameworks of regulations and the same old mentalities, unorthodox approaches can better address these issues.
Izkata|4 years ago
https://www.theguardian.com/technology/2021/may/19/colonial-...
btbuildem|4 years ago
Do correct me if I got this story wrong.
virtue3|4 years ago
Continuing to let them do this with impunity is going to lead to escalated attacks.
hfjfirkrkrj|4 years ago
What's the current official policy, is this still on the table (probably only for massive attacks)?
PicassoCTs|4 years ago
It was a nice dream, while it lasted.
thereare5lights|4 years ago
https://en.wikipedia.org/wiki/Extraterritorial_jurisdiction#...
In fact, I would be surprised if we *didn't* have extraterritorial enforcement of any ransomware laws.
sharken|4 years ago
https://www.goodreads.com/book/show/41436213-sandworm
And here's an interview with the author
https://www.theverge.com/21344961/andy-greenberg-interview-b...
valprop1|4 years ago
P.S. Link to The Harvard Gazette article: https://news.harvard.edu/gazette/story/2019/02/government-ca...