
When I heard that this pipeline company started advertising a job opening for CyberSecurity Advisor in the last few days, and heard today the ransom of about $5 million was paid, my first reaction was to say "I bet the salary for that position is a lot less than $5 million, and I bet the budget for that department will be less, too..."


I think you're spot-on here - the ransom is seen as a "cost of doing business", and until recently security was seen as "a problem that happens to other people".

Sadly my experience is that organisations like this will take their $5m ransom (or other remediation cost), assume it's a one-off, then divide it by their number of ransom-free years, and proclaim it was better value for money than hiring 2 or 3 senior security gurus on $300k /yr with 60 vacation days, and letting them bring in a team to deliver meaningful security.

Beyond taking security out of the hands of bean-counters though, I'm not sure how you address this. Pursuing organisations that pay ransoms and prosecuting senior CEO/CFO-type executives for conspiracy to commit money laundering (and pushing for criminal convictions) could discourage paying ransoms. If it's left to businesses as something they can write down as a "cost", I don't see it getting better - there has to be a risk to the liberty of the CEO/CFO before they'll take security seriously in my experience. 90 days in federal prison would certainly sharpen their focus in future.


Well, sometimes they're right. The hit company will likely call in some consultancy to institute a bunch of newer and better security protocols, then call it a day. If they really aren't hit again for another decade and staffing a department would cost $500k a year or more, were they wrong?

It's a gamble. It's easy to point fingers at the company that was caught out, but for the hundreds or thousands that aren't ransomed and aren't paying the extra money for security, they took that gamble and so far they've come out ahead not having spent all that money on prevention.

I'm not advocating that these companies have less security or not do better on security, but the fact is a lot of them have made the objectively correct decision for themselves, which will continue to be correct right up until they're hit, if they ever are. The whole situation is analogous to health insurance in a way, and the same incentives are at play, along with similar consequences for individual companies and all of us as a whole, as providing easy targets for these groups allows them to thrive and grow and target others.


They paid $5 million; if "it was cheaper for them," that's solid math that ignores some really important stuff though, LOL. What is the externalized cost of this crisis on the entire country? The $5 million ransom is a worse deal if you can convince your board to consider that externality.

The criminal penalties for executives in leadership and board positions (and I'm not saying this is my preferred approach) would certainly go a long way toward changing the calculus of this exchange.


> What is the externalized cost of this crisis on the entire country?

One natural solution would be to subsidize cyberdefense. The political difficulty is that a rational subsidy would be proportional to the harm of an attack, which would mean giving the most money to the biggest corporations.

The best solution would be for the firm to raise their prices the very small amount necessary to cover the expense, and for consumers to tolerate the expense because they know it's worth it. But a pipeline is a natural monopoly, presumably charging a monopoly-optimal price that (correctly) assumes a populace ignorant of such concerns until it's too late.


> What is the externalized cost of this crisis on the entire country?

If a business externalizes the cost, does it matter to them?

Civil penalties levied by regulators will drive the change that matters.


> If a business externalizes the cost, does it matter to them?

I mean, yes? Maybe not before next quarter's revenue statement, but eventually it will have to start to matter?

If your dog goes and craps in the yard every day, you eventually have to clean it up or you will get flies in the yard, and if you have to open the door or leave the house at all then sooner or later you will have flies in the house, it matters, yes. It's really not any more complicated than that.

If you are responsible for dumping toxic waste out the back door of your factory, it's only a matter of time before it's in your drinking water at your house, a couple of miles down the road. Externalizing a problem doesn't really get rid of it, just makes it someone else's problem (for now at least.) Those other people are real people, and they will find you.


But if you're a monopoly (a competing pipeline isn't likely to spring into existence any time soon) and the courts aren't inclined to impose particularly harsh penalties, business as usual will remain your optimal moneymaking strategy.


Which is also why they need a $15-50 million fine on top of this.


I'm curious about the potential legal basis for such a fine.


SOX. SOX mandates that you have reasonable controls to secure financial information and it appears they didn't. Every SOX audit I've been through has an IT security portion.


Even better, they will take the cost of their Insurance Deductible, and then do those calculations. Most businesses have insurance for this stuff.


Interestingly, it looks like (some) insurers may be responding to this.

> In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

https://www.insurancejournal.com/news/international/2021/05/...


And DarkSide has stated they target businesses with that insurance. It's smart. They were hosed the moment Colonial's infosec (or whomever) recommended closing the valves on the pipelines. Until that moment they'd been doing reasonably well (for criminal scum).


The cost of shutting down this pipeline for a week is a lot more than 5 million. At 3 million barrels per day going through it, in 6 days that's 18 million barrels. At $65/barrel that's 195 million worth of oil that didn't transit and it probably has huge knock-on effects throughout the affected regions (things that didn't ship, trips not taken, etc).


I believe it was a gasoline pipeline, so the price per barrel is a lot more than that.


Well, if it's more expensive to prevent the attack than to pay the ransom, what's the point? ;)


I know you're saying this in jest, but that's the calculus.

The outcome here shows that executives made the right call. The $5MM fee was easily paid, less than the costs of security, and the insurance company will probably cover it anyway. And the government/people were so outraged that the attackers were met with fucking swift justice.

The company will probably get some grants or something to cover the cost of "securing their infrastructure." Never let a good crisis go to waste.


I wasn't really saying it in jest. The ";)" was more of an "oh, the horror" signifier, meaning I don't really think it's great that the cost-benefit analysis here is so short-sighted.

Any employee choosing to spend millions to avoid the cost of a heretofore unencountered cyberattack would be making a strategic decision, while probably not being empowered to make decisions at that level. So they do not take action.

Bureaucracies do not take visionary action. They stay the course.


Which is why the company needs a significant fine for failing to secure infrastructure.


This is why it's a problem. What's the point is the business side, but when taken as a whole, this type of infrastructure is too important to the country as a whole.

Everyone wants to make the calculation and hope it's not them, but if it's everyone at once, or there is no ransom option, it's a completely different ball game. This is a situation where we are asking private companies to take responsibility for something outside of a profit motive and the results are somewhat less than surprising.


Until the attacks get more expensive. Some companies never settle lawsuits even when it is obvious they will lose in court. As a result they only have to deal with courts in cases where it is obvious they will lose, since no lawyer will bother with a case that isn't obvious. (The end result is about the same loss overall; when they lose they tend to be punished in court for not settling.)


They did get some free help from the US amplifying all of this and the media essentially tying DarkSide to the pipeline shutdown (even though they likely only set out for the business side).

Maybe now utilities going to the US for a similar reason will be in everyone's DR/IR plan (even if Colonial didn't reach out to the US admin).


Expecting the company to continue operating after freezing data on the "business side" seems strange to me.


I think you're right - as I said in a sibling comment, if beans are all you count, and bean-counters rule the roost, you can write this off as a one-off, and point out you had 30 years without ransomware, and therefore we don't need to do anything...


That's surely how it would be represented in order to retroactively justify negligence.

But a more precise calculus would take into account that (1) the proliferation in ransomware is recent and explosive, and (2) getting hit by one ransomware group doesn't mean a second group won't strike soon. (Although I'm guessing the second wouldn't be allowed to use the same ransomware-as-a-service platform, as that would harm the platform's reputation.)


Now that they've outed themselves as an easy mark, should be simple to hit them again and demand more money. At some point it'll be less expensive to improve their security infrastructure.


Ransoming Colonial basically put DarkSide out of business. No one is going to hit them again.


Their stuff may have been seized, but their business model has not to my knowledge been invalidated. Ransomware is not a capital-intensive business. A new generation of ransomware groups will quickly spring up to replace DarkSide.


Or, so they say... We really don't know enough to say anything here. It might just as well be that whoever controls the funds at Darkside pulled an exit scam.


TBH I was shocked $5 million was all it cost.


I imagine it went something like this

"OK, now that you have our attention, and the eyes of the entire international media apparatus are on us, here's how we're going to do this. We're going to send some integer number of million money dollars down this pipe, and you're going to turn that gas pipe back on like you said you would.

Then here's what happens next... we're going to give you an integer number of minutes running head start before the drone strikes start raining down on these 12 sites we've identified as likely candidates for your location, ... now how many millions was it that you were asking for from us again?"

Doesn't really matter how much it was, either, if it has really been seized already in less than 24 hours. Was it enough to convince the boss guy or gal to take the bait and risk revealing themselves? (Probably not, but IMHO that wasn't likely to happen anyway, at least not since the heat started getting turned up on them all.)


There is basically a zero percent chance that the US knew where they were physically.

The servers that were claimed to be seized were on cloud platforms.

And even then, we don't know if this is true or if it's just an exit strategy.


It's easy to say "basically zero chance" when we're armchair quarterbacks and not the ones in the hot seat.

I'm inclined to agree that our cyber-security apparatus is not up to the task, but it's also true that nobody has perfect OpSec (and I'd guess there are few out there who have deeper pockets to track down and make sure the perpetrators regret this than the combination of US government + oil companies).


This isn't the first such attack. You can bet the big agencies worldwide have been aware of ransomware and investigating. They have been putting evidence together. It only takes a few of the right mistakes on the part of the criminals for them to be figured out. In the long run the advantage is to the police because they can keep looking.

If you want to be a criminal who gets away with it you really need exactly one big action, and at most a few tiny practice runs before the big one. Choose your target well, because once the big one is done you have to be done. (And don't do anything copycat: investigations to get the first guy might find you instead.)


> nobody has perfect OpSec

Yep. Compromised people on the inside, informants, "intensive interrogation" etc. are more likely the way, as has always been the case.

Also the agencies that would know who these people are would not want to reveal what they know in order to save random XYZ Corp's bacon. With this being seen as a "critical infrastructure" attack and something closer to an act of war/terrorism, the stakes got higher.


There have been hundreds of ransomware attacks. How many of them were arrested? Many of them caused more damage than this one.

The US government has a long reach, but even they cannot do anything to you if you are in Russia, for example.


This is a huge fantasy. The attackers are likely not in the US.

The USA threatening to rain drones on Russia is just going to get laughed at. Nuclear war isn't breaking out over darkside.


Yeah yeah, and if you are the one on that phone call at that time, then you are welcome to call the bluff. Gulp

Putin already denied responsibility and Biden apparently accepted that, so we wouldn't be attacking the Russian government. Wink



