The ransomware attack on the U.S. oil pipeline sounded the alarm for the protection of critical information infrastructure around the world. At present, ransomware attacks have become the main threat to the network security of various countries, and show a trend of spreading to the field of critical information infrastructure. Since the outbreak of the WannaCry ransomware virus in 2017, large-scale ransomware attacks have occurred frequently, and the victims, harm consequences, and ransom demands have been constantly updated. The recent ransomware attack on the U.S. refined oil supplier Colonel has drawn much attention for triggering the so-called “national emergency”.
After the incident, the United States reflected on the insufficiency of existing critical infrastructure protection, and intensively introduced or promoted more than ten policies and legislations, trying to change the passive situation. Recently, the “Regulations on the Security Protection of Critical Information Infrastructure” (hereinafter referred to as the “Regulations”) were officially released, pushing my country to enter a new stage of critical information infrastructure protection. Implement the “Regulations” to fully respond to emerging cybersecurity threats such as ransomware attacks, adhere to the concept of active defense, strengthen risk identification and emergency response, attach importance to data security and supply chain security, strengthen the crackdown on ransomware attacks, and comprehensively improve the security of critical information infrastructure protective ability.
1. The realistic response to the ransomware attack on the U.S. oil pipeline
On May 7, 2021, Colonial Pipeline, one of the most important refined oil suppliers in the United States, suffered a ransomware attack, which affected 45% of the fuel supply in the East Coast region of the United States (hereinafter referred to as “Petroleum Ransomware Attack”). event”). In order to effectively respond to and mitigate the impact of the incident, Colonial and various departments of the U.S. federal government have successively taken a number of measures.
In terms of emergency response, given that the attackers deployed ransomware against the IT network after gaining initial access to the Colonel network, the company immediately launched an emergency response to proactively disconnect certain OT systems to mitigate the incident. influence. But the company’s CEO later admitted to paying the hackers a bitcoin ransom worth $4.4 million.
On May 11, the White House issued a briefing on the incident, stating that the Biden administration has launched a whole-of-government effort to resolve the incident and ensure the security of key energy supply chains. The White House established an interagency response team to monitor and mitigate the impact of the incident and ensure continued fuel flow to affected areas. A multi-agency waiver has been issued to allow multiple states to temporarily use non-compliant fuels and provide greater flexibility for fuel shipping. At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security is also working with the Department of Energy and communicating with industry to make recommendations on protecting critical infrastructure and reducing ransomware attacks.
In terms of crime fighting, on May 10, the FBI confirmed that the hacking group DarkSide carried out the attack. On May 13, DarkSide stated that due to law enforcement actions, they have now been unable to access its infrastructure through the Secure Shell Protocol (SSH), including data breach servers, ransom payment servers, host interfaces, etc.; DarkSide will be terminated due to pressure from the United States extortion campaign. On June 7, the U.S. Department of Justice said it had recovered about $2.3 million worth of bitcoin ransoms paid by Colonial to DarkSide.
2. Legislative reflections of the United States on the blackmail attack on oil pipelines
After the incident, the White House stated that nearly 90% of the critical infrastructure in the United States is owned or operated by the private sector, but the United States currently lacks coordinated requirements at the strategic level in the protection of critical infrastructure cybersecurity. Although the relevant legislation is being adjusted piecemeal, it is not sufficient to support the United States in responding to the current threats to critical infrastructure. Legislation is urgently needed to change this situation. In response, the federal government and Congress have adopted a series of legislative measures, involving presidential executive orders, memoranda, departmental directives, and more than a dozen congressional legislative proposals, to strengthen the protection of critical infrastructure and combat blackmail attacks.
1. Legislative Response
One is the federal government. On May 12, Biden signed Executive Order No. 14028 “Executive Order to Enhance National Cybersecurity” (hereinafter referred to as the “Executive Order”), which clarified that the government prioritizes the prevention, detection, assessment and remediation of cyber incidents. All federal information systems should meet or exceed cybersecurity standards and requirements. On July 28, Biden again signed the “National Security Memorandum to Improve the Cybersecurity of Critical Infrastructure Control Systems”, pointing out that cybersecurity threats to critical infrastructure control and operation systems are one of the most important and growing problems at present.
The second is the departmental level. The Transportation Security Administration (TSA) issued two security directives (the “TSA Directives”) requiring critical pipeline owners and operators to report confirmed and potential cybersecurity incidents, develop and implement a cybersecurity emergency recovery plan, and Review current cybersecurity practices and take remedial actions, etc.
The third is the parliamentary level. After the incident, relevant legislative proposals being pushed by Congress include the “American Infrastructure Defense Act of 2021”, “Pipeline Security Act”, “Cyber Incident Notification Act of 2021”, “Supply Chain Security Training Act of 2021”, and “Research on Cyber Attack Response Act” “International Cybercrime Prevention Act” and other more than ten books, involving regulatory responsibilities, information sharing, emergency response, security assessment, supply chain security, critical infrastructure crimes, cyber attack countermeasures, etc. Energy, electricity and other sub-sectors have comprehensively improved security assurance capabilities.
2. Legislative concerns
One is to strengthen risk identification. Proposals argue that the federal government’s lack of adequate cybersecurity readiness and funds to invest in critical areas prevents the government from incorporating its understanding of risk into strategies, planning, and actions to advance critical infrastructure security at the heart of it The goal should be to fundamentally change the way the federal government invests in cybersecurity, shifting the focus of investment from passive cybersecurity disaster spending to risk-driven and proactive investments in strengthening cyber resilience. At the same time, there are proposals to develop a national cyber exercise plan, which should be simulated as a scenario in which the government or critical infrastructure is partially or completely incapacitated by a cybersecurity incident. A cloud-based information-sharing environment established by CISA to consolidate federal government cybersecurity risk information to help it fully understand cyber threats to the federal government and critical infrastructure.
The second is to strengthen incident reporting. The executive order requires ICT providers that contract with federal agencies to report cybersecurity incidents in products, services, and support systems provided to federal agencies immediately to federal agencies. Proposals to provide penalties for violations of incident reporting obligations suggest that federal agencies, federal contractors, and organizations deemed critical to U.S. national security should report security incidents to CISA within 24 hours of discovery. A daily civil penalty not exceeding 0.5% of the prior year’s gross revenue may be imposed on the entity, as appropriate, for violations of this reporting requirement or violations. The TSA directive requires critical pipeline owners and operators to designate a 24/7 cybersecurity coordinator to report on existing and potential security incidents, and to develop and implement a cybersecurity contingency and recovery plan.
The third is to strengthen supply chain management. The executive order believes that the security of the software used by the federal government is essential for the federal government to perform key functions, and thus proposes the concept of “critical software”, requiring the federal government to improve the security and integrity of the software supply chain, and give priority to solving “critical software”. software” problem. In a white paper issued by NIST in response to the executive order, it is recommended that “critical software” be defined in the initial implementation phase of the executive order as self-contained, native software that focuses on security-critical functions or that can cause significant harm when compromised. Involves other categories of software. There are proposals to establish and operate a voluntary national cybersecurity certification and labelling program for critical information and communications technologies, create standardized training programs, and help critical infrastructure owners and operators better understand the security of the technologies and products they use.
The fourth is to strengthen the crackdown on cases. The DOJ’s “Guiding Opinions on Ransomware and Digital Extortion Investigations and Cases” memorandum states the need to intensify and centralize internal investigations and prosecutions of ransomware gangs, including extortion attacks, digital extortion, as well as antivirus services, botnets The infrastructure that supports ransomware attacks, such as cryptocurrencies, are included in the scope of the attack. In addition, several proposals propose to amend the Computer Fraud and Abuse Act by adding a new section after Section 1030, “Computer-Related Fraud and Related Activities,” that “severely harms critical infrastructure computers,” which would “know or attempt to causing substantial damage to critical infrastructure computer operations” is a crime punishable by a fine and/or imprisonment for a term not exceeding 20 years. There are also proposals to study allowing private entities, under the supervision of designated federal agencies, to counteract illegal cyber intrusions.
3. Implications for the protection of my country’s critical information infrastructure
The Cybersecurity Law establishes the basic framework of the critical information infrastructure protection system, and specifies the protection requirements from the three dimensions of prevention, control and strike. Since the implementation of the “Cybersecurity Law”, cybersecurity and informatization, public security and industry competent regulatory authorities have actively promoted the identification, security protection, supervision and inspection of critical information infrastructure, and have taken the lead in launching security protection pilot projects in some key industries and fields based on national standards. . In 2020, the Ministry of Public Security issued the “Guiding Opinions on Implementing the Network Security Classified Protection System and the Critical Information Infrastructure Security Protection System”, specifying that the public security organs should guide and supervise the security protection of critical information infrastructure. The recently promulgated “Party Committee (Party Group) Network Security Work Responsibility System Implementation Measures” identifies specific situations in which critical information infrastructure encounters cyber attacks as behaviors that seriously endanger network security, requiring a step-by-step investigation and accountability. In August 2021, the “Critical Information Infrastructure Security Protection Regulations”, which took five years to formulate, were officially announced. The “Regulations” are a summary of the previous experience of my country’s attempts and explorations in the protection of critical information infrastructure. By optimizing the regulatory system, adjusting the identification rules, and strengthening security requirements, it provides guidelines for the subsequent implementation of the security protection of critical information infrastructure.
In this oil pipeline ransomware attack, the U.S.’s handling and legislative reflection on incident reporting, supply chain security, and case strikes have reference value for the implementation of my country’s critical information infrastructure protection system after the implementation of the Regulations.
1. Adhere to active defense and strengthen risk identification
The asymmetry of ransomware attacks continues to grow. Many proposals in the United States emphasize ex-ante risk identification and information sharing, and propose to shift the focus of federal investment from passive disaster recovery to risk-driven active investment. The protection of my country’s critical information infrastructure should strengthen the concept of active defense, and fully understand and recognize the “criticality” of critical information infrastructure.
Both the Cybersecurity Law and the Regulations emphasize the establishment of a monitoring and early warning mechanism. The “Regulations” further entrust the responsibility of carrying out the unit’s network security monitoring, testing and risk assessment to specialized security management agencies. With the help of the network security inspection and risk assessment conducted by operators at least once a year, and the network security inspection and detection work of relevant departments, risk identification can be strengthened, and the risk identification of network security service agencies, third-party security platforms, and information security testers can be brought into play. It should pay attention to the risks that may be introduced by the deployment of new technologies and applications such as the Internet of Things and artificial intelligence and their value in security assurance, and make good use of the established emergency drills, monitoring and early warning and information reporting mechanisms.
2. Strengthen emergency response and form synergy among multiple departments
After the oil pipeline ransomware attack, Colonel, the U.S. federal government’s transportation, energy, homeland security, FBI and other departments participated in the disposal to ensure energy supply and eliminate the impact of the incident. The Ministry of Public Security’s “Guiding Opinions on Implementing the Network Security Graded Protection System and Critical Information Infrastructure Security Protection System” has clearly required public security organs, network security industry authorities and other subjects to perform their duties in accordance with the law to form a joint force in network security protection work.
In the face of cybersecurity incidents, public security organs, protection departments, key information infrastructure operators, and network product and service providers that may be involved should participate in incident handling within their respective powers and obligations, and coordinate with each other. The protection work department should take measures to maintain the normal operation of critical information infrastructure, give priority to ensuring the safe operation of energy, telecommunications and other fields, and minimize the impact of the incident. At the same time, the ability of public security organs, emergency response centers including CNCERT and other departments in early warning notification and traceability should be brought into play. The application of Articles 57 and 58 of the Cybersecurity Law in the incident handling process. Operators should earnestly assume primary responsibility, implement cybersecurity incident/threat reporting obligations, and make good use of existing incident classification and emergency response regulations to transform them into their own cybersecurity incident response capabilities.
3. Pay attention to data security and connect classification and classification
Encrypting data and threatening to reveal it is a common threat in ransomware attacks. As a national basic strategic resource, data security has become an important link in the protection of critical information infrastructure. The degree of harm that may be caused by data leakage in network facilities and information systems is also one of the basis for determining critical information infrastructure. The basic legislation in the field of data security The “Data Security Law” clarifies that my country has established a data classification and hierarchical protection system. On this basis, the concepts of “important data” and “national core data” are proposed, and the key information infrastructure is re-defined through Article 31. The operator’s important data export security management requirements.
The network security graded protection system and critical information infrastructure protection system of the Cybersecurity Law and the data classification, important data, and national core data of the Data Security Law are all manifestations of graded protection and emphasis on key concepts. In the field of critical information infrastructure, attention should be paid to the data classification and classification, identification and protection requirements of important data under the Data Security Law, and the establishment of a sound personal information and data security protection system by the specialized security management agency required by the Regulations is the key to the implementation of the main responsibility of operators. , take the protection of critical information infrastructure security as one of the ways to ensure data security, and promote the data security in the protection of critical information infrastructure from static security to dynamic security.
4. Extend the security perspective and attach importance to supply chain security
Given that the cascading effects of a single supply chain attack can have widespread impacts, supply chain attacks have become one of the security issues that cannot be ignored in the field of cybersecurity. Examples include the SolarWinds supply chain attack, and the recent US ransomware attack on customers in its supply chain using managed service provider Kaseya. The United States has emphasized strengthening supply chain security in executive orders and numerous proposals to help critical infrastructure operators identify and manage supply chain risks.
In order to fully protect the security of critical information infrastructure, the security perspective should be extended, and various entities in the supply chain should be included in the protection of critical information infrastructure. Improve the formulation of network product and service management methods, and implement systems such as network security review, cloud computing service security assessment, network product security vulnerability management, and the national mandatory standard “General Requirements for Security of Critical Network Equipment.” Prioritize the purchase of safe and reliable network products and services, and take network security and anti-risk capabilities as one of the factors to consider; establish and maintain a supplier list, clarify direct and indirect suppliers, strengthen the management of supply chain personnel and institutions, and clarify technology Support and security confidentiality obligations, require timely reporting of cybersecurity incidents and risks, and include suppliers in the cybersecurity incident emergency response mechanism. At the same time, accelerate the localization and replacement of key information infrastructure, and encourage the development of core technologies and underlying technologies.
5. Strengthen legal responsibility and strengthen case crackdown
Ransomware attacks are getting harder to hit. Cross-border attacks, with the help of encrypted currency, encrypted communication and other tools, the prevalence of the “ransomware-as-a-service” model has further lowered the threshold for ransomware attacks and made it more difficult to trace the source. In the oil pipeline extortion attack, the United States destroyed the DarkSide server through law enforcement operations, successfully recovered part of the ransom paid, and severely cracked down on the blackmail attack criminal gang; at the same time, the legislative proposal proposed to increase the charge of “severe damage to critical infrastructure computers”.
Since the implementation of the “Cybersecurity Law”, my country’s public security organs have continuously strengthened law enforcement in the field of cybersecurity through special actions such as “cleaning the Internet” and routine supervision and inspection, and severely cracked down on illegal and criminal activities such as cyberattacks and online black and gray production, and achieved remarkable results. The “Regulations” require public security organs and national security organs to strengthen the crackdown on illegal and criminal activities carried out against and using critical information infrastructure. In order to promote law enforcement in the field of critical information infrastructure into a new stage, my country needs to make preparations in the identification of crimes, means of crackdowns, and cross-border crackdowns.
First, consider the coverage of existing crimes in the Criminal Law, study the addition of special crimes in the field of critical information infrastructure, and consider the adaptation between the legal liability of existing computer-type crimes and the harmful consequences caused by network security incidents of critical information infrastructure sex. Secondly, my country’s current laws do not have specific provisions on ransomware, but the legal provisions on the production and dissemination of computer viruses, extortion, information network technical support and assistance, etc. that endanger network security are quite complete. Flexible use of existing regulations and the “double investigation in one case” mechanism to strengthen administrative law enforcement and cut off the upstream and downstream interest chains of extortion attacks. Finally, both the Cybersecurity Law and the Regulations make it clear that my country has the right to deal with cybersecurity risks and threats originating at home and abroad; if foreign entities engage in activities that endanger my country’s critical information infrastructure and cause serious consequences, my country has the right to pursue legal action in accordance with the law. responsibility and impose sanctions. In the face of cross-border extortion attacks, we should promote international cooperation and call on countries to strengthen their own capabilities and potential deterrence, and make good use of reciprocal sanctions while combating extortion attacks within their jurisdictions.