What will change in the wake of another critical infrastructure attack
Not too long ago I dove into the big cyberattacks like SolarWinds and Colonial Pipeline to emphasize the reality of infrastructure attacks. Topping it off like an unholy trifecta was the JBS cyberattack, a strike aimed at one of the world’s large meat suppliers.
JBS is a meatpacking enterprise with its primary operations housed in Brazil and a chain of operations across the world. The attack targeted US and Australian servers. Since it’s no mystery that people enjoy meat as a primary source of food, this attack was primed to set up some serious shortages. The company, then, was faced with the same critical decision as so many others affected by ransomware: pay the ransom or watch the fallout. JBS ultimately decided to pay the ransom of $11 million.
Post-fallout and investigation, the FBI stated that REvil, a notorious ransomware gang, was responsible. That name should sound familiar, as I’ve covered them a few times before in similar circumstances. They were also responsible for the Colonial Pipeline strike, though the FBI managed to recover most of the ransom paid.
Once again, it signals a red flag scenario, in that we’re approaching a potential “new normal” of attacks aimed at critical infrastructure.
Naturally, the Biden administration is taking a stern approach towards ramping up cybersecurity efforts across the board. Primarily, the goal is to set up new security standards and guidelines for companies in the US, many of which involve reporting cyberattacks and maintaining rules put out by the FBI and CISA. These are voluntary standards, however, and businesses won’t be forced to follow them. Given the severity of the attacks, though, it would be exceptionally incompetent not to renovate an enterprise’s cybersecurity policy.
The rules are part of a National Security Memorandum, which details plans, guidelines, and goals to curtail future cyberattacks of this caliber. Since a majority of the US tech infrastructure is owned by the private sector (ninety percent, give or take), they’ll shoulder the burden of making sure their cybersecurity strategies are up to snuff.
If possible, legislative action could be pursued to ensure companies have the appropriate technology and infrastructure to maintain cybersecurity defenses.
It is, however, good to see cybersecurity put in the mainstream focus. Arguably, up until these major breaches, the concept of cybersec was a niche topic contained in the IT-sphere. Leaving it up to the private sector to maintain healthy defense practices, though, is a real toss-up, and we’ll have to see just how well they follow the mandated guidelines.