Showing posts with label Cybersecurity. Show all posts

Saturday 22 May 2021

FT Exposes the “Dirty Secrets” on Infrastructure Cybersecurity

By Day Keeps the Free Market Working
By Night Redeems Children's Teeth for Cash

In this weekend’s FT Myles McCormick and Hannah Murphy wrote: “Pipeline ransom attack exposes vulnerability of American infrastructure to cyber threats”

At first glance this seemed to be a “Sun rises in the East, sets in the West” article, as the vulnerability of American infrastructure to cyber threats has been repeatedly “exposed”.

The Colonial Pipeline incident is not the first cyberattack rodeo in the USA as the authors note:

Since 2019, US critical infrastructure targets have suffered about 700 ransomware attacks, including 100 this year, according to data from Temple University in Philadelphia.

As I read on, it seemed, more accurately, that the article exposed two key reasons why incidents like these occur and, thus, why infrastructure is insecure.

Key reasons outlined below in bold. Quotes from the article in the list below each “point”.

Woefully and Criminally Unprepared

  1. Just a quarter of companies in traditional infrastructure businesses, including oil and gas, utilities and healthcare, were properly braced for an attack, estimated Matias Katz, chief executive of the cyber security group Byos.

  2. The oil and gas sector has been criticised for lax cyber security regulation.

Governments have responsibility for being asleep at the switch on regulation. 

Though as Milton Friedman would tell you, if he could, there is no need for government regulation as the “Free” Market solves problems like this all on its own.

It’s all about the Benjamins.

  1. But reconfiguring traditional security systems to account for the ever-changing nature of cyber threats is costly.

  2. Pipeline infrastructure is largely operated by private capital, so there is often a drive to cut costs where possible.

Or, in small words, private companies avoid spending the money. 

As evidenced in the first point above, an estimated 75% of infrastructure operators are not properly prepared.

So it’s not a case of a few exceptions proving the rule about the magical prowess of the “Free” Market correct.

But rather the overwhelming majority proving Dr. Friedman "dead" wrong.

Two further thoughts.

When the going gets tough, our national rough and tumble highly competitive private companies go running to Uncle Sugar for a handout.

  1. You know them. They’re the guys who complain about welfare and how $300 a week unemployment benefits “sap the willingness of the precariat to work”.

  2. While extolling how the “free” market delivers the best solutions to problems.

  3. Now I’m not averse to giving aid to those who are truly struggling.

  4. Colonial Pipeline’s 2018 FYE audited report shows net profit of some US$470 million on total revenues of US$1,397 million (a very nice 33.7% net margin), and interim financials for 1Q2019 show US$137 million in net profit (36% net margin).

  5. It’s not possible to calculate a return on equity as CP has negative equity, perhaps due in part to a generous dividend program coupled with an earlier decapitalization (Treasury stock purchases in prior years). CP paid US$670 million in dividends in 2018!

  6. In light of those statistics, I think Uncle Sugar shouldn’t give them more than $299 a week lest we encourage them to slack off.

  7. As you’ll note from the dearth of public information on its financials after 1Q19, CP is pretty good with keeping their financial information secure. So it’s pretty clear where their security focus is.

As to the problem being “old operational technology systems, some of which predate the internet,” having “outdated security and being difficult to upgrade”.

  1. Old operational systems which predate the internet probably aren’t connected to the internet.

  2. Thus, they would seem less likely to be vulnerable to hacking and capture unless miscreants were on the premises to infiltrate PLCs.

  3. Analogy: If you only send snail mail, it’s unlikely that hackers are reading your correspondence.

  4. In some cases, if your “internet” technology or programs are “old” enough, they may be extremely difficult to hack/capture.

This is not intended as a recommendation for a Luddite return to manual or outdated systems. But rather as a counter to the “old systems” defense.

It is, to repeat myself, “all about the Benjamins”.

It is a "tried and true" method to motivate folks who focus on money by "threatening" them with large fines and loss of their license to conduct business.


Friday 21 May 2021

Profoundly Disturbing FT Article on Bitcoin and the Environment

Asleep at the Switch


Katie Martin and Billy Nauman had an extremely scary article in the FT on Friday 21 May.

While the main point of the article was about the amount of energy used to mine Bitcoin and its impact on the environment, it was this quote that sent the real chill down my spine. 

Tesla chief executive Elon Musk has highlighted the environmental impact of cryptocurrencies. Amid calls from climate activists for tighter rules, governments and central banks are starting to take notice.

So what the FT seems to be saying is that absent the Technoking’s statement and that of “climate activists” (who, by the way, have been ignored for years), governments and central banks would still not have “taken notice”.

Thus, our fate apparently depends on the random tweets of celebrity businessmen, including one who actually thinks cryptocurrencies are investable assets and whose statements have a volatility mirroring that of Bitcoin.

Did I mention that he has an (indirect) economic interest in a portfolio of some US $1.5 billion (cost) in Bitcoin?

Just the sort of chap one would go to for wise counsel.

What a damning statement on several levels about the official entities whose remit is, as we are told, to look out for us!

Unclear as to whether we should ascribe this sorry state to attitude or aptitude.

Or perhaps more likely to both.

This is not the only example of such behavior.

We’ve seen another just this week.

After the ransomware attack on Colonial Pipeline, the US House of Representatives “sprang” into action. Given the prior somnolence, it must have been quite a “leap”. Olympic at least.

The House Homeland Security Committee—as aptly and ironically named as the House Select Committee on Intelligence—apparently just discovered that cyberattacks and hacking pose a national security threat. 

It has in the words of the Committee’s Chairman brought a “new urgency to our work”.

Given repeated past cyberattack incidents and a manifest failure to act, it may be appropriate to remove the word “new” from the Chairman’s statement.

Otherwise, the unwary reader might be tempted to think that there was some urgency in the past.

Having made this criticism, if you’re a faithful reader of this blog, you know that I try to be fair.

I should, therefore, acknowledge Congress’s achievement in reducing pollution through the prevention of the burning of the USA flag. Achieved without a constitutional amendment or even legislation!

And I think we can be almost certain they will “stand tall” to prevent plant-based substitutes for the hamburger and beer.

So, perhaps, all is not lost.

Just most.

Thursday 11 March 2021

Market Commentary: Bill Gates on Biden's USD 1.9 Trillion Covid Relief Bill

Answers to All Your Questions

Announcing a new feature here at SAM: AA’s trenchant commentary on news and developments in the "market".

I saw on the internet about two weeks ago a Fareed Zakaria interview in which he asked Bill Gates to opine on the Biden USD 1.9 trillion stimulus plan.

I was surprised.

Prior to that, I hadn’t known that Bill Gates was an expert on economics.

As Phil Rosenzweig can tell you, success in one field, particularly one in which an individual makes billions, automatically confers unique knowledge in almost every other field on that individual or at least the appearance of such knowledge.

Often such knowledge is attributed by folks who one hopes should know better.

Given Fareed’s academic and professional focus on foreign affairs, I was surprised that he did not seize the opportunity with Bill to heal an unfortunate rift in the Middle East by asking Bill to provide the definitive analysis of the meaning of “غَدِيْر خُمّ” and “أَهْل ٱلْكِسَاء‎”.

Or perhaps give his solution to the Korea issue.

Sadly, for whatever reason, he did not.

One, or is that two, for the “missed opportunities” file?

I, of course, would have had my own set of different questions.

Before outlining these, I need to make a material disclosure.

Devoted readers of this blog (I’m counting bots so I can use the plural) know that there is a bit of bad blood between Bill and me.

Sometime back I was expecting advice from him on what I should be having for dinner, hoping to draw on another area of his wide ranging expertise after my foray in a mall bookstore's business books section.

Advice that sadly never came.

Madame Arqala, as she so often does, did rescue me on that occasion.

Despite a bit of lingering rancor on that failure, I would have straightaway asked Bill what strategy he would employ as Arsenal’s new head coach to ensure that they repeatedly won the Premier League, the Champions League, etc.

All in the hopes that Brother Stan was watching. Or might see the interview later on the VAR.

I'd probably have moved on from there to ask him to opine on a sharp difference between my elder wiser brother (expert in many things Asian though clearly not on pizza) and me over the best pizza: deep dish or thin crust.

Or perhaps why the last two words in the fourth verse of Surah 112 did not have the same terminal vowels. 

Eventually I’d probably have asked Bill to comment on SolarWinds and Microsoft Exchange.

Why did these events happen?

What could or should Microsoft have done to prevent them?

Perhaps, an area where his skills might be more profitably employed.

Saturday 23 January 2021

A Timely Reinforcement of Points from My Post on SolarWinds

Funny I always thought it was ἀνάμνησις. 
At least that's what I remember.

A while back I wrote about the underlying factors that make hacking “events” like SolarWinds possible and weaken information security. If you missed that “gem”, you’ll find it here.

Part of that post dealt with the risks posed by companies with offices in “risky” foreign countries that 

  1. might expose them to local government pressure to disclose information;
  2. allow local employees—whether pressured or not and one would expect the pressure a local government could exert on its citizens would probably extend to more than a concern for profit—to engage in activities that breached security of information; or
  3. provide a local access point for those foreign governments or other malign actors in those countries to penetrate the companies’ security systems and access information without inside co-operation.
In last Wednesday’s FT, Tom Mitchell wrote about the US Department of Justice’s complaint against a PRC national resident in the PRC and formerly employed by Zoom.

Before going further, it’s important to note that at this point the DoJ has only made allegations against the individual as stated in its press release.

The charges in the complaint are allegations, and the defendant is presumed innocent unless and until proven guilty. If convicted of both charged conspiracies, Jin faces a maximum sentence of ten years in prison.
Two other points to note:

  1. Companies are subject to the laws of the jurisdictions in which they operate, particularly, where they have offices.
  2. The complaint does not allege hacking or surveillance of other than residents of the PRC.
You can read the DoJ press release here.

Here is the accompanying statement by an FBI Special Agent as part of the request for an arrest warrant. The “bits” about the “rectification plan” and involvement of the former employee and other officers of the company are quite “interesting”.

And to round out the picture, Zoom’s perspective on the DoJ complaint.

I think the lessons here are clear. 

On a corporate level, if you are concerned—as well you should—about the security of your corporate information and communications, or if you are worried about the security of your own internal systems: 

  1. it’s a wise idea to avoid dealing with companies that have offices in jurisdictions of “risk”;
  2. in that regard you cannot rely only on the registration or domicile of the company but have to look deeper into shareholding, management as well as location of its network of offices. Not every company in the USA is pure as the driven snow. Nor every company in Switzerland.
On a personal level, if you are using the services of a company with exposure in a jurisdiction of risk, and are concerned about human rights, including your own, it may be equally a wise idea not to use that provider. 

Equally, you might be well advised to inquire whether the provider of a free service/app routinely sells the personal information, contacts, location history, or other aspects of its customers’ life to others. 

There are no truly “free” services, just like there is no free lunch.

It is probably not a good idea to rely on the kindness or conscience of strangers, particularly those focused on their own profitability.

Tuesday 11 June 2019

Cybersecurity

If You Don't Use Wi-Fi, You Can't Get More Secure Than This


AA incautiously steps out of his areas of imagined expertise.

Interested in cybersecurity?  

Here are four articles for you.  
  1. FICO report.