Home>>Entertainment>>The Colonial Pipeline Ransomware Attack and the Perils of Privately Owned Infrastructure
Entertainment

The Colonial Pipeline Ransomware Attack and the Perils of Privately Owned Infrastructure

On May 8th, I had just flown into Norfolk, Virginia, when news broke that the I.T. system of the Colonial Pipeline Company had been compromised by ransomware and, as a consequence, the company had shut off the flow of the pipeline that supplies oil to most of the eastern United States. It was Mother’s Day weekend, and the line at the airport rental-car counter was prodigious: everyone, it seemed, wanted to drive. When I finally reached the front, I assured the agent that I’d return the car with a full tank of gas. What I did not yet know was that the pipeline, which stretches from the Texas Gulf to Linden, New Jersey—a distance of five thousand and five hundred miles—was the main supplier of fuel to Virginia retailers. The governor, Ralph Northam, made this point three days later when, with the pipeline still offline, he declared a state of emergency.

Of course, by then, anyone driving in Virginia would have figured this out. Many gas stations were shuttered, and lines of cars crowded the ones that were not. “This looks like the seventies,” my mother said, as we idled in one of the lines, behind a car-less man carrying a plastic jug. In Washington, President Biden was urging gas-station owners not to price-gouge. “That’s not who we are,” he said—and for the most part he seemed to be right. Where I was, at least, gas prices stayed below three dollars a gallon, despite the high demand, much of it brought on by panic-buying.

But, if that’s not who we are, this is: we are a country that has seen nearly a thousand reported ransomware attacks on our critical infrastructure since 2013. This includes transportation services, wastewater facilities, communications systems, and hospitals. The average recovery cost of a ransomware attack for businesses is around two million dollars. And the damage is not just financial. A case in point was last fall’s cyberattack on the University of Vermont Medical Center. Not only was it estimated to have cost a million and a half dollars a day in lost revenues and remediation expenses but it also caused the hospital to temporarily furlough or reassign three hundred employees, halt most surgeries, and cancel or postpone some treatments, including those for cancer. The hospital’s vice-president of network I.T., Doug Gentile, said that his team didn’t open a link that presumably contained a ransom note because they had no intention of giving in to the hackers. (Instead, they contacted the F.B.I.) This was not unusual. Last year, about three-quarters of ransomware victims did not pay their attackers. Those that did found that the hackers restored, on average, only sixty-five per cent of the data that they’d hijacked.

Colonial, it turned out, decided to pay. By the time the company announced the hack, on May 8th, it had already transferred five million dollars of bitcoin into an account that, according to the F.B.I., belonged to a criminal gang based in Eastern Europe. (Biden later said that the hackers may have been in Russia.) Even so, the payment didn’t automatically turn the spigot back on. That didn’t happen for another five days. If the pipeline had stayed shut for just another three or four days, according to the Departments of Homeland Security and Energy, the resulting shortage of diesel fuel would have halted shipments of food and other crucial goods across the country.

You might assume that the government would have anticipated the crippling effects of exactly this kind of a cyberattack and established a bulwark of protections to insure that such a thing couldn’t happen. In 2015, President Obama’s D.H.S. did designate dams, defense, agriculture, health care, and twelve other sectors of the economy as “critical infrastructure,” meaning that they “are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” But this designation was descriptive, not defensive: the D.H.S. issued cybersecurity guidelines to those sectors, but, because many companies operating critical infrastructure are privately owned, they were free to ignore them.

Eighty per cent of the energy sector, which includes pipelines, power generation, and the electricity grid, is privately held. D.H.S.’s “energy-specific plan,” also from 2015, noted that “because of the shared responsibility to secure North America’s energy delivery systems against cyber threats, a common vision and framework is needed to guide the public-private partnerships.” But that vision and framework doesn’t exist.

For years, businesses have resisted efforts from the federal government to hold them to robust cybersecurity standards, or to report cyberattacks. They typically argue that such requirements would be prohibitively expensive and damaging to brand identity, because the brands would lose consumers’ trust. Companies have also been stymied by a dearth of cybersecurity talent in this country. Colonial, for instance, had been advertising an open cybersecurity position for at least a month before the ransomware attack. (A company spokesperson told the Atlanta Journal-Constitution that filling the position would not have made a difference in this case.)

In fact, in 2018, an outside audit of Colonial Pipeline found “atrocious” information-management practices and “a patchwork of poorly connected and secured systems.” (One of its authors told the Associated Press that “an eighth-grader could have hacked into that system.” Colonial responded, “We are constantly assessing and improving our security practices—both physical and digital.”) Unfortunately, the company is not an outlier. In 2019, a European cybersecurity researcher, using open-source tools available to anyone, identified and mapped the location of twenty-six thousand industrial-control systems across the United States whose Internet configurations left them exposed and vulnerable to attack. These included dams, power plants, and chemical companies. And, although Colonial claimed that its I.T. system was separate from the software that it used to operate the pipeline, the fact that the company shut down the pipeline as soon as it discovered the hack suggests, as the Times reporters Nicole Perlroth and David Sanger wrote, that the two systems were more entwined than the company was admitting.

The Colonial Pipeline hack was the second major cyberattack with which the Biden Administration has had to contend. (There was also a ransomware hack of Washington, D.C.,’s Metropolitan Police Department, in late April, which resulted in the hackers leaking the personal information of twenty-two police officers.) Although the first, which used the I.T. giant SolarWinds, actually occurred during the Trump Administration, it was not discovered until December, 2020, just weeks before Biden was sworn in. At the time, the President-elect castigated his predecessor for failing to prioritize cybersecurity and said that his Administration would probably respond “in kind” to Russia, whose foreign-intelligence agency, the S.V.R., appeared to be behind the attack. It took months, but on April 15th, Biden issued an executive order levying sanctions on a number of Russian companies and individuals for what he called “harmful foreign activities by the Russian government.”

Unlike the case involving SolarWinds, the attack on Colonial Pipeline does not appear to be state-sponsored. Biden said this in his remarks about the hack, and the hackers themselves made the same claim, stating that they were only after money and had no interest in influencing geopolitics. But influencing geopolitics is exactly what they have accomplished, by illustrating to our adversaries—and to any number of common criminals and rogue nations—how easy it is to upend everyday American life. The hope that other nations will be deterred from attacking our critical infrastructure by the threat of the United States doing the same to them becomes less convincing when we understand that criminal gangs operating from those countries, often with the blessing of their governments, may not be so circumspect. And those gangs give those governments the shield of plausible deniability.

On May 12th, Biden issued another executive order. It had been months in the making, but the announcement was terrifically well timed, because the East Coast pipeline had come back to life less than an hour earlier. (It was several days, though, before sufficient fuel deliveries could be made to bring things back to normal.) “Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments,” a White House fact sheet stated, acknowledging that Biden was no less hamstrung by the private ownership of critical infrastructure than previous Presidents had been. Nonetheless, the order, which is largely directed to federal agencies and their contractors, requiring them to abide by a host of stringent new cybersecurity regulations and reporting requirements, is a clever and significant workaround of the problem. Many of the cloud services and software packages used by government agencies are also used in the private sector. By demanding that “all Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order,” the President is creating the conditions for those standards and requirements to be more broadly adopted. It’s like auto-emissions standards: when California raised its standards, twelve other states decided to adopt those requirements, and five automakers agreed to design all their new cars to meet them. Something similar is likely to occur here, too. “The Federal government must lead by example,” Biden stated.

donate

Please disable Adblock!

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: