Why Congress and the White House aren't treating the Colonial Pipeline security breach seriously enough
Whether the cyber-attacks that shut 5,500 miles of oil pipeline this weekend are coming from private crooks or a state-sanctioned effort is almost beside the point. Somehow our response to this attack, as with the big one on government agencies and companies last month apparently triggered by what looked like Russian-sponsored hackers, ought to be generating a lot more urgency.
The idea that a small group of bad guys in a faraway darkened room can control our electric grid, our fuel supplies, our business functions, our very defenses virtually at will should be as frightening as the prospect of powerful bombs in the likes of Iran or North Korea.
In 10 minutes, these same people will be in a position to send electric cars and trucks awry or kill industrial-scale appliances built with Internet or network connections.
Instead, what we're hearing is much concern about whether oil and gas costs are going to go up in the next weeks as the result of immediate shortages in delivering 2.5 million barrels of oil a day or almost half of production across the East Coast. Actually, if operations are restored within a week, even that result is unlikely.
What we're not hearing is our Democratic and Republican leaders on the barricades over cyber at anywhere near the volume we hear harangues about nonexistent election fraud already six months old, or whether so-called socialism is going to end the American Dream as we know it, or about a dozen cancel culture disasters that some perceive.
Instead, our Congressional leaders seem content holding occasional check-in hearings and leaving the actual work to the Cyber Command agencies to resolve.
One might even call such defenses critical to, um, infrastructure in a realistic look at current technology.
It might be nice to see an approach to international policing that matches the fervor of our continuing community policing debate.
Colonial Pipeline system map (CP)
In the next week, the administration is expected to issue an executive order intended to bolster the security of federal and private systems after two major attacks from Russia and China in recent months caught by surprise American companies and intelligence agencies.
Meanwhile, Colonial Pipeline, a private company, is being tight-lipped over whether it plans to pay a ransom demanded by the suspected criminal hacker group, or has already paid, or when normal operations will resume from closings ordered to prevent further problems from the hackers.
The FBI, the Energy Department and Cyber Command at Fort Meade, Md., all have dived into the detective work, along with FireEye, a private security company hired by Colonial.
This time, officials said they believed the attack was the act of a criminal group, rather than a nation seeking to disrupt critical infrastructure in the United States. But at times, such groups have had loose affiliations with foreign intelligence agencies and have operated on their behalf. That doesn't make it better.
Ransomware is the unchecked attempt by evildoers to threaten damage to computers connected into a network, encrypting the business data that controls increasingly vast operations and demanding payment of millions of dollars in return for the decryption key. It's kidnapping without emotion. When backed by state powers, it veers somewhere beyond espionage and into an actual act of war.
The recent disclosure of a massive breach of government agencies and corporations explains sanctions against Russia last month. If there is more retaliation planned, we won't know about it until Moscow's red lights turn green. We still don't even know how deep and wide the break was. In either case, this is where I'd like to see all that Law & Order haranguing wasted on suppressing votes and threatening jail time for peaceful protests go instead. Where's the Blue in these cases? Where's the send-troops-to-Afghanistan-for-20-years demand?
Colonial Pipeline, based in Georgia, said the ransomware attack Friday affected information technology systems and that the company moved proactively to take certain systems offline, halting pipeline operations, to forestall further damage.
I've worked in news companies that dealt with hackers who entered networks that were private and not connected to the Internet, and experienced both the fear that our newsroom operations could be touched—they weren't—and the difficult creation of defensive shields and practices. Hackers often can find doors opened through getting an employee to unintentionally allow a malicious piece of software to enter through an otherwise innocent-looking email. Or they can criminally seek to obtain employee identification information allowing more direct access.
It can be hard to protect against in a working environment or a society that prizes individualism over security, which is exactly where America finds itself. We're relying more and more on machinery and the networks that increasingly operate it, often without human intervention. That creates opportunity for bad guys.
The Associated Press notes that while there have long been fears about U.S. adversaries disrupting American energy suppliers, ransomware attacks by criminal syndicates are much more common and have been soaring lately. The Justice Department has a new task force dedicated to countering ransomware attacks across types and size of businesses or agencies.
So far, the advice in the security industry and government alike is akin to coronavirus—take heed of the problem and take common-sense steps toward hardening network defenses. There are no vaccines that outlast the latest and greatest hacker attempts.
Attacks by criminal syndicates operating out of Russia and other countries reached epidemic proportions last year, costing hospitals, medical researchers, private businesses, state and local governments and schools tens of billions of dollars, AP reports. Average ransoms paid in the United States tripled to more than $310,000 last year, on top of the cost of an average business outage of 21 days for each incident, according to security firm Coveware.
American cyber folks say that some of these criminals have worked with Russia's security services and that the Kremlin benefits by damaging adversaries' economies and by gaining cover for intelligence-gathering.
Anne Neuberger, the Biden administration's deputy national security adviser for cybersecurity and emerging technology, told AP that the government has an effort under way to help electric utilities, water districts and other industries defend themselves. The goal seems to be to ensure that control systems serving 50,000 or more Americans have the core technology to detect and block attacks. The White House has announced a 100-day initiative aimed at protecting the country's electricity system by encouraging owners and operators of power plants and electric utilities to improve capabilities for identifying cyber threats to their networks.
U.S. Cyber Command and the Department of Homeland Security last month released details on eight code files attributed to the Russian Foreign Intelligence Service that were used in the so-called SolarWinds attacks discovered earlier this year. The disclosure was described as part of "Hunt Forward" operations to generate insights into the source of attacks.
It's not exactly 100 million shots of vaccine in the arm in 100 days, but it is a start. I'd prefer that we wipe out the bad guys rather than issuing sanctions and warnings to protect ourselves.