In debating how extensive an infrastructure plan should be, elected officials and policymakers overlooked a key element.
On May 7, hackers disrupted the Colonial Pipeline through a cyber-attack. They used malware to extort money from Colonial Pipeline Co., headquartered in Alpharetta, Ga.
The pipeline runs from Houston to the Port of New York and New Jersey. The company paid $4.4 million to a group identified as DarkSide. Hackers then sent the firm software to unlock the system.
This was the largest cyber-attack on an oil operation in U.S. history. Security analysts regularly assess the weaknesses of the nation’s power grid and consider how to thwart attacks. The incident involving Colonial Pipeline, however, contained some surprises.
“For years, government officials and industry executives have run elaborate simulations of a targeted cyber-attack on the power grid or gas pipelines in the United States, imagining how the country would respond. But when the real, this-is-not-a-drill moment arrived, it didn’t look anything like the war games,” according to a story published Tuesday by the New York Times. “The attacker was not a terror group or a hostile state like Russia, China or Iran, as had been assumed in the simulations. It was a criminal extortion ring. The goal was not to disrupt the economy by taking a pipeline offline but to hold corporate data for ransom. The most visible effects — long lines of nervous motorists at gas stations — stemmed not from a government response but from a decision by the victim, Colonial Pipeline, which controls nearly half the gasoline, jet fuel and diesel flowing along the East Coast, to turn off the spigot. It did so out of concern that the malware that had infected its back-office functions could make it difficult to bill for fuel delivered along the pipeline or even spread into the pipeline’s operating system. What happened next was a vivid example of the difference between tabletop simulations and the cascade of consequences that can follow even a relatively unsophisticated attack. The after-effects of the episode are still playing out, but some of the lessons are already clear and demonstrate how far the government and private industry have to go in preventing and dealing with cyber-attacks and in creating rapid backup systems for when critical infrastructure goes down.”
Somehow, discussions occurring between representatives of the Biden administration and congressional leaders about a proposed $2 trillion infrastructure plan have ignored cyber-security. It took the hacking of the Colonial Pipeline to bring this omission to light.
“Neither the Biden administration’s infrastructure plan nor the counterproposal from Sen. Shelley Moore Capito, R-W.Va., explicitly mentions cyber-attacks, a topic that surged into the public eye after the May 7 hack of a pipeline system that supplies fuel to much of the East Coast,” according to a Roll Call article published Monday by the Watertown Daily Times. “The White House’s proposal touches frequently on strengthening electricity grids in the United States and shoring up the country’s power supply against natural disasters and climate change. But the White House’s 27-page summary of its $2 trillion proposal, which is not yet in legislative language, does not mention cyber-security or hacking, or the terms ‘digital’ or ‘pipeline’ in a context related to cyber-attacks. The $568 billion rebuttal from GOP senators, a two-page list of broad demands for public works investment, also omits cyber-security and hacking.”
Legislators have expressed their views on what spending items rightly constitute “infrastructure.” This is certainly a worthy endeavor.
But protecting critical industries from cyber-attacks must be a priority in any infrastructure legislation. Plans to enhance these security measures need to be worked out and inserted into the bill when it’s presented.
The fuel transportation network is one example of a system upon which our nation depends, and others (water, energy, financial services, aviation, communications) are equally important. Disrupting operations would create chaos and imperil lives.
It’s vital that a plan to thwart cyber-attacks against these industries be developed. The government also should enhance collaborations with organizations in the private sector as well as other nations to identify security weaknesses and prosecute those who exploit them. Eliminating safe harbors for cyber criminals is one way to ensure more peaceful and prosperous global relationships.