A decade ago, after hackers were caught infiltrating natural gas pipeline operations and an al-Qaeda video emerged calling for an “electronic jihad” on U.S. infrastructure, then-Senator Joseph Lieberman tried to sound the alarm.
The system is “blinking red,” Lieberman warned his Senate colleagues during debate on the threat in 2012. “Privately owned and operated cyber infrastructure can well be, and probably some day will be, the target of an enemy attack.”
Led by the Connecticut independent and one-time vice presidential candidate, lawmakers sought to require energy companies to strengthen computer security. But the effort withered under fierce lobbying by oil companies and other corporate interests that succeeded in killing the legislation. That left in place a system of voluntary guidelines that failed to stop last month’s ransomware attack on Colonial Pipeline Co., which paralyzed a major artery for fuel along the East Coast.
“It’s really a lost opportunity,” said Lieberman, now senior counsel at Kasowitz Benson Torres LLP. “The attack on the Colonial Pipeline might not have happened if we passed the legislation.”
Now, in response to the attack, the Department of Homeland Security is preparing to jettison the voluntary approach and impose cybersecurity requirements on pipelines, according to a person familiar with the plans who asked not to be identified before a formal announcement.
That would be a defeat for oil companies and pipeline operators that for more than a decade have successfully fought off federal standards to thwart cyberattacks from legislation or regulatory agencies. Unlike power plants, U.S. pipelines are not required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them when it was created in the wake of the Sept. 11, 2001 attacks.
The Transportation Security Administration, the DHS agency in charge of protecting the nation’s pipelines, will issue a directive this week requiring pipeline companies to report cyber incidents, according to the person familiar with the plans. Additional requirements for safeguarding facilities and responding to attacks are set to be advanced in coming weeks, the Washington Post reported.
“The Biden administration is taking further action to better secure our nation’s critical infrastructure,” DHS said in a statement on Tuesday. “We will release additional details in the days ahead.”
Until now, the TSA had resisted using its authority to mandate cyberprotection measures.
“My belief was we could get quicker and better security through working with the industry instead of regulating them because regulations set minimum security standards and industry in many cases was doing more than that,” said Jack Fox, who served as the agency’s manager of pipeline security before retiring in 2016.
Lieberman’s bill would have imposed cybersecurity performance requirements on privately owned critical infrastructure — and slap fines on companies that fell short. The rules would have been applied to more than pipelines: sectors where a hostile take-down of computer systems could lead to mass casualties, the collapse of financial markets or the disruption of energy and water supplies, were to be included.
Even a watered-down version of the bill failed to overcome a Republican-led filibuster.
For Lieberman, the failure still stings.
“We would sort of ask ourselves who is driving this aggressive opposition and the answer we were getting was the energy companies and the pipeline companies,” he said.
Every major U.S. oil company — including Exxon Mobil Corp., Chevron Corp. and ConocoPhillips — lobbied on the legislation, alongside some refiners and at least one pipeline operator. Colonial didn’t lobby on the measure in 2012, according to disclosure forms it filed with Congress. However, groups it belonged to did, including the American Petroleum Institute, the Association of Oil Pipe Lines and the Chamber of Commerce — a political titan that reported spending $103.9 million influencing government policies in 2012.
The Chamber opposed the legislation at the time, calling it an overly broad, heavy-handed approach to regulation that threatened to create an “adversarial“ relationship between the government and private industry instead of fostering collaboration against cyberattacks. The group backed an alternative approach focused on greater sharing of threat information, a stance it continues to endorse today.
“We support a public-private collaboration that strengthens our cybersecurity in all sectors, including pipelines, to benefit all Americans,” said Matthew Eggers, vice president of cybersecurity policy for the Chamber.
Cybersecurity experts and government officials have cautioned for years about the consequences of a pipeline hack, including in 2019 when the Office of the Director of National Intelligence issued a report warning a cyberattack could disrupt a pipeline “for days to weeks.”
Nevertheless, there was widespread business opposition to the Lieberman bill, with almost every affected industry, from financial services to communications, getting involved to warn the proposed cybersecurity mandates would insert the heavy hand of government into corporate affairs.
But proponents warned that mandates were essential to ensure there were sufficient safeguards amid a barrage of ever-more sophisticated attacks on private companies running power plants, dams and other critical infrastructure.
Weeks after the bill’s introduction, the Department of Homeland Security warned hackers had spent months trying to infiltrate computer systems for a number of natural gas pipeline operators. ABC News reported the FBI had obtained an al-Qaeda video calling for “electronic jihad” against U.S. critical infrastructure. And computer security firm McAfee Corp. warned of coordinated, ongoing cyberattacks on global energy companies in 2011.
The hacking episodes foreshadowed how alluring fuel delivery systems are to cyber-criminals, like the Russia-linked group that used DarkSide ransomware to hold Colonial’s computer systems hostage around May 7. The company was forced to shut down its roughly 5,500-mile-long (8,851-kilometers-long) pipeline system, which provides about 45% of the fuel used on the East Coast, spurring outages at filling stations and the payment of a $5 million ransom before service resumed five days later.
It’s not clear whether mandates would have thwarted the attack, and investigations are still underway. Colonial has pledged to “review any proposal that takes lessons learned from this event that strengthens or hardens our infrastructure.”
Oil and pipeline trade groups steadfastly insist now is not the time for prescriptive federal mandates.
“Any discussion of regulation is premature until we have a full understanding of the details surrounding the Colonial attack,” said Suzanne Lemieux, API’s manager of operations security and emergency response. “But we are committed to continuing our robust coordination with all levels of government.”
The trade association added in a statement it was generally aligned with the Chamber on the issue in 2012 and cautioned against a prescriptive one-size-fits all regulatory approach that it said would be counterproductive.
John Stoody, a spokesman for the Association of Oil Pipe Lines, whose members include Colonial Pipeline, said “We want TSA to get right anything they plan to do.”
“For example, an overly broad reporting requirement could overwhelm TSA with hundreds of thousands of cyberattack reports every day that would not do anyone any good,” he said.
Chevron said in an emailed statement that federal regulation “should take a risk-based approach” that gives companies flexibility to defend against threats. And Exxon noted that the rapid evolution of cyber threats means “any formal and prescriptive cybersecurity requirements for the industry are often outdated upon completion.”
The Transportation Security Administration has long taken a similar approach. A branch manager in the agency’s office of surface operations last year boasted it involves “very few regulations” and a “cooperative approach to industry adoption of security measure,” according to a presentation archived on the agency’s website.
The TSA opted not to regulate the pipeline sector because it felt a partnership with industry was more efficient, said Fox, the retired TSA manager of pipeline security.
“A regulation takes months or years to change,” Fox said in a phone interview. “With this partnership we could make a phone call and say we need you to do such and such and it would be reacted to the next day.”
Fox said he didn’t think the Lieberman bill would have prevented the Colonial cyberattack.
“You can regulate whatever you like,” Fox said. “We have regulations on speed limits and gun control and all kinds of things so if you regulate something it does not means it’s not going to happen.”
Ultimately in 2012, Lieberman and Collins watered down their bill in a desperate bid to win over Republicans to get it passed. They dropped mandates and fines in favor of a measure that would create only optional requirements.
But even the pared-back bill wasn’t enough. Continued concerns about liability and privacy haunted the legislation, and the Chamber opposed the new version too. It was twice defeated by a Republican-led filibuster, ultimately falling nine votes shy of the 60 needed to cut off debate in November 2012.
Amy Myers Jaffe, a Tufts University professor and author of “Energy’s Digital Future,” said the Colonial cyberattack may be the pipeline industry’s “Macondo moment.”
That’s a reference to the Gulf of Mexico oil well that blew out in 2010, killing 11 workers and unleashing the worst oil spill in U.S. history.
An overly cozy relationship between federal regulators and oil companies was blamed for contributing to the disaster, Jaffe said. “It’s shocking to me to think that an industry that likes to brag about its safety records would ever have lobbied against having government-run standards that are mandatory for cyber-security in vital energy infrastructure.”
— With assistance by Bill Allison, Gerson Freitas Jr, and Robert Tuttle