Compromise required for cybersecurity
Biden, Congress must act together to prevent another infrastructure ransomware attack.
A major pipeline running from Houston to New Jersey — which provides the East Coast with nearly half its fuel — was shut down over the weekend after the company fell prey to malicious hackers, in what experts believe is the largest ever cyberattack on U.S. energy infrastructure.
A group known as DarkSide infiltrated Colonial Pipeline’s servers and encrypted the company’s data, demanding payment to restore access in what is known as a ransomware attack. This is the latest high-profile incident to become public and to raise the alarm that the government must act to protect vulnerable industries.
The White House on Monday sought to allay fears of a fuel shortage and the pipeline is expected to be fully operational by the end of the week. While it seems as if a disaster was averted, the only guarantee moving forward is that the ransomware problem is going to get worse.
It’s already global, affecting individuals, cities, health care, financial and educational institutions. In the U.S. alone, more than 2,300 organizations faced some level of attack in 2020, including the Texas state court system. That hack came a year after nearly two dozen local governments in the state were hit by a similar coordinated intrusion.
Cybersecurity measures throughout different industries are uneven, and the energy sector is no exception. While large companies have more robust protection, smaller firms are much more vulnerable to cybercriminals.
“If you’re handling a lot of product and you have a lot of cash flow, the expectation would be you’re going to spend on cybersecurity, but not everyone is at the same strategic level as an organization like Exxon or Chevron,” Charles McConnell, a former U.S. assistant energy secretary now at the University of Houston, told the Chronicle. “The question you have to ask is, ‘Does the federal government need to step in to protect the folks that can’t protect themselves?’ ”
The answer is yes. We are still dealing with the fallout of the power grid failure during the Texas freeze. Imagine the havoc that a hacker group or a sophisticated state-sponsored attack could inflict on a larger scale.
President Joe Biden is expected to sign an executive order to strengthen cyberdefenses for federal agencies and contractors. According to reports, the order would also establish a system to share government information with private companies about threats and allow them to do the same.
These are important steps, but the private sector owns and operates most of the country’s critical infrastructure, meaning that Congress must step in to implement minimum cybersecurity standards for companies that are outside the federal procurement chain and that oversee vital systems, including the energy industry.
The last major effort in 2012 was scuttled by a Republican filibuster, as lawmakers opposed the bill, claiming the standards would have been too onerous for corporations. With national security on the line, compromise is the only path forward.
So far, at least, reaction to the Colonial Pipeline breach points to possible bipartisan efforts to revive these standards, as some Republicans, including U.S. Sen. Ben Sasse, R-Neb., sound willing to include cybersecurity in Biden’s infrastructure plans.
“If Congress is serious about an infrastructure package,” he said in a statement, “at front and center should be the hardening of these critical sectors.”
Cyberattacks are disasters waiting to happen. How long will the next one wait? Congressional leaders shouldn’t wait to find out. They should join the president and the private sector in building a formidable defense for America against the many foreseeable digital dangers, and the ones we can’t even imagine.