Last Friday, cyber extortionists penetrated the networks of the company that controls the fuel pipeline serving half of the United States. The company shut down its industrial systems as a precaution, only starting the process of turning them back on late Wednesday. That’s scary, as the lines of people on the east coast waiting to fill their tanks can attest.
But if you’re looking for a way to put this incident in its proper, even more frightening context, look to the testimony Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency gave to Congress on Tuesday. CISA, part of the Department of Homeland Security, is in charge of protecting critical infrastructure from cyberattack. But after an attack on some of the country’s most infrastructure, potentially affecting hundreds of millions of people and dollars, Wales said his agency has yet to receive “technical data” about what’s actually happening.
A big part of CISA’s job is sharing information about vulnerabilities in America’s infrastructure, which has to include the pipeline carrying almost half the fuel for the entire East Coast. The number of severe attacks on America’s digital landscape is only increasing. But we’ve seen no real movement from the U.S. to actually make CISA’s job easier and digital criminals’ jobs harder.
There have been three major cyber catastrophes already disclosed this year: the Solar Winds breach, where a Russian intelligence agency allegedly exploited a software update model to burrow who knows what into thousands of corporate and government servers; an attack originating in China used rented servers inside the United States to invade unpatched Microsoft Exchange servers, affecting, according to estimates, tens of thousands of servers; and an unknown perpetrator hijacked a developer tool called Codecov to sneak spy software into thousands of systems.
Alone, any of these attacks would be a crisis. Together, they’re a catastrophe with no sign of stopping. Bob Gourley, a former chief technology officer of the Defense Intelligence Agency and a voice of sanity in the cyber world, puts it this way: “the point to ponder: will we continue to see one of the most devastating attacks in history every two months? What can we do to slow the rate? What will adversaries do to increase the rate?”
When speaking to Congress, Wales also disclosed that the company that owns the pipeline, Colonial, did not notify his agency about the attack. Nor did it have to: No law or incentive exists to force private companies to disclose its cyber vulnerabilities, even if it turns out that the country literally cannot function properly without knowing them. If Wales’s agency has to beg a law enforcement partner for the basic technical information needed to begin to do its job, then our response to emerging cyber threats is staggeringly whacked.
We’ve seen what can happen when the government puts in mind to something. CISA, under resourced and under-funded, managed to secure election systems from cyber-attacks during a once-in-a-century pandemic. Their staff collaborated with everyone: private companies, academics, their cyber-focused cousins in the intelligence community, foreign partners, and state and local election officials, and achieved a no-fail mission.
CISA’s tactical work on this cyber objective was complemented by at least some strategic messaging from the State Department and some government officials, who successfully convinced nation states that a direct attack on election infrastructure would be too costly. That they conveyed this message amid the cacophony of former President Donald Trump’s deluge of misinformation is miraculous — but they did it.
A model for how to think creatively about major and enduring cybersecurity problems exist. But far too frequently it runs up against a tangle of legal authorities, over-classification of intelligence, bureaucratic equities, and a corporate sector that has no financial or social incentive to change their own companies for the benefit of the cyber commons. The result, too, often, is a schmozz. (That’s the pro-wrestling term for when something major happens in the ring, but then everyone backstage runs out and starts attacking everyone else, and there’s no clarity about what happened or what needs to be done.)
President Joe Biden's newest cyber executive order is a necessary step towards resilience. It asks the public- and private-sector cyber communities, represented by a blizzard of acronyms, to cooperate on new federal incident reporting standards and orders up a number of in-depth studies to quicken the pace of basic cyber defense and standardization.
Most importantly, it also creates a National Transportation Safety Board-like body to serve as the investigators of record for major cyber breaches. Once set up, the team will have access to both highly classified intelligence and proprietary corporate data and will be required to make its findings public.
It’s a good start. Congress needs to build on this initiative and require that private companies working on what’s deemed to be critical infrastructure develop an immediate reporting system for cyber breaches based on the criteria developed by the executive order. And everyone involved has to develop cyber insurance standards that don’t penalize the private sector for doing their civic duty.
The public has to be willing to accept some trade-offs, too. That means, for example, giving the FBI wider authority to scour domestic networks for malicious cyber-signatures, using military assets to track down cyber criminals, or making it harder to access anything on the Internet without multi-factor authentication or patched software. It’s even worth considering whether internet users should incur social penalties — like having access taken way from popular sites until they add a secure form of authentication — for being insecure.
The only way to deter cyberattacks is to raise the cost would be the attackers must pay for attacking any given system. War metaphors are overwrought and unhelpful here despite their popularity; the physics of the digital world is different enough to make most meaningless. I'll just say plainly that the threat is one that requires persistent engagement and personal resilience. And that in until those things have improved, America remains very vulnerable to the next ransomware attack.