The assault on Colonial Pipeline Co. last week was a particular affront. Not only did it disrupt fuel distribution on the East Coast, it followed an effort by the Biden administration to act against cyber crime — especially ransomware, where criminals remotely disable a computer system and demand payment. Colonial was hit on day 37 of a 60-day push by the Department of Homeland Security to confront such attacks.
The administration’s campaign is the latest in a long series of cyber strategies offered by presidents and lawmakers from both parties to curb hackers. For years, security experts have offered concrete recommendations for governments, companies and other organizations to follow to ward off cyber-attacks, but they’re often ignored, or punted in favor of more pressing concerns.
“There has to be a different way of approaching this if we are going to stop this plague,” said Philip Reiner, chief executive officer of the Institute for Security and Technology. Reiner’s group recently offered 48 actions the Biden administration and the private sector could pursue against ransomware.
The Colonial pipeline was idled for the third consecutive day on Monday, as fuel suppliers increasingly worry about the possibility of gasoline and diesel shortages along the U.S. East Coast. The company said Monday it expects the pipeline to be “substantially” back in operations by the end of the week.
While President Joe Biden recently imposed sanctions on Russia over the hack of SolarWinds Corp., the threat of retaliation or prosecution from the U.S. holds little deterrence — at least so far. Many criminal hackers reside in countries that ignore them or tacitly approve of their behavior. Actions to punish state-sponsored hacking groups — including sanctions and indictments — have previously done little to counter the assaults.
The list of recent cyber-attack targets reflects both the sophistication and brazenness of the hackers. In government, the victims include the Department of Homeland Security, the Illinois Attorney General’s Office, even the Washington, D.C., police department. In the private sector, hackers infiltrated big tech companies like Microsoft Corp., the cyber-security firm FireEye Inc., San Diego-based Scripps Health and even the Houston Rockets of the National Basketball Association.
While Homeland Security advises critical infrastructure operators on risk management, private industry is still responsible for securing its own networks. The result is uneven protection: Some companies, including major banks, have invested heavily in cyber-security. But many others have followed a pattern of ignoring or minimizing the need for safeguards, which can be costly and easy to defer.
Recent cyber-attacks against Twitter Inc., and SolarWinds, occurred after security employees warned about weaknesses in the companies’ defenses.
The problem is particularly troubling for companies that operate critical infrastructure. Initiatives to enhance the security of the operational controls used to run the U.S. electrical grid and other energy infrastructure are years behind better-known efforts to shield data centers and corporate systems, experts say.
In the federal government, the non-partisan Government Accountability Office alone has issued some 3,300 recommendations since 2010 for agencies to address vulnerabilities, yet at least 750 had not been implemented by the end of last year.
“Although the federal government has made selected improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country,” the GAO warned in March.
In 2019, Congress created a special group — called the Cyberspace Solarium Commission — specifically to come up with a better, more comprehensive plan to fight back against major hacks. The commission made 52 legislative recommendations in a report last March; Congress has enacted 25 of them so far; roughly 10 of 30 non-legislative recommendations have been implemented.
“The Cyberspace Solarium Commission was envisioned to be ‘the 9/11 commission that averts a cyber-9/11,’” the commission’s co-chairs, Senator Angus King, Independent of Maine, and Representative Mike Gallagher, a Wisconsin Republican, said in a statement after the Colonial breach.
“One of the gravest lessons from the terrorist attack 20 years ago was that it was a failure of imagination,” they said. “America can and must be better –- we must be imaginative, and proactive, in navigating the threats of the age of cyber aggression.”