Pipeline ransomware attack shows US economy’s soft digital underbelly
Lest we think the Colonial Pipeline hack is something that happens to other people, consider the pipeline infrastructure that feeds the Pacific Northwest.
A system of four pipelines carries gasoline, diesel, jet fuel and heating oil from the four refineries of north Puget Sound, plus U.S. Oil and Refining in Tacoma, south to Portland, serving customers all along the way. Eastern Washington is served by a separate pipeline network linked to the Gulf Coast.
According to the American Petroleum Institute, 190,000 miles of liquid petroleum pipelines cover the United States. Any could be targeted for shutdown by a hacker group such as DarkSide, which the FBI says is behind the Colonial shutdown.
The 5,500-mile Colonial is just one of them, albeit the largest. But considering its strategic importance to the East Coast and deep-pocket owners such as the Koch empire, ransomware attackers thought: low-hanging fruit.
If you want to get Americans’ attention, hit their ability to drive. Panic buying and gas lines were quickly seen in the Southeast. Midweek, 71 percent of the gas stations in car-burdened Charlotte, N.C., were dry.
Ransomware takes control of a company’s or organization’s software or data until the owners make a payment. Even paying a ransom doesn’t guarantee the owners will get control again.
Initial reports said Colonial refused to pay ransom. But Colonial handed over nearly $5 million to the hackers. Bloomberg reports that the payment was in difficult-to-trace cryptocurrency. In exchange, Colonial received a decrypting tool to help restore its disabled network.
DarkSide, believed to be based in Eastern Europe, released a statement saying, “We are apolitical, we do not participate in geopolitics … Our goal is to make money, and not creating problems for society.”
But no one is safe from cybercrime, whether the attacker is a shadowy group or tied to a nation-state, whether they want money or data or to paralyze infrastructure, and whether the victim is an individual who opened an email containing malware or a leading technology company.
Earlier this year, Microsoft’s popular Exchange email system was the target of hackers tied to the Chinese government. As the company worked feverishly to stay ahead of the hack, it reached crisis proportions affecting tens of thousands of victims and attracting the attention of the White House.
In 2019, Accenture predicted that cybercrime would cost companies $5.2 trillion worldwide within five years. Some 43 percent of attacks were against small businesses, while only 14 percent were prepared to repel them.
Hiscox, an insurer, said the average cost of a digital attack was $200,000. That’s easily enough to put many small companies out of business; many aren’t covered by insurance for cybercrime or can’t afford it.
It’s a Wild West of sublethal international conflict out there. The weaponized malware called Stuxnet set back Iran’s nuclear program in 2009, followed by other cyberattacks; Israel and the United States were seen as carrying them out. Chinese, Russian and North Korean hackers have targeted us, including penetrating government sites and conducting industrial espionage.
It’s not a leap to predict that the next major war will be fought heavily in cyberspace. Before the first shots are fired, an opponent might try to blind the enemy’s satellites by cyber methods, and use secreted malware that wrecks the capabilities of such advanced weapons as the F-35 Joint Strike Fighter and shuts down the U.S. electrical grid. We, no doubt, would try the same.
The result might be more bloodless than previous wars. Unless, that is, a blinded nation fears it’s being targeted for a nuclear strike; then all bets are off.
Longtime readers remember one of my favorite stories about the dangers of techno-magic. In the television series “Battlestar Galactica,” Admiral Adama (played by Edward James Olmos) refused to allow his ship to be networked.
As a result, the aging Galactica was the only warship to survive the deadly Cylon surprise attack that depended on an advanced, networked fleet.
But in the real world, we’re living more than ever online and in the cloud.
President Joe Biden and Congress are under pressure to do more to protect us. The administration is committed to “a global effort” to fight ransomware attacks. That includes criminal prosecutions, going after hacker money laundering, and greater disclosure of breaches.
In 2019, Congress created the Cyberspace Solarium Commission to develop better defenses against major hacks, to prevent “a cyber 9/11.” But only about half of its recommendations have been implemented.
That fits a pattern of paralysis going back to 2010. Since then the Government Accountability Office has offered 3,300 recommendations for agencies to protect themselves. Yet at least 750 had not been put in place as of 2020.
“Although the federal government has made selected improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country,” the GAO said.
And this is only in the federal government, not state or local government, not in the private sector overseeing critical infrastructure. An enormous workload awaits those charged with keeping ahead of cybercriminals.
It’s enough to keep you up at night. Or, in the daytime, be extra suspicious of potential malware showing up as a legitimate-looking email.
Jon Talton writes about business and the Pacific Northwest economy in the Sunday Seattle Times. He may be reached at [email protected] and on Twitter: @jontalton.