Storage tanks stand at the Colonial Pipeline Co. Pelham junction and tank farm in Pelham, Alabama, U.S., on Monday, Sept. 19, 2016. Credit - Bloomberg—Bloomberg via Getty Images
After more than a decade of warnings about the vulnerability of U.S. energy infrastructure to hackers, a cyberattack on a major pipeline has left over a dozen states scrambling for gasoline, jet fuel, diesel, and other petroleum products.
Drivers in states like Georgia, South Carolina, North Carolina, and Florida converged at gas stations. Virginia Governor Ralph Northam declared a state of emergency. Meanwhile, the Department of Transportation issued an emergency declaration of its own to examine federal statutes—some more than a century old—to determine how the government could relax rules or enact powers to ensure greater flexibility on fuel transport via rail, sea, and highway.
The ransomware attack on the Colonial Pipeline is already considered the most impactful hack against U.S. critical infrastructure in history, cybersecurity experts say, but it also serves as a harbinger of things to come. Computer hacks will increasingly result in having a physical, real-world impact as Americans continue to connect devices from industrial control systems to household thermostats online.
”More and more of what will be held hostage is not just someone’s data, but the operation of physical systems in the world,” says Peter W. Singer, a fellow at the nonprofit New America Foundation in Washington and coauthor of the book, “Cybersecurity and Cyberwar.” “And that might be a system that an entire community or nation depends on, like a power or gas system, or it might be an individual system in a home.”
Successive presidential administrations have failed to compel U.S. businesses to participate in public-private information-sharing partnerships and craft consistent policies related to responding to adversaries’ assaults. In the interim, cyberattacks have spiked. “Deterrence has failed so far,” Singer says. “It’s failed against criminal actors. The fear over jail or financial sanctions did not dissuade cyber criminals.”
The FBI confirmed Monday it was investigating the Colonial Pipeline attack and had traced it to DarkSide, a cyber gang based in Eastern Europe notorious for hacking into companies’ systems, encrypting their files and extorting them to pay large ransoms to unlock the data. The so-called “ransomware attack” is the latest in a string of high-profile hacks over the past five years.
It’s been lucrative business. Emsisoft, a cybersecurity company, found at least 2,354 U.S.-based governments, healthcare facilities, and schools were victims of ransomware in 2020, with payments totaling more than $900 million. “The impact of the attacks was alarming: ambulances were rerouted, radiation treatments for cancer patients were delayed, medical records were rendered temporarily inaccessible and, in some cases, permanently lost, while hundreds of staff were furloughed as a result of the disruptions,” Emsisoft reported. “The University of Vermont Health Network, which furloughed 300 staff, estimated the cost of the attack at $1.5 million per day.”
The hack against Colonial Pipeline, which sends more than 100 million gallons of fuel daily from Houston to New York, choked off the nation’s oil supply to much of the Eastern Seaboard where it supplies about 45% of the region’s fuel. The company is aiming to “quickly and safely” restore service within the next few days. In the interim, dozens of gas stations reported being without gasoline, according to GasBuddy, an app that tracks fuel prices and demand.
The Colonial Pipeline attack comes just five months after the U.S. government revealed a massive, long-running hack of some of its most sensitive networks. Under the so-called Solar Winds hack, suspected Russian hackers broke into networks belonging to the Pentagon, Department of Energy, as well as top U.S. private businesses, rummaging around in them and likely reading emails and gathering data.
And yet warning signs have been blinking red for years. Chinese hackers stole the personnel files of 4.2 million government employees, as reported by the U.S. Office of Personnel Management in 2015, including the real names of intelligence officers serving in covert positions around the world. That same year, Russian hackers were blamed for a phishing attack that seized control of the Pentagon Joint Staff’s unclassified email systems. In 2016, Russian military intelligence officers were indicted for crimes including hacking the computers of the Democratic National Committee primarily through phishing emails.
Congress created the Cyberspace Solarium Commission in 2019 specifically to develop a strategy against major hacks. Last March, the commission made 52 legislative and 30 non-legislative recommendations in a report. Only a fraction have been implemented.
“The Cyberspace Solarium Commission was envisioned to be ‘the 9/11 commission that averts a cyber-9/11,’” the commission’s co-chairs, Senator Angus King, an Independent from Maine, and Representative Mike Gallagher, a Republican from Wisconsin, said in a statement following the Colonial Pipeline attack. “America can and must be better—we must be imaginative, and proactive, in navigating the threats of the age of cyber aggression.”
The Biden Administration launched an initiative last month to bolster cybersecurity in the nation’s power grid. In the wake of this latest hack, there may never be a better moment to redouble defenses.