2021-05-15
THE CONVENTIONAL wisdom that you don’t pay ransom money because it just rewards the kidnappers and encourages them to do it again is apparently out the window when it comes to computerized kidnapping of major infrastructure.
Bloomberg first reported last Thursday that the Georgia-based Colonial Pipeline Co. paid hackers $5 million in untraceable cryptocurrency after they shut down the nation’s largest gas pipeline, forcing major gasoline and jet fuel shortages along the entire East Coast. That included Virginia—where GasBuddy reported that 52 percent of the commonwealth’s stations found themselves out of gas on Wednesday.
By Friday, the pipeline was fully operational again, but not before at least one gas station in the commonwealth charged motorists nearly $7 a gallon.
Here’s the conundrum Colonial Pipeline faced: If it refused to pay the ransom, the pipeline shutdown could have been much worse—even permanent. But paying the ransom undoubtedly emboldened the cybercriminals to spread their malware to another unwitting victim.
Blaming Colonial Pipeline for letting its guard down ignores the fact that ransomware—which encrypts computers and even servers with a digital key that the hackers refuse to hand over without a payment—has been around since 1989, targeting everything from police departments to high-profile law firms, banks and credit unions, and even hospitals. Commonplace technology such as USB drives and emails has been used to gain access to vulnerable data systems and hold them for ransom.
In 2020 alone, there were nearly 2,400 ransomware attacks on state and local governments, schools, health care facilities and other entities that paid $300 million in ransom, according to Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University, and Mark Montgomery, senior advisor to the chairmen of the Cyberspace Solarium Commission.
The commission released a report in 2020 strongly urging the U.S. to adopt a “layered cyber deterrence” that rewards acceptable behavior and imposes steep costs on individuals, criminal groups or nation-states that target American cyberspace.
Last week, President Biden signed an executive order that removes barriers to information sharing between the government and IT providers, and takes other steps to prevent cybercriminals from gaining access to government and key U.S. industry databases.
U.S. Senator Mark Warner of Virginia, chairman of the Senate Select Committee on Intelligence, said in a statement that “the United States is simply not prepared to fend off state-sponsored or even criminal hackers intent on compromising our systems for profit or espionage. This executive order is a good first step, but executive orders can only go so far. Congress is going to have to step up and do more to address our cyber vulnerabilities.”
Exactly so. Especially when many, if not most, of these cyberattacks are coming from offshore. When a 5,500-mile pipeline that carries more than 2 million barrels of gasoline and jet fuel from refineries in Texas to New York on a daily basis is hijacked by cybercriminals, creating a state of emergency in 17 states, this is no longer an industry problem, but an urgent matter of national security.
The hack prompted the FBI and the Cybersecurity and Infrastructure Security Agency to issue a joint warning to infrastructure companies, noting that “prevention is the most effective defense against ransomware.”
But Biden’s massive $2 trillion infrastructure spending bill “doesn’t address securing infrastructure from malicious cyber activity. The president’s budget proposal for next year also doesn’t prioritize cybersecurity,” Cilluffo and Montgomery pointed out.
This is unacceptable. If the nation’s electric grid or other key infrastructure—such as water treatment plants—is targeted by ransomware, the damage could be catastrophic.
Republicans and Democrats in Congress who are currently fighting over the size and scope of the infrastructure bill should at least be able to agree on this—and pass bipartisan legislation that hardens our critical support systems before it’s too late.