The bad guys — some espionage agents of our national enemies, others more ordinary criminals bent on mere extortion — are targeting America’s electronic infrastructure.
America’s digital vulnerability is as big as Colonial Pipeline, the nation’s largest supplier of all varieties of fuel, which was shut down for five days by a malware attack last month. The crime left gas stations with no gas, provoked fuel hoarding and ended only after the pipeline paid a $4.4 million ransom, some of which was subsequently recovered by federal agents.
It’s as local as Tulsa’s water bills, which were frozen harder than exposed pipes in a February ice storm by a similar cyberattack last month. Tulsa paid no ransom, but that left most of the city’s computer-dependent services hobbled as IT people tried to cleanse and rebuild a compromised network.
Last week, the Senate Homeland Security and Governmental Affairs Committee examined the Colonial Pipeline attack and what it reveals about threats to critical national infrastructure.
I watched the Washington hearing from the back bedroom of my Tulsa home, thanks to the U.S. Senate’s electronic network, which works seamlessly, except for a few hiccups when members tried to Zoom in their questions from their offices.
But things don’t always go so well, especially when there is evil afoot.
Hackers from Russia were able to infiltrate the information technology system of the Colonial Pipeline system and steal 100 gigabytes of information in two hours. They paralyzed the computers that make the 5,500-milw pipeline work, and demanded ransom for the codes to restore it to operation.
“The infrastructure that American lives depend upon is increasingly connected — connected to each other and connected to the internet,” said Chairman Gary Peters Sr., D-Michigan. “This gives a whole new meaning to the phrase, ‘You’re only as strong as your weakest link.’”
Those weak links might be hacked accounts, inadequate passwords, a clerk’s foolish click on a random email attachment or any number of other vulnerabilities that are inherent in a system designed and used by human beings.
Everything from the electrical grid to the corner gas station is connected, which means everything is a potential target.
“Cyberattacks used to be merely an inconvenience,” Peters said. “We now know that they can be attacks on our very way of life.”
Colonial President and CEO Joseph Blount Jr. was in the hot seat during the hearing.
He was the one in charge of the company that proved vulnerable. It appears the crooks got in through an aged VPN system that had single-factor authentication and was largely off the company’s radar.
He was the one who signed off on paying ransom to Russian terrorists, thus going against national policy and proving the potential for profit in cybercrime.
“There’s no CEO in America who wants to be sitting in the chair you’re in,” U.S. Sen. James Lankford, R-Oklahoma, a member of the homeland security committee, said.
Blount did a good job in a tough situation. He was straightforward, transparent and committed to doing things better in the future.
But he wasn’t apologizing for paying the ransom that helped get the East Coast back on the road.
“I believe with all my heart it was the right choice to make,” Blount said.
Lankford focused on the lessons learned from the crime and how other companies can apply Colonial’s experience to be prepared.
He also used his time to point out that the incident reinforces the importance of pipelines to the American economy, and to take jabs at the Biden administration for its weak support of the American pipeline industry, no small element of Oklahoma’s economy.
“Pipelines are essential to America,” Lankford said, and no one took him to task on that.
As bad as things were, they could have been worse.
Blount testified that his company didn’t know for days if the cybercriminals had only infiltrated the computer system or if they also had some degree of operational control over the pipeline or parts of it. That would have allowed a crime of extortion to be turned into a spewing, burning attack on the East Coast.
That didn’t happen, but that doesn’t mean it couldn’t happen in the future. If not there, somewhere else, especially if the bad guys are more bent on attacking the nation than their own pocketbooks.
Democrats and Republicans on the committee seemed to agree that the Colonial attack should spur the nation to protect its electronic infrastructure and become more vigilant in pursuing the hackers.
Lankford said the Colonial attack would be “the ghost of Christmas future,” if the nation does not respond appropriately.
Ranking member Rob Portman, R-Ohio, said bluntly that cybersecurity is national security and that attacks such as the one on Colonial should be considered attacks on the United States — with foreign nations held accountable.
Peters didn’t rattle that saber, but he did insist that critical private and public assets must be effectively protected.
“Inaction is not an option,” he said.
Word of the week: transmogrify — transform, especially in a bizarre or magic way. I was this many years old, and reading “Catch-22,” when I figured out that Kurt Vonnegut Jr. didn’t make up the word for “God Bless You, Mr. Rosewater.”