The Colonial Pipeline is the largest pipeline system for refined oil products in the U.S. It’s 5,500 miles long and can carry three million barrels of fuel per day between Texas and New York.
Or, at least, it could before it was attacked by criminal hackers operating on Russian soil, under the protection of the Russian government.
It seems like every week there is an alert that some company, federal agency, or municipality is the newest victim of a cyber-attack originating from one of America’s near-peer adversaries.
Does this mean that American cyber dominance is over?
There is a path forward if the federal government and the corporate world can find novel ways to cooperate in the face of this growing threat.
Some shocking statistics
Coming on the heels of the SolarWinds attack, which represented a new scale of nation-state aggression in cyber warfare, the ransomware attack on the Colonial Pipeline is shaping up to be the most impactful hack against U.S. critical infrastructure in history.
Shockingly, eighty-five percent of American critical infrastructure is owned by private companies, yet the U.S. government leaves it to private enterprise to protect itself.
According to NBC News, the National Security Agency (NSA) collects intelligence about cyberattacks, the FBI investigates them after they happen and the Department of Homeland Security (DHS) tries to protect government computers. But no federal agency oversees defending the American public against hackers, be they criminals or intelligence agencies.
“No one would ever think the private sector is responsible for defending itself against North Korean missiles,” said Glenn Gerstell, a recent former NSA general counsel. “And yet the private sector is expected to defend itself against foreign cyber maliciousness.”
A bill that would have established security standards to prevent “large-scale cyberattacks on the nation’s critical infrastructure — including water supplies and the electrical grid — failed in the Senate in 2012.” That was the last time that Congress attempted to fill the huge holes in our nation’s cyber defense.
This is likely what it felt like on December 6th, 1941, before the surprise Japanese attack on Pearl Harbor or on September 10th, 2001. The warning signs are everywhere, yet America’s increasing resistance to federal regulation of private companies is preventing us from protecting companies from all but the most rudimentary cyber-attacks.
The path forward involves greater collaboration between government and corporations
Experts agree that timely information sharing and early warning systems are key to minimizing damage from increasing attacks.
Perhaps the biggest obstacles to information sharing are companies unwilling to disclose information about a hack too soon out of a fear that the company will be exposed to legal liability from its customers and clients.
With this in mind, legislation is necessary that offers liability protection for companies that disclose hacks quickly, so the government has time to respond with its formidable toolset while the hack is still recent, maybe even ongoing.
On the flip side, companies that are reckless with customer data or critical infrastructure protections should be held liable.
Such a carrot and stick approach may be the only way to begin to increase government-industry cooperation.
The latest hack comes as the Biden administration works to pass a $2.3 trillion infrastructure plan which includes funds to fix critical infrastructure vulnerabilities.
As 5G expands and more Internet of Things (IoT) devices come online, the coming decade will show that the stakes are even greater for a hack that could severely disrupt the U.S. economy.
The real question that will be asked decades from now is “Were the Americans asleep on duty?”
Unfortunately, the answer to that question right now is “Yes.”