Pipeline shutdown shows need for tougher cybersecurity laws
The six-day shutdown of a key 5,550-mile fuel pipeline earlier this month after a malware attack proved a case study of all the things that can go wrong when the private sector, which controls crucial parts of American infrastructure, drops the ball on cybersecurity and the government doesn’t have the ability to adequately prevent cyberattacks or control the fallout. Our adversaries are watching, which underscores the urgent need for Congress and the White House to move quickly to stop the next breach.
The result of Colonial Pipeline’s response to a recent hacker attack was swift and far-reaching. The private firm closed the spigot on the supply of nearly half of the East Coast’s gasoline, diesel, and jet fuel — something that had never been done before. A combination of fuel shortages and panic buying caused long lines to form at gas stations from Washington, D.C., to Florida. US air travel routes were altered to add stopovers to allow planes to refuel in central and northern states.
And the cybersecurity breach that caused it all was not a sophisticated hack perpetrated by nation-state spies from China or Russia. It was a ransomware attack by a group of Eastern European cyber bandits known as DarkSide, which successfully extorted $4.4 million from Colonial Pipeline as the company rushed to regain control of its information technology system and ensure the hackers had not penetrated the pipeline’s operational system.
In the end, the pipeline was brought back online and DarkSide shut down operations. But the worst damage was already done: The incident revealed just how easy it was to bring a massive part of American infrastructure to a halt with a hack that, by cybersecurity standards, was about as sophisticated as a pickpocketing.
President Biden responded by signing an executive order that, among other things, would provide incentives for IT service providers to share information with the government about cybersecurity vulnerabilities and breaches. The order would also create a cybersecurity safety review board that would review and analyze breaches and make security recommendations, similar in authority to the National Transportation Safety Board, which investigates airline and railroad safety incidents.
But Congress must do more. That begins with imposing mandatory reporting rules requiring private sector firms in charge of parts of the nation’s critical infrastructure to disclose potential and actual breaches so that the government and industry can react more quickly to mitigate the fallout. Such a measure has been debated in Congress for more than a decade but until now has failed to result in new law.
“We need to build a structure that facilitates and supports open communication and trust . . . between this critically important infrastructure and the government in order for the government to be able to help,” said Senator Angus King, independent from Maine, in an interview. King is cochair of the Cyberspace Solarium Commission, established by Congress to bolster US cybersecurity protections.
Private sector firms are often reluctant to share critical information about cybersecurity vulnerabilities or threats for fear of civil liability and because the number of phishing or other low-level security breach attempts they encounter is so large. King said providing liability protections as well as carefully limiting and defining what qualifies as reportable incidents would be the carrots to the mandatory reporting requirement’s stick.
There is much more that should be done to buttress the cybersecurity of our nation’s critical infrastructure. That includes implementing more streamlined federal oversight in place of the current multiple-agency approach, which can be cumbersome, duplicative, and slow; holding Russia accountable not only for its own cyber-espionage but also for harboring other cyber attackers within its borders; and tightening the federal government’s own cybersecurity, which was revealed to be vulnerable last year by the SolarWinds hack, which affected private and federal government systems alike.
But holding those in control of American fuel supplies, electrical grid, transportation systems, and other key infrastructure components accountable and responsible for keeping their information systems secure is a tangible first step Congress should take now.
Editorials represent the views of the Boston Globe Editorial Board. Follow us on Twitter at @GlobeOpinion.
Gloss