May 20, 2021
The saga of the Colonial Pipeline ransomware attack continues to unfold, as gasoline availability in many parts of the eastern United States remains unreliable and other critical infrastructure operators worry about what this attack could portend for them. The pipeline’s operations have restarted, so the immediate panic has begun to subside. But the lessons of this relatively unsophisticated attack are only beginning to be understood, and they extend well beyond the energy sector, including to our mandate here at the USC Election Cybersecurity Initiative.
Criminal organizations carry out these attacks using a “ransomware-as-a-service” business model: the group that develops and operates the ransomware leases it to affiliates who conduct the actual intrusions, and those affiliates reportedly get a cut of the profits when victims pay up, as Colonial Pipeline did in this case, to the tune of $5 million. The attackers gain access to a victim’s network, steal its data and lock its systems, then demand a ransom for the decryption key and, increasingly, for a promise not to publish the stolen data.
Many argue that DarkSide, named by the FBI as the perpetrator of the pipeline attack, is not technically a state-backed entity, although experts also assess that it operates within the Russian cybercriminal ecosystem, whose members act independently but often do contract work for Russian intelligence. Analysts believe that DarkSide, which came online in August 2020 and claims to be only “profit motivated,” is likely operating from Russia, a common hub for cybercriminals.
The most crucial lesson of this attack is the importance of identifying vulnerabilities before an attack happens and proactively fixing them. According to an Associated Press (AP) report, Colonial had hired four independent firms since 2017 to conduct cybersecurity risk assessments. The company also said it had increased its overall IT spending by more than 50%, amounting to tens of millions of dollars.
One of the outside audits of Colonial “found glaring deficiencies,” according to the AP. The report’s author said the company had “atrocious” information management practices, “a patchwork of poorly connected and secured systems,” and that “an eighth-grader could have hacked into that system.”
But, and this is the key point, finding vulnerabilities is not enough. We have to act on the findings and remediate them. It is unknown what steps (if any) Colonial took in the wake of these outside warnings, but it is clear they did not do enough.
Prevention is the most important tool in the fight against ransomware. According to one expert interviewed by CNN, the next-best scenario after preventing the intrusion outright is to catch the attackers while they are inside the network but before they execute the final stage of the attack and demand a ransom. That window between the initial intrusion and the encryption of systems can be as long as three weeks, which is time in which monitoring and incident response can detect the intruders and cut off their access.
In the wake of the pipeline attack, debates have also resurfaced about whether the federal government can or should force private companies to meet certain cybersecurity standards, given that about 85 percent of our country’s critical infrastructure and key resources are privately held.
Congress has tried to pass legislation on this issue before, most notably the Cybersecurity Act of 2012. That bill was the most forward-leaning ever introduced on the subject and would have given “the federal government and the private sector the tools necessary to protect our most critical infrastructure from growing cyber threats.” The legislation failed in the Senate, despite strong backing from national security officials and bipartisan support, largely because critics expressed concern about putting additional regulatory burdens on private businesses.
At the time, Senator Joe Lieberman, an Independent and one of the bill’s chief sponsors, did not mince words about the impact of its failure: “This is one of those days when I fear for our country, and I’m not proud of the United States Senate. We’ve got a crisis, and it’s one that we all acknowledge. It’s not just that there’s a theoretical or speculative threat of cyberattack against our country — it’s real.”
It’s unsettling to think about how much better protected our infrastructure could be today if Congress had acted nine years ago, or at any point since then. Lawmakers are currently putting together a variety of new legislative possibilities to address cybersecurity, although it is an open question whether Congress will be able to pass anything.
At the White House, President Biden signed an Executive Order on May 12 that aims to address a number of pieces of this security puzzle, including removing barriers to threat information sharing between the government and the private sector, modernizing and strengthening the federal government’s cybersecurity standards, and creating a standard playbook for responding to cyber incidents. The federal government, of course, has also been the victim of high-profile intrusions, most recently the SolarWinds campaign, attributed by the U.S. government to Russia’s foreign intelligence service, in which the attackers planted malicious code in a trusted software update and thereby compromised nine US agencies and dozens of private organizations.
The threat extends into our communities, as well, as the recent attack on the Washington, DC Metropolitan Police Department underscores. An online criminal gang released thousands of sensitive internal police documents, including disciplinary files and intelligence reports, after the department refused to meet their blackmail demands.
The difference in outcomes between Colonial Pipeline, which gave in to the ransom demand, and the DC police department, which refused, is at the heart of an ongoing discussion about whether to pay ransom. I dealt with this issue during my time at the State Department when we debated the U.S. Government policy of opposing paying ransom to terrorist organizations holding American hostages. On the one hand, many people believe that paying ransom only encourages more demands, more hostage-taking, and more attacks. On the other, there is an argument to be made that getting a hostage home safely or a pipeline back online is more important than money. And in all of these scenarios, there are often no good policy options beyond paying the demands.
The Colonial Pipeline cyber attack should be a real wake-up call for us all. Election infrastructure, which the U.S. Government designated a critical infrastructure subsector in 2017, is a mix of state, local, and private sector holdings. That designation allows the Department of Homeland Security, through CISA, to provide prioritized cybersecurity services at the request of state and local election officials, and these jurisdictions should make full use of them.
Because so much of our election infrastructure is privately owned, these new proposals about mandating cybersecurity for private companies are important. And because a large majority of election technology has been consolidated in a few companies, the consequences of any single compromise have grown, according to the Brennan Center for Justice at NYU. The Center noted in a 2019 report that “more than 80 percent of the voting systems used in the United States are under the purview of just three vendors — and a successful cyberattack against any of these three companies could have devastating consequences for elections.” While the 2020 election was, in the assessment of federal election security officials, the most secure in American history, the threat exists, and it must not be used as a political football in what should be a fact-based debate about how best to protect our elections.
We will continue watching as these policy debates move forward and work with state, local, and private entities to provide the latest information. The threat is real, but we should also not panic. There are effective tools that can help us prevent attacks and mitigate their impact, which is why we need to remain laser-focused on this issue not just when there is a high-profile crisis but every single day.


Marie Harf
International Elections Analyst, USC Election Cybersecurity Initiative

Marie Harf is a strategist who has focused her career on promoting American foreign policy to domestic audiences. She has held senior positions at the State Department and the Central Intelligence Agency, worked on political campaigns for President Barack Obama and Congressman Seth Moulton, and served as a cable news commentator. Marie has also been an Instructor at the University of Pennsylvania and a Fellow at Georgetown University’s Institute of Politics and Public Service.