July 30, 2021
In the ongoing battle against cyber attacks, much of the debate centers around what tools we have to proactively protect our critical infrastructure, to react once there is a breach, and to punish those responsible. Three new ideas have recently been put forward to help address these various pieces of the puzzle by using executive, legislative, and legal means to try to counter the threat.
Many of these new proposals are focused on standardizing cybersecurity protocols and reporting mechanisms for private companies, a key challenge that needs to be addressed because about 85 percent of the United States’ critical infrastructure and key resources are privately owned. This challenge is especially acute for our mandate, protecting our elections, because much of our nation’s election infrastructure is also in the hands of private corporations.
The Biden administration has rolled out several executive actions since taking office to help both the public and private sectors get a handle on the growing rash of cybersecurity incidents. Their latest effort is an executive order, announced last week, in which the Department of Homeland Security (DHS) will require federally designated critical pipelines to “implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”
This is the second such directive put forward by DHS regarding pipeline cybersecurity since the ransomware attack on the Colonial Pipeline in May, which seriously interrupted gas availability on the East Coast. Colonial paid approximately $4.4 million to the hackers, reportedly the Russian-based group DarkSide, although the U.S. Department of Justice subsequently recovered most of that money.
These kinds of executive actions target private companies’ behavior as part of the federal government’s efforts to coordinate best practices in prevention and responses. Because the results of cyber intrusions have the potential to impact so many aspects of American life, and specifically our economy and security, the federal government should be compelling private companies to take this threat seriously and do better. (Federal agencies also need to get their cyber houses in order, as evidenced by high-profile intrusions at the State Department and elsewhere.)
While these executive actions focus specifically on pipelines, the lessons we learn from implementing them can help other industries – including those dealing with elections – because bad actors tend to use the same tactics no matter the industry.
In a related announcement last week, the Cybersecurity and Infrastructure Security Agency (CISA) gave the public more details about China’s recent aggressive cyber activity, including the disclosure that state-sponsored Chinese actors targeted 23 American oil and natural gas pipeline operators between 2011 and 2013 — thirteen of which were confirmed compromises, three were “near misses,” and seven “had an unknown depth of intrusion.” Those numbers only cover two years of data, making it crystal clear that pipelines are a key and growing target for bad actors.
At the other end of Pennsylvania Avenue, Congress, which has previously attempted to compel private entities to better protect their critical infrastructure, is now trying to get back in the game after the recent spate of high-profile, costly ransomware and hacking attacks. Last week, a bipartisan group of senators introduced the “Cyber Incident Notification Act,” which would require federal government agencies, federal contractors, and critical infrastructure operators to notify DHS when a cyber breach is detected. Once reported, the federal government can help the companies respond and mitigate the fallout. These private companies would get limited legal immunity if they report incidents, a potentially important incentive for them to do so.
Because elections infrastructure has been designated as critical by the U.S. Government, this bill’s provisions would apply to those companies involved in our elections.
As I’ve written about before, Congress has previously tried to pass legislation on this issue, most notably the Cybersecurity Act of 2012. That bill failed in the Senate — despite strong backing from national security officials and bipartisan support — largely because critics expressed concern about putting additional regulatory burdens on private businesses.
At the time, Senator Joe Lieberman, an Independent and one of the bill’s chief sponsors, did not mince words about the impact of the bill’s failure: “This is one of those days when I fear for our country, and I’m not proud of the United States Senate. We’ve got a crisis, and it’s one that we all acknowledge. It’s not just that there’s a theoretical or speculative threat of cyberattack against our country — it’s real.”
It’s unsettling to think about how much better protected our infrastructure could be today if Congress had acted nine years ago. Now we will see if the damage these attacks can inflict today is so demonstrably serious that it will override those previous concerns about increased private sector regulation.
The third branch of government — the judiciary — is increasingly seeing cases related to cyber attacks as well. For example, some businesses that have been impacted by recent ransomware attacks are turning to the courts for compensation. Several class-action lawsuits have been filed against Colonial Pipeline, including one by a gas station owner over lost revenues caused by the ransomware attack. Another lawsuit has been filed on behalf of consumers who paid higher prices at the pump as a result of the attack.
There is some history of companies paying out money in lawsuits to customers whose private personal information was hacked and stolen in attacks, but there is not a lot of precedent thus far for providing compensation to address a broader range of impacts of cyber attacks. Whether corporations can be held liable for all manner of first, second, and third-order effects of failing to protect their online infrastructure is a real open question — and one that may lead companies to take this threat more seriously given the financial stakes involved.
We know there is no one perfect tool or magic bullet to protect from cyber attacks. That’s why we need as many items in our toolbox as we can gather, including the three new efforts above. It’s really an all-hands-on-deck situation.
Marie Harf
International Elections Analyst, USC Election Cybersecurity Initiative
Marie Harf is a strategist who has focused her career on promoting American foreign policy to domestic audiences. She has held senior positions at the State Department and the Central Intelligence Agency, worked on political campaigns for President Barack Obama and Congressman Seth Moulton, and served as a cable news commentator. Marie has also been an Instructor at the University of Pennsylvania and a Fellow at Georgetown University’s Institute of Politics and Public Service.