Late last week and over the weekend, the Colonial pipeline, which carries 45% of the refined petroleum products used across the east coast of the U.S., was shut down due to a ransomware infection apparently launched by a Russian criminal group. Let me be clear, this is not a wake-up call. It is the result of repeatedly hitting the snooze button for a quarter century.
Almost 25 years ago, a juvenile hacker shut down communications to the Worcester, Massachusetts airport. As a result, airport personnel lost the ability to contact security, call fire engines, and communicate by their main radio. The transmitter that activated the lights for the runway was out. The air traffic controllers were only able to communicate with planes by battery-powered radio and with others by a single cell phone. According to the airport manager “Had we been busier, the potential for a serious incident with dire consequences was there.”
Perhaps you think now is different – we are in the midst of a pandemic that has required remote access, exposing critical systems to attack. There was no pandemic in 1997, but there was still a business need for remote access, which is exactly how the attack occurred. The telephone company allowed remote access to the system that was shut down “so that telephone company technicians could change and repair the service provided to customers by these loop carrier systems quickly and efficiently from remote computers.”
A number of cyber incidents came to light more than twenty year ago, including the ILOVEYOU and Melissa viruses. More serious intrusions into government networks also took place in the prior century, including Solar Sunrise and Moonlight Maze. These attacks came from nation states, hackers and hacker groups, and even juveniles. National security was at risk. Government and the private sector took steps. Few made even a tiny dent in exponentially increasing cybercrime and attacks.
Almost 10 years ago to the day, the Obama administration released a legislative proposal that sought to establish performance-based requirements for the most critical of critical infrastructure. The proposal was the lightest of light-touch regulation, with sanctions that amounted to “naming and shaming” violators rather than imposing any fines and penalties. Although criticized as “weak tea” because it was so light touch, the proposal went nowhere. Senators Lieberman and Collins included key parts in their cybersecurity legislation, but it failed in the Senate, opposed by a widespread coalition of actors.
So don’t talk to me about wake-up calls. Here’s something more recent, from four years ago:
Reitinger and numerous others veterans in the field have been making many of the same calls through the years: Commit proper funding, like to any other national security threat; write new laws that would tangibly incentivize and enforce good behavior by companies large and small; put proper priority on creating a system that can defend itself. “I’m tired of people writing reports and recommendations,” Reitinger says. “We’re not treating this like the moonshot; we just get the words.”
My suggestions, sadly, remain the same as in 2017 or even 2011: respond as you would to any other real, palpable national security threat by committing proper funding, enforce and incentivize at scale good cybersecurity behavior by companies large and small, and prioritize building a cyber ecosystem that can defend itself.
If you don’t like those ideas, there are other other recommendations aplenty. Last week the Ransomware Task Force released a report, emphasizing the need for a whole of government approach. Gen. Paul Nakasone of the NSA emphasizes the need to give the NSA the ability to monitor pretty much all U.S. domestic Internet communications to hunt for attacks. Agree or disagree, and I would disagree without appropriate controls, but at least that is an idea that can be debated.
We need to stop with the half measures. Congress needs to take real action and immediately. Let’s not implement a bad idea but do our best to put into law our best ideas that may work. Otherwise, the snooze button on the alarm is in arm’s reach. Wake me up after another twenty-five years.
The author, Philip Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.