Jandos Rothstein
This article appears in the July/August 2021 issue of The American Prospect magazine.
A cyberattack on the electric grid is the one worst-case scenario that cybersecurity and emergency management professionals fear is imminent. They know that no one, from the utility company executives to the consumers who expect lights on, phones charged, and air-conditioners going full blast, is prepared for a prolonged and catastrophic electric outage. The winter weather-related Texas grid failure previewed what can happen when the electricity stops flowing.
The problem is, in cyberspace, there are no impenetrable systems. Anything designed by humans in the 21st century can be hacked. Most alarming is how private-sector companies fail to pay attention to even the most basic cyber hygiene measures, like backing up computer systems, using multifactor authentication (which requires a second proof of identity, such as a code from a phone app or a hardware token, in addition to a password before granting access to a network), and devising detailed plans to deal with security breaches.
One reason why: money. Many of the firms contracted to protect computer systems throughout the world have been bought up by private equity, which then cuts costs on R&D, offshores labor, and neglects maintenance in order to extract money for the fund managers, leaving businesses—and potentially critical infrastructure sectors like energy—vulnerable to ransomware attacks.
For example, the Kaseya ransomware attack hit about 1,500 companies just before the Fourth of July weekend and demanded ransoms ranging from $50,000 to $5 million. REvil, the Russia-affiliated collective behind the attacks, offered up a decryption key to unlock all the affected systems across the globe for a cool $70 million in Bitcoin. Backed by Insight Partners, a private equity firm, Kaseya provides IT service management software to large and small companies alike.
The 2020 SolarWinds compromise was not a ransomware attack, but the hackers behind it breached and exfiltrated data from key federal agencies like the Pentagon by inserting malware into the company’s network monitoring software, which was then distributed to customers through routine software updates. SolarWinds is also a private equity–owned firm.
Forbes reported that Colonial Pipeline, another ransomware victim, has links to private equity dealmakers, including the venerable PE firm KKR and a pension fund in Canada. Colonial Pipeline, which moves gasoline, diesel, and jet fuels from the Gulf Coast production hubs to the Eastern Seaboard, had not enabled multifactor authentication on the legacy VPN account through which the attackers got in. The DarkSide hackers hit the company’s business IT systems (and later apologized for the disruption), and apparently did not reach the operational networks that control the flow of fuel. Company officials nevertheless shut down those operational systems as a precaution and paid a $5 million ransom. (The new FBI Ransomware and Digital Extortion Task Force ferreted out $2.3 million of the ransom from a DarkSide Bitcoin wallet.)
But hackers don’t even have to shut down operations to create havoc. Panicked drivers drained gas stations in the South dry, even in areas of Florida that do not rely on the pipeline for fuel.
AS THESE EXAMPLES INDICATE, too much of the security burden has been placed on companies that are relentlessly focused on their profit motives, not national security. For too many companies, cybersecurity is still perceived as nice to have, but not an essential cost of doing business. Stronger oversight of the energy sector is likely in the offing now that pipelines, a gateway to electricity production, have been exposed as one of the weakest links.
Ransomware attacks strike new targets every few seconds, according to the federal Cybersecurity and Infrastructure Security Agency (CISA). Attacks can be fended off, or at least minimized, with the proper precautions—if companies take them. Most security failures are policy failures, not technology failures, according to Bruce deGrazia, the head of cybersecurity management and policy at the University of Maryland Global Campus. DeGrazia is a “huge fan” of bringing in penetration testers to test a company’s defenses by hacking into its systems. Network segmentation, or keeping IT networks (e-mail, billing, and other business functions) separated from operational technology (the systems that control generation, transmission, and pipeline flow), is another way to minimize the damage an intruder can do: an attacker who lands on an office workstation should not be able to reach a controller in a substation or pumping station without passing through a tightly monitored choke point.
Hackers once focused on attacking individual computers and demanding hundreds of dollars in ransoms. Today, cyber extortion is big business. Criminals go after entire networks, encrypt a company’s data, and demand a ransom before they’ll provide a key to restore control. Often they will “exfiltrate” (copy or transfer) data and follow up with a second demand: Give them more money or they will publish the data.
COVID-19 was a boon for hackers, too. People working from home on their own devices made their job that much easier; there were no institutional firewalls to get through and no savvy co-workers to prod lax colleagues into better cyber hygiene.
Even before the Colonial Pipeline attack, launching ransomware required little in the way of geek-level skills. A motivated individual could order ransomware on the dark web and, with the right credentials to gain entry, launch an attack against a computer network. (Some groups even offered customer assistance to help out if their malware didn’t work.) Although DarkSide and REvil have been taken offline by forces unknown (President Biden has indicated that the United States planned to act), hackers are likely to find other pathways to accomplish their goals.
“If you are looking to make a quick buck and pay the ransomware developer a commission or cut to use the exploit, it’s a pretty easy business,” Mike Moran of the U.S. Secret Service told a CISA National Cybersecurity Summit last year. Cracking down on cryptocurrency wouldn’t necessarily slow hackers down either. In 2016, when North Korean hackers broke into Bangladesh Bank, the country’s central bank, they steered the money to gamblers in Philippine casinos, who laundered the funds into casino chips.
At the end of May, the Transportation Security Administration, which oversees liquid and natural gas pipelines, issued a security directive that “requires” companies to notify CISA of any unauthorized IT, operational, or physical intrusions; identify a cybersecurity coordinator who can be available 24/7; and report the results of a review of security measures to TSA and CISA. Firms can be assessed daily financial penalties (pegged to the severity of the incident) if they fail to notify CISA of a breach. TSA is “considering follow-on mandatory measures,” according to a DHS press release. Asked to clarify, a DHS spokesperson declined to “speculate on what may or may not happen in the future” when it comes to “issuing permanent regulations.”
The first publicly reported cyberattack on an American electric utility occurred in the West in March 2019. A denial-of-service attack that exploited a known vulnerability in the firewalls’ firmware repeatedly rebooted the firewalls that carried communications between the control center and remote generating sites, cutting off the operator’s visibility for minutes at a time but not affecting power output. A firmware update fixing the flaw had been released before the attack, but the utility had not deployed it. The intruder was never identified.
The North American Electric Reliability Corporation (NERC) oversees the electric grid and has established a set of mandatory compliance standards for energy companies, such as knowing what levels of access to the network are held by particular individuals and how a company plans to handle and recover from an attack. The Federal Energy Regulatory Commission has proposed rules to establish voluntary incentives to persuade companies to go above and beyond the NERC requirements. A trade magazine notes that the Industrial Energy Consumers of America, composed of large manufacturing firms, has called for natural gas pipelines to adhere to the same physical and cybersecurity mandates that the electricity sector does.
Colonial Pipeline’s exceptionally bad PR is likely to persuade some CEOs that paying a ransom is preferable to being summoned to Capitol Hill for a grilling. Cybersecurity experts have called for express prohibitions on paying ransom; so far, CISA and the FBI advise against it. Some companies and individuals have paid ransoms but never got the keys to release their data.
The partial recovery of Colonial’s ransom may give false hope to companies that the feds might be able to recoup at least some portion of their money. Then there are the companies that just may take the write-off. Since ransoms are considered theft, some losses may be tax-deductible. Companies can save money on beefing up information security and instead pay ransoms where necessary (with the government kicking in a portion), and potentially come out ahead. If Congress wants to reduce private-sector complacency about the national-security threat that is cyber extortion, revisiting this section of the tax code may be in order.
In June, Sen. Mark Warner (D-VA), the Senate Intelligence Committee chair, released a draft Cyber Incident Notification Act of 2021 that would require federal agencies, federal contractors, and critical infrastructure owners and operators to report cyber intrusions to CISA within 24 hours, keep those reports confidential, and give reporting companies limited liability protection. The proposed legislation does not address ransom payments; Warner has said that companies should at least disclose if they have paid a ransom.
The upheaval in the cyber attack insurance industry as ransomware attacks increase could speed shifts in the private-sector mindset. Insurers are requiring clients to document the specific procedures employed to avoid breaches as a condition of coverage. Reports note that insurers are also raising premiums and scaling back coverage.
The “lesson learned” guidance that NERC issued after the 2019 attack is full of reminders to pay closer attention to the basics, such as applying software patches promptly, exposing as few “internet-facing” devices as possible, and using virtual private networks, which let remote users reach internal systems over an encrypted tunnel across the public internet instead of leaving those systems directly reachable from it.
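Two of the points above, segmentation between IT and operational technology and minimizing internet-facing devices, come down to a question a practitioner can check mechanically: which flows actually reach the control network, and from where? The following is an added example, not code from the article, from NERC, or from any utility. The zones, the allowed-flow policy, and the flow records are constructed for illustration; the layout loosely follows the Purdue model, with an industrial DMZ holding a jump host between the business network and the OT network.

```python
"""Check firewall flow records against an IT/OT segmentation policy.

Constructed example: the zones, policy and flow lines below are assumptions
for illustration, not taken from any real utility or from the article.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed zones: business IT, an industrial DMZ that hosts a jump host,
# and the OT control network. Anything else is treated as the internet.
ZONES = {
    "IT": [ipaddress.ip_network("10.1.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.2.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.50.0/24")],
}

# Allowed (source zone, destination zone, destination port) triples.
# Everything not listed is a violation: IT may reach only the DMZ, the DMZ
# jump host may reach OT over Modbus/TCP (502) and SSH (22), and OT may push
# historian data back to the DMZ. The internet may reach nothing inside.
POLICY = {
    ("IT", "DMZ", 443),
    ("IT", "DMZ", 22),
    ("DMZ", "OT", 502),
    ("DMZ", "OT", 22),
    ("OT", "DMZ", 443),
}

# Assumed flow-log format (key=value fields); adjust the regex for real logs.
FLOW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Violation:
    src: str
    dst: str
    dport: int
    reason: str


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "INTERNET"


def check_flow(line: str):
    """Return a Violation for one flow line, or None if the flow is permitted."""
    m = FLOW_RE.search(line)
    if not m:
        return None  # not a flow record, or unparseable; skip rather than guess
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return None  # intra-zone traffic is outside this policy's scope
    if dz == "OT" and sz == "INTERNET":
        return Violation(src, dst, dport, "OT device reachable from the internet")
    if dz == "OT" and sz == "IT":
        return Violation(src, dst, dport, "direct IT-to-OT path bypasses the DMZ jump host")
    if (sz, dz, dport) not in POLICY:
        return Violation(src, dst, dport, f"{sz}->{dz}:{dport} not in policy")
    return None


def audit(lines):
    """Run every flow line through check_flow and return the violations found."""
    return [v for v in (check_flow(line) for line in lines) if v is not None]


# Constructed flow records (not real logs): a clean DMZ->OT Modbus session,
# an IT workstation talking straight to a PLC, an internet address hitting an
# OT firewall's web interface, and a permitted IT->DMZ SSH hop.
SAMPLE_FLOWS = [
    "2021-07-01T10:00:01Z src=10.2.0.5 dst=192.168.50.10 proto=tcp dport=502 action=allow",
    "2021-07-01T10:00:07Z src=10.1.5.20 dst=192.168.50.10 proto=tcp dport=502 action=allow",
    "2021-07-01T10:01:30Z src=203.0.113.45 dst=192.168.50.1 proto=tcp dport=443 action=allow",
    "2021-07-01T10:02:00Z src=10.1.5.20 dst=10.2.0.5 proto=tcp dport=22 action=allow",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v.src} -> {v.dst}:{v.dport}  {v.reason}")
```

Run against the constructed records, the audit flags the workstation-to-PLC flow and the internet-to-OT flow and passes the two that go through the DMZ. The useful design choice is that the policy is an allow-list of flows rather than a list of things to block: a new path into OT that nobody wrote down shows up as a violation instead of slipping through, which is exactly the property segmentation is supposed to give you.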
Confronting cyber threats requires a fundamental shift in thinking away from fortress-building—preventing hackers from getting in—and toward mitigating disruptions and getting back online. “When [companies] do their cybersecurity plans for their organizations, those plans must contain some aspect of their contingency plans, in other words, what are you doing to make sure that the damage is minimized?” says Stuart Madnick, an information technology professor emeritus at the MIT Sloan School of Management. “My suspicion is it gets nowhere near the attention it needs to have.”
Update:
Since this article went to press, President Biden put a bright line under the obvious: The United States must adopt more sophisticated strategies to fight the nation-states and malicious actors bent on disrupting the country’s critical infrastructure systems.
To that end, the administration has developed the “Industrial Control Systems Cybersecurity Initiative,” a “voluntary, collaborative effort” to push and prod private sector companies, government agencies, and other institutions into researching, developing, and deploying technologies that can monitor threats, detect intrusions, and respond to breaches in both the business networks and the control systems used by key sectors. The challenge, and it’s a major one, is impressing a sense of urgency on people who don’t understand the threat, don’t take cybersecurity seriously, have no interest in establishing baseline standards, or don’t know how to respond to disruptions when they occur.
The Department of Homeland Security plans to issue preliminary goals for control systems across critical infrastructure sectors no later than mid-September, with pilot programs for the chemical and water and wastewater systems sectors implemented by the end of the year. Electricity and natural gas projects are already underway.
The 16 critical infrastructure sectors are chemicals, communications, government facilities, commercial facilities, critical manufacturing, dams, the defense industrial base, energy, emergency services, financial services, food and agriculture, health care and public health, IT, transportation, water and wastewater systems, and nuclear reactors, materials, and waste.
The White House national security memorandum is a bridge to more robust federal regulation, which can’t come fast enough. The annual defense reauthorization bill for fiscal year 2022 boosts the Pentagon’s cybersecurity efforts by nearly $270 million and adds program proposals such as a voluntary public-private partnership with “internet ecosystem companies” to protect their platforms from cyber intrusions. In the House, the Energy and Commerce Committee reported out eight cyber bills dealing with a range of issues, from stepping up mobile network cybersecurity to creating a literacy campaign to educate Americans about cybersecurity threats and best practices.