Colonial Pipeline Hack Reveals America’s Vulnerabilities

America’s largest pipeline shut down in the wake of a ransomware attack that triggered a gasoline crisis in cities across the Southeast. It’s just one of several major cyberattacks in recent weeks.

(TNS) — Lest we think the Colonial Pipeline hack is something that happens to other people, consider the pipeline infrastructure that feeds the Pacific Northwest.

A system of four pipelines carries gasoline, diesel, jet fuel and heating oil from the four refineries of north Puget Sound, plus U.S. Oil and Refining in Tacoma, south to Portland, serving customers all along the way. Eastern Washington is served by a separate pipeline network linked to the Gulf Coast.

According to the American Petroleum Institute, 190,000 miles of liquid petroleum pipelines cover the United States. Any could be targeted for shutdown by a hacker group such as DarkSide, which the FBI says is behind the Colonial shutdown.

The 5,500-mile Colonial is just one of them, albeit the largest. But considering its strategic importance to the East Coast and deep-pocket owners such as the Koch empire, ransomware attackers thought: low-hanging fruit.

If you want to get Americans' attention, hit their ability to drive. Panic buying and gas lines were quickly seen in the Southeast. Midweek, 71 percent of the gas stations in car-burdened Charlotte, North Carolina, were dry.

Ransomware takes control of a company's or organization's software or data until the owners make a payment. Even paying a ransom doesn't guarantee the owners will get control again.

Initial reports said Colonial refused to pay ransom. But Colonial handed over nearly $5 million to the hackers. Bloomberg reports that the payment was in difficult-to-trace cryptocurrency. In exchange, Colonial received a decrypting tool to help restore its disabled network.

DarkSide, believed to be based in Eastern Europe, released a statement saying, "We are apolitical, we do not participate in geopolitics ... Our goal is to make money, and not creating problems for society."

But no one is safe from cybercrime, whether the attacker is a shadowy group or tied to a nation-state, whether they want money or data or to paralyze infrastructure. Whether the victim is an individual who opened an email containing malware or a leading technology company.

Earlier this year, Microsoft's popular Exchange email system was the target of hackers tied to the Chinese government. As the company worked feverishly to stay ahead of the hack, it reached crisis proportions affecting tens of thousands of victims and attracting the attention of the White House.

In 2019, Accenture predicted that cybercrime would cost companies $5.2 trillion worldwide within five years. Some 43 percent of attacks were against small businesses, while only 14 percent were prepared to repel them. Hiscox, an insurer, said the average cost of a digital attack was $200,000. That's easily enough to put many small companies out of business; many aren't covered by insurance for cybercrime or can't afford it.

It's a Wild West of sublethal international conflict out there. The weaponized malware called Stuxnet set back Iran's nuclear program in 2009, followed by other cyberattacks; Israel and the United States were seen as carrying them out. Chinese, Russian and North Korean hackers have targeted us, including penetrating government sites and conducting industrial espionage.

It's not a leap to predict that the next major war will be fought heavily in cyberspace. Before the first shots are fired, an opponent might try to blind the enemy's satellites by cybermethods, and use secreted malware that wrecks the capabilities of such advanced weapons as the F-35 Joint Strike Fighter and shuts down the U.S. electrical grid. We, no doubt, would try the same.

The result might be more bloodless than previous wars. Unless, that is, a blinded nation fears it's being targeted for a nuclear strike — then all bets are off.

Longtime readers remember one of my favorite stories about the dangers of techno-magic. In the television series "Battlestar Galactica," Admiral Adama (played by Edward James Olmos) refused to allow his ship to be networked. As a result, the aging Galactica was the only warship to survive the deadly Cylon surprise attack that depended on an advanced, networked fleet.

But in the real world, we're living more than ever online and in the cloud.

President Joe Biden and Congress are under pressure to do more to protect us. The administration is committed to "a global effort" to fight ransomware attacks. That includes criminal prosecutions, going after hacker money laundering, and greater disclosure of breaches.

In 2019, Congress created the Cyberspace Solarium Commission to develop better defenses against major hacks, to prevent "a cyber 9/11." But only about half of its recommendations have been implemented. That fits a pattern of paralysis going back to 2010. Since then the Government Accountability Office has offered 3,300 recommendations for agencies to protect themselves. Yet at least 750 had not been put in place as of 2020.

"Although the federal government has made selected improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country," the GAO said.

And this is only in the federal government, not state or local government, not in the private sector overseeing critical infrastructure. An enormous workload awaits those charged with keeping ahead of cybercriminals.

It's enough to keep you up at night. Or, in the daytime, be extra suspicious of potential malware showing up as a legitimate-looking email.


(c)2021 The Seattle Times. Distributed by Tribune Content Agency, LLC.