Pipeline Shutdown Shows Need for Tougher Cybersecurity Laws

 

The six-day shutdown of a key 5,550-mile fuel pipeline earlier this month as a result of a malware attack proved a case study of everything that can go wrong when the private sector, which regulates critical sections of American infrastructure, fails to prioritize cybersecurity and the government lacks the resources to properly deter cyberattacks and manage the fallout. 

Colonial Pipeline's response to a recent hacker attack was fast and comprehensive. The private company turned off the supply of nearly half of the East Coast's oil, diesel, and jet fuel, which had never been done before. Long lines formed at gas stations from Washington, D.C., to Florida as a result of a combination of fuel shortages and panic buying. Stopovers were added to US air travel routes to enable planes to refuel in central and northern states. 

Colonial Pipeline was the victim of a ransomware attack by a group of Eastern European cyber bandits known as DarkSide, which extorted $4.4 million from the company as it rushed to reclaim control of its information management infrastructure and ensure the hackers had not breached the pipeline's operating system. The pipeline was eventually brought back online, and DarkSide discontinued operations However, the most serious harm had already been done: The incident demonstrated how simple it was to put a large portion of American infrastructure to a halt with a cyberattack that was as sophisticated as a pickpocketing. 

President Biden responded by signing an executive order that would provide incentives for IT service providers to share data share about cybersecurity vulnerabilities and breaches with the government. The order also establishes a cybersecurity safety review board with jurisdiction similar to the National Transportation Safety Board, which investigates airline and railroad safety accidents and makes security recommendations. 

However, Congress should impose mandatory reporting regulations requiring private sector companies in charge of sections of the nation's vital infrastructure to report possible and actual violations so that the government and industry can respond more quickly to minimize the consequences. A bill like this has been discussed in Congress for more than a decade, but it has yet to become law. 

Senator Angus King, who is co-chair of the Cyberspace Solarium Commission, established by Congress to bolster US cybersecurity protections, stated in an interview, “We need to build a structure that facilitates and supports open communication and trust, between this critically important infrastructure and the government in order for the government to be able to help.” 

Because of the vast number of phishing or other low-level security breach attempts they face, private sector companies are sometimes unable to disclose sensitive details regarding cybersecurity vulnerabilities or risks for fear of civil liability. The carrots to the mandatory reporting requirement's stick, according to King, will be liability protections and carefully restricting and identifying what counts as reportable accidents. 

A lot needs to be done to ensure the cybersecurity of our country's vital infrastructure which includes enforcing more structured federal oversight in place of the current multi-agency approach, which can be cumbersome, redundant, and slow; holding Russia responsible not just for its own cyber espionage but also for sheltering other cyber attackers within its borders; and tightening the federal government's own cybersecurity, which was discovered to be vulnerable last year by the SolarWinds hack.