For years, government officials and industry executives have run elaborate simulations of a targeted cyberattack on the power grid or gas pipelines in the United States, imagining how the country would react.
But when the real moment came, and it was not an exercise, it looked nothing like the war games.
The attacker was not a terrorist group or a hostile state like Russia, China or Iran, as had been assumed in the simulations. It was a criminal extortion ring. The goal was not to disrupt the economy by taking a pipeline offline, but to hold corporate data for ransom.
The most visible effects – long lines of nervous motorists at gas stations – did not stem from a government response but from a decision by the victim, Colonial Pipeline, which controls nearly half of the gasoline, jet fuel and diesel flowing along the East Coast, to turn off the tap. It did so out of fear that the malware that had infected its back-office functions could make it difficult to bill for fuel delivered along the pipeline, or could even spread into the pipeline’s operating systems.
What happened next was a vivid example of the difference between tabletop simulations and the cascade of consequences that can follow even a relatively unsophisticated attack. The aftermath of the episode is still playing out, but some of the lessons are already clear and show how far the government and the private sector must go in preventing and managing cyberattacks, and in creating rapid backup systems in the event of a disastrous failure of critical infrastructure.
In this case, the long-held belief that pipeline operations were completely isolated from the data systems locked up by DarkSide, a ransomware gang believed to be operating out of Russia, turned out to be false. And the company’s decision to shut the pipeline set off a series of dominoes, including panic buying at the pump and a quiet fear within government that the damage could spread quickly.
A confidential assessment prepared by the energy and homeland security departments found that the country could afford only an additional three to five days of the Colonial pipeline shutdown before buses and other public transport would have to limit their operations because of a lack of diesel fuel. Chemical plants and refining operations would also close, as there would be no way to distribute what they produced, according to the report.
And although President Joe Biden’s aides announced efforts to find alternative means of transporting gasoline and jet fuel to the East Coast, none were immediately in place. There was a shortage of truck drivers and tank cars for the trains.
“Every fragility has been exposed,” said Dmitri Alperovitch, who co-founded CrowdStrike, a cybersecurity firm, and chairs the Silverado Policy Accelerator think tank. “We learned a lot about what could go wrong. Unfortunately, so did our opponents.”
The list of lessons is long. Colonial, a private company, may have thought it had an impenetrable protective wall, but it was easily breached. Even after paying the extortionists nearly $5 million in digital currency to retrieve its data, the company found the process of decrypting that data and restarting the pipeline to be extremely slow, which means it will still take days before the East Coast returns to normal.
“It’s not like flipping a light switch,” Biden said Thursday, noting that the 5,500-mile pipeline has never been closed before.
For the administration, the event turned into a perilous week of crisis management. Biden told his aides, one recalled, that nothing could do political damage faster than television footage of lines at gas stations and rising prices, with the inevitable comparison to the worst moments of Jimmy Carter’s presidency.
Biden feared that unless the pipeline resumed operations, the panic subsided and the price hike was nipped in the bud, the situation would fuel fears that the economic recovery was still fragile and that inflation was rising.
Beyond the wave of actions to get oil flowing on trucks, trains and ships, Biden issued a long-lasting executive order that, for the first time, seeks to force cybersecurity changes.
And he suggested he was prepared to take action the Obama administration hesitated to take during the 2016 election hacks – direct action to retaliate against attackers.
“We will also pursue a measure to disrupt their ability to function,” said Biden, a line that appeared to imply that the US Cyber Command, the military’s cyber-war force, was authorized to take DarkSide offline, as it did for another ransomware group in the fall before the presidential election.
Hours later, the group’s websites went dark. On Friday morning, DarkSide and several other ransomware groups, including Babuk, which hacked into the Washington DC Police Department, announced they were exiting the game.
DarkSide hinted at disruptive action by an unspecified law enforcement agency, although it is not clear whether this was the result of US action or of pressure from Russia ahead of the expected Biden summit with President Vladimir Putin. Going quiet may also simply reflect a decision by the ransomware gang to thwart retaliatory efforts by shutting down operations, perhaps temporarily.
Pentagon Cyber Command referred questions to the National Security Council, which declined to comment.
The episode underscored the emergence of a new “mixed threat,” one that can come from cybercriminals but is often tolerated, and sometimes encouraged, by a nation that sees the attacks as serving its interests. That is why Biden pointed at Russia not as the culprit, but as a nation that harbors more ransomware groups than any other country.
“We don’t think the Russian government was involved in this attack, but we have good reason to believe that the criminals who committed this attack are living in Russia,” Biden said. “We have been in direct communication with Moscow on the imperative for the countries responsible to take action against these ransomware networks.”
With DarkSide’s systems down, it is unclear how the Biden administration would retaliate further, beyond possible charges and penalties, which had not deterred Russian cybercriminals before. Responding with a cyberattack also carries its own escalation risks.
The administration must also take into account that much of America’s critical infrastructure is owned and operated by the private sector and remains ripe for attack.
“This attack revealed how poor our resilience is,” said Kiersten E. Todt, CEO of the nonprofit Cyber Readiness Institute. “We are overthinking the threat, when we are still not doing what is necessary to secure our critical infrastructure.”
The good news, some officials say, is that Americans have received a wake-up call. Congress was faced with the reality that the federal government does not have the power to require companies that control more than 80% of the nation’s critical infrastructure to adopt minimum levels of cybersecurity.
The bad news, they said, was that America’s adversaries – not only the superpowers, but also terrorists and cybercriminals – have learned how little it takes to sow chaos in much of the country, even if they do not penetrate the heart of the electricity grid or the operational control systems that move gasoline, water and propane across the country.
Something as basic as a well-designed ransomware attack can easily do the trick, while still offering plausible deniability to states like Russia, China and Iran that often use third parties for sensitive cyber operations.
How DarkSide broke into Colonial’s commercial network remains a mystery. The private company has said virtually nothing about how the attack unfolded, at least in public. It waited four days before having substantive discussions with the administration, an eternity during a cyberattack.
Cybersecurity experts also note that Colonial Pipeline would never have had to shut down its pipeline had it been more confident in the separation between its commercial network and its pipeline operations.
“There absolutely should be a separation between data management and actual operational technology,” Todt said. “Not doing the essentials is frankly inexcusable for a company that transports 45% of gas to the East Coast.”
Other pipeline operators in the United States are deploying advanced firewalls between their data and operations networks that allow data to flow in only one direction, out of the pipeline, and would prevent a ransomware attack from spreading.
Colonial Pipeline has not said whether it has deployed this level of security on its pipeline. Industry analysts say many critical infrastructure operators maintain that installing such one-way gateways along a 5,500-mile pipeline can be complicated or prohibitively expensive. Others say the cost of deploying these safeguards is always less than the losses from potential downtime.
Deterring ransomware criminals, who have grown in number and audacity over the past few years, will certainly be more difficult than deterring nations. But this week has clearly shown the urgency.
“Everything is fun and entertaining when we steal money from each other,” Sue Gordon, former senior deputy director of national intelligence and longtime CIA analyst for cyber issues, said at a conference hosted by The Cipher Brief, an online intelligence newsletter. “When we compromise a society’s ability to function, we cannot tolerate it.”
This article originally appeared in The New York Times.
© 2021 The New York Times Company