Close this search box.

Colonial Pipeline cyberattack highlights U.S. ignorance


Colonial Pipeline cyberattack highlights U.S. ignorance

The ransomware attack on the nation’s biggest fuel pipeline is pressuring officials to address how to stop debilitating hacks.

The Colonial Pipeline Co. Pelham junction and tank farm in Pelham, Alabama.

(Bloomberg) — The ransomware attack that shut down the nation’s biggest fuel pipeline prompted an all-too-familiar question in the corridors of power in Washington and boardrooms across the country: Can anyone stop debilitating hacks?

The recent assault on Colonial Pipeline Co. was a particular affront. Not only did it disrupt fuel distribution on the East Coast, but it also followed an effort by the Biden administration to act against cybercrime — especially ransomware, where criminals remotely disable a computer system and demand payment. Colonial was hit on day 37 of a 60-day push by the Department of Homeland Security to confront such attacks.

The administration’s campaign is the latest in a long series of cyber strategies offered by presidents and lawmakers from both parties to curb hackers. For years, security experts have offered concrete recommendations for governments, companies and other organizations to follow to ward off cyberattacks, but they’re often ignored or punted in favor of more pressing concerns.

“There has to be a different way of approaching this if we are going to stop this plague,” said Philip Reiner, chief executive officer of the Institute for Security and Technology. Reiner’s group recently offered 48 actions the Biden administration and the private sector could pursue against ransomware.

The Colonial Pipeline was idled for the third consecutive day on Monday, May 10, as fuel suppliers increasingly worry about the possibility of gasoline and diesel shortages along the U.S. East Coast. The company said Monday it expects the pipeline to be “substantially” back in operations by the end of the week.

While President Joe Biden recently imposed sanctions on Russia over the hack of SolarWinds Corp., the threat of retaliation or prosecution from the U.S. holds little deterrence — at least so far. Many criminal hackers reside in countries that ignore them or tacitly approve of their behavior. Actions to punish state-sponsored hacking groups, including sanctions and indictments, have previously done little to counter the assaults.

The list of recent cyberattack targets reflects both the sophistication and brazenness of the hackers. In government, the victims include the Department of Homeland Security, the Illinois Attorney General’s Office, even the Washington, D.C., police department. In the private sector, hackers infiltrated big tech companies like Microsoft Corp., the cybersecurity firm FireEye Inc., San Diego-based Scripps Health and even the Houston Rockets of the National Basketball Association.

While Homeland Security advises critical infrastructure operators on risk management, private industry is still responsible for securing its own networks. The result is uneven protection: Some companies, including major banks, have invested heavily in cybersecurity. But many others have followed a pattern of ignoring or minimizing the need for safeguards, which can be costly and easy to defer.

Recent cyberattacks against Twitter and SolarWinds occurred after security employees warned about weaknesses in the companies’ defenses.

Preventing a ‘cyber 9/11′

The problem is particularly troubling for companies that operate critical infrastructure. Initiatives to enhance the security of the operational controls used to run the U.S. electrical grid and other energy infrastructure are years behind better-known efforts to shield data centers and corporate systems, experts say.

In the federal government, the non-partisan Government Accountability Office alone has issued some 3,300 recommendations since 2010 for agencies to address vulnerabilities, yet at least 750 had not been implemented by the end of last year.

“Although the federal government has made selected improvements, it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country,” the GAO warned in March.

In 2019, Congress created a special group called the Cyberspace Solarium Commission specifically to come up with a better, more comprehensive plan to fight back against major hacks. The commission made 52 legislative recommendations in a report last March; Congress has enacted 25 of them so far; roughly 10 of 30 non-legislative recommendations have been implemented.

Angus King. (Photo: Bloomberg)

“The Cyberspace Solarium Commission was envisioned to be ‘the 9/11 commission that averts a cyber 9/11,’” the commission’s co-chairs, Senator Angus King, Independent of Maine, and Representative Mike Gallagher, a Wisconsin Republican, said in a statement after the Colonial breach.

“One of the gravest lessons from the terrorist attack 20 years ago was that it was a failure of imagination,” they said. “America can and must be better — we must be imaginative and proactive in navigating the threats of the age of cyber aggression.”

A divided Congress

In the aftermath of the Colonial Pipeline attack, Biden and a bitterly divided Congress will be under pressure to mandate greater disclosure of breaches and costly network protections that have been thwarted in the past.

“My administration takes this very seriously,” Biden said Monday (May 10), as he committed to “a global effort” to combat ransomware attacks, including criminal prosecutions and efforts to disrupt money-laundering operations associated with the hackers.

The White House had already moved to strengthen collaboration between U.S. national security agencies and power utilities, with a plan for rolling out better technology to detect hacks of industrial control systems that run the nation’s power systems.

The administration is also finalizing an executive order that would set basic cybersecurity standards for the federal government, including multifactor authentication of users.

There’s widespread consensus that better coordination between the government and private industry is needed to bolster the nation’s cyber defenses. But it isn’t as easy as it seems.

A major challenge is simply sharing information. The federal government itself is limited in how much it can tell companies about potential threats, and industry leaders have complained they are too often left in the dark.

Despite years of hand wringing about the need for government and companies to collaborate better, “it has yet to really occur,” said Mike McKenna, a former senior White House official with energy and cybersecurity clients.

Coordination deficit

“The industry tends to be impaired because it does not have real-time access to what the government knows, and government tends to be impaired because, with a very few exceptions, they don’t actually have cybersecurity capabilities,” McKenna said.

Companies face numerous obstacles to revealing their own breaches, including fears that they will be slapped with shareholder lawsuits if they disclose an attack too soon. But rapidly informing regulators about possible breaches and the digital fingerprints hackers have left behind can be critical to identifying and preventing other intrusions.

“There are still potential risks that companies take in sharing the information,” said Suzanne Spaulding, a former Homeland Security official who now is a senior adviser at the Center for Strategic and International Studies.

One option for Congress is removing some legal liability, which could encourage companies to disclose cyberattacks swiftly. But if Congress goes too far to shield companies, it could remove pressure for them to harden their defenses, Spaulding said.

“It’s a delicate balance,” Spaulding said. “It’s hard, finding that right formula for maintaining the incentive to do the right thing while figuring out how to incentivize them to share the information.”

James Lewis, senior vice president at the Center for Strategic and International Studies, said people generally don’t take the risk of a cyberattack as incentive enough to take action.

“We’ve been wrestling with this thing for a decade or so now, and the answer is, market forces alone aren’t going to push people to do the right thing,” he said.

“We’ve learned the hard way that there are some basics that make it very hard to get hacked,” Lewis said. “Most people don’t do it.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Related posts


Specific Technologies Driving Insurtech Investment in 2024

Understanding the Funding Decline The decrease in funding does not necessarily spell trouble for the insurance sector but instead highlights a strategic shift, the report suggests. “The insurance industry, like many sectors, is focusing on the most promising ventures with substantial insurance potential,” the report explains. “Insurers are directing their investments toward key areas and current trends such as embedded insurance, employee benefits, and cyber risk management. This strategic investment approach signals a forward-looking mindset within the industry.” Three Key Insurtech Trends for 2024 The report identifies three major trends shaping insurtech investments in 2024: Public Insurtech Companies: Financial and Growth Strategies The report also notes that public insurtech companies are prioritizing revenue growth as their main goal. These firms are restructuring their financial strategies to boost cash flow and capitalize on rising revenue streams. Their growth prospects are supported by expanding asset portfolios and strong market demand. “Public insurtech companies are focusing on revenue growth and optimizing their financial frameworks to increase cash flow,” the report states. “The growth potential for these companies is driven by increasing revenue opportunities, broadening asset bases, and a robust market for their services.” In summary, while global insurtech funding saw a decline in 2023, the industry’s focus on GenAI, digital process management, and connected insurance technologies is setting the stage for a dynamic and forward-looking 2024.

Read More

Insurer Secures Unanimous Supreme Court Victory in New York Choice of Law Dispute

In the world of sports, a clean sweep, a shutout, or a perfect game is the ultimate achievement. In the legal arena, a unanimous decision from the U.S. Supreme Court is equally rare and significant. In a notable legal triumph, Great Lakes Insurance SE achieved a unanimous 9-0 victory in the Supreme Court on February 21, 2024. This victory follows a protracted legal battle that began in the District Court of Pennsylvania, advanced to the U.S. Court of Appeals for the Third Circuit, and culminated in the Supreme Court’s decisive ruling. Background of the Case: Great Lakes Insurance SE v. Raiders Retreat Realty Company The heart of the dispute was the insurance contract’s clause selecting New York law to govern any future legal conflicts. Although the financial implications of this case were relatively minor compared to the broader marine insurance industry, the insurer’s determination to uphold a crucial maritime legal principle has significant long-term implications for marine insurance. Faced with the insured’s counterclaims—including allegations of breach of fiduciary duty, insurance bad faith, and violations of Pennsylvania’s Unfair Trade Practices Law—the insurer was confronted with serious risks. Such claims could lead to the shifting of attorney’s fees, treble damages, and more, which might normally encourage insurers to settle rather than risk pursuing justice. However, Great Lakes Insurance, supported by The Goldman Maritime Law Group, opted to challenge the Third Circuit’s decision and seek clarity from the Supreme Court. Supreme Court Ruling: A Landmark Decision In a landmark ruling, Justice Brett Kavanaugh affirmed that choice of law provisions in maritime contracts should be upheld by default. This ruling is a major victory for establishing a consistent federal standard in maritime law and avoiding a patchwork of state laws that could complicate marine insurance disputes. The Supreme Court’s decision overturned the Third Circuit’s earlier judgment, which had questioned whether Pennsylvania’s public policy concerns might override the insurance contract’s choice of New York law. By upholding the New York choice of law clause, the Supreme Court eliminated the extra-contractual bad faith claims under Pennsylvania law, thereby ensuring that the dispute could be resolved based on the merits of the insurance claim itself. Significance of the Supreme Court’s Decision This ruling represents a significant advancement in maritime law, affirming that choice of law clauses in maritime contracts are generally enforceable. The decision establishes a clear, uniform legal framework for resolving maritime contract disputes, which will streamline the process and ensure fair adjudication of future insurance claims. Justice Clarence Thomas’s concurring opinion was particularly notable for its criticism of the 1955 Wilburn Boat v. Fireman’s Fund Insurance decision, which had previously influenced maritime insurance law. Thomas argued that Wilburn Boat was incorrectly decided and stressed that a uniform and enforceable set of rules is essential for the development of maritime law. Impact on the Marine Insurance Industry The Supreme Court’s decision sets a “bright-line” rule affirming that choice of law clauses are valid unless there is a strong argument against the selected jurisdiction. By endorsing New York’s insurance laws as a reasonable choice, the ruling supports a more consistent and predictable legal environment for marine insurers. This decision represents a major step forward in maritime law, helping insurers better assess risks, determine premiums, and ensure fair and efficient resolution of maritime insurance disputes.

Read More
Try your instant quote