The Morning Jolt

National Security & Defense

The Colonial Pipeline Hack: A New Era of Cyberwarfare

Holding tanks at Colonial Pipeline’s Linden Junction Tank Farm in Woodbridge, N.J. (Colonial Pipeline/Handout via Reuters)

On the menu today: a deep dive into what appears to be a frightening new era of cyberwarfare and ransomware — because the Colonial Pipeline hack and extortion was only the highest-profile example this week; this kind of crime and terrorism is taking off like a rocket.

Suddenly, Ransomware Is Everywhere

Apparently, ransomware attacks are like the latest TikTok dance: rapidly growing in popularity and not easily understood by anyone over the age of 30. You’ve heard about the Colonial Pipeline hack. But you probably didn’t hear that Ireland’s health service shut down its computer systems after being hit with a ransomware attack. DarkSide hit Toshiba Corporation and compromised more than 740 gigabytes of information including passports and other personal information. The Washington, D.C., police just suffered the biggest hack of a police force ever, exposing “hundreds of police officer disciplinary files and intelligence reports that include feeds from other agencies, including the FBI and Secret Service.” The city government of Gary, Ind., has to restore and rebuild all of its servers after they were attacked.

And that’s just in the past 24 hours or so.

One of the oddities of the Die Hard movie series is that none of the movies started out with a script for a Die Hard movie; they were all adaptations of scripts for previously written different novels and other movies, and altered to fit the John McClane character.

The fourth movie, Live Free or Die Hard, actually started not as a novel or a screenplay, but as a nonfiction article in Wired magazine. Written in 1997 and titled “A Farewell to Arms,” it laid out the United States’ vulnerability to cyberattacks on its critical infrastructure.

The closing paragraphs of that Wired article warn about the emerging era of information warfare, which “includes electronic warfare, tactical deception, strategic deterrence, propaganda warfare, psychological warfare, network warfare, and structural sabotage”:

When the threat everyone’s talking about is from faceless foreign hackers, terrorists, and bomb makers — why not throw in a few child pornographers — it is a fair bet that paranoid demagoguery will not be absent. It’s happened before: look at the 1950s. The best will lack all conviction, the worst will be full of passionate intensity, and the political fabric will start to fray.

All of which, of course, could sound a lot like what our Chinese friends call “soft destruction.” As William Church says, “The most damaging form of I-war is political war or psychological war.” And pretty much anything can be part of it: power outages, network breakdowns, clever disinformation campaigns — anything “to get the populace to feel that the country is going to hell.”

As we contemplate a brief but intense interruption to the gasoline supply to the East Coast, the fact that law enforcement never developed any leads on those pipe bombs left at the RNC and DNC, mass shootings, the conspiracy theories of QAnon, and all of the other chaotic forces in American life, that 1997 prediction feels . . . unnervingly prescient, doesn’t it? I’ll remind you that a guy who believed in “lizard people” blew up downtown Nashville on Christmas Day. Events that would have once seemed shocking have turned into one-day news stories.

Way back in 2009, I wrote: “cyber-warfare is, generally speaking, more controllable than a biological weapon, doesn’t run afoul of as many established treaties as a chemical weapon, is nowhere near as expensive and visible as a nuclear weapon, and is much harder to attribute than conventional terrorism. It is another asymmetrical tool that allows weaker countries and groups to play on the same field as the big boys.” Earlier in the year, I had attended a gathering of some of the corporate world’s top cybersecurity experts and wonks, and they had shared the familiar potential horror stories about our insecure infrastructure: attacks and shutdowns of electricity grids, air-traffic control, finance and banking, telecommunications, etc.

Lots of people, including most elected officials, can’t quite fully understand the threat of cyberwarfare because they can’t see it. (Most people are visual learners.) One day, a computer system is working as it should, and the next day, it isn’t. There are no masked gunmen, no explosions, no enemy helicopters or hijacked planes. We can see Osama bin Laden and Abu Bakr al-Baghdadi and Qasem Soleimani. Hacker groups such as DarkSide are faceless. And don’t buy into these guys’ spin that they just want money. There are lots of ways to make money. These guys want to make money by threatening, and in some cases creating, chaos.

As I noted after Trump proposed a joint cybersecurity effort with the Russians, “It’s the deniability and ability to ‘mask’ the origin of cyber-attacks that make them particularly tempting for malefactors, rogue states, and hostile superpowers alike. It’s a chance to sucker-punch your foe anonymously. Way back when, one of those cyber-security experts compared cyber-warfare by asking ‘how do you win a boxing match when you’re blindfolded?’ The answer was ‘you put the boxer in a suit of armor.’ The only real way to win the fight is to harden your defenses until they’re impenetrable and no one wants to step into the ring with you.”

It seems fair to wonder whether a sustained and impregnable wall of cybersecurity is possible. Hackers develop new tricks, which spurs institutions to develop new firewalls, which spurs the hackers to throw away their old tricks and try new ones, until one works. And if a lasting, impregnable firewall is possible, the U.S. federal government does not seem to be the institution most likely to quickly adopt new technologies and innovations.

Back during the “Russia hacked the election results!” panic in December 2016, I went back and looked at the little-discussed cyberattacks upon federal-government systems over the previous two years:

In 2014, the U.S. Postal Service “suspended telecommuting for employees while it works to remediate a network intrusion that has exposed data on some 800,000 postal workers and an additional 2.9 million customers.”

Also in 2014, a private firm that performs background checks for U.S. government employees suffered a hack that “compromised data of at least 25,000 workers, including some undercover investigators.”

Also that year, China hacked the National Oceanic and Atmospheric Administration and the National Weather Service, requiring the agencies to seal off data vital to disaster planning. A review determined that the agency did not notify the proper authorities when it learned of the attack.

In 2015, the IRS “disclosed a massive security breach that allowed hackers to obtain detailed tax-return information on 104,000 taxpayers.” In 2011, the Treasury Department’s Inspector General found the IRS did not have an adequate “screening process” nor adequate “minimum requirements” to ensure security and privacy.

The biggest hack of them all, at the Office of Personnel Management, involving the personnel records and security clearance files of 21.5 million federal employees. In March 2014, OPM became aware of a partially successful Chinese hack into its systems. In July, after a New York Times report, OPM director Katherine Archuleta publicly denied that any hack had occurred: “We did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data.”

That was not only a lie, it represented blind denial of just how bad the consequences were. The information stolen basically amounts to a “how-to” guide for blackmailing federal employees with security clearances, with the confidential records including the intimate personal details of federal workers’ infidelity, drug abuse, and personal debts uncovered during the background-check process.

In February, an unknown hacker published contact information for about 20,000 FBI employees and threatened to publish information on another 9,000 Department of Homeland Security employees.

The general public doesn’t pay attention to this stuff until there’s no fuel in any of the area gas stations. And a lot of people in government prefer it this way; greater awareness of cybersecurity failures would undermine public confidence in the government, possibly start a panic, and encourage copycats.

Why have ransomware attacks increased 62 percent in just two years? One big reason is the pandemic; people working from home created bigger, broader, more spread-out networks for institutions, giving the hackers more potential metaphorical cracks and crevices to sneak through. And the pandemic, quarantine, lockdowns, and social distancing made people, companies, and governments more dependent upon the Internet and computer networks than ever.

But it’s hard to shake the sense that this sort of crime flourishes when the potential risk is low and the potential reward is high. Hackers on foreign soil are unlikely to get SEAL Team Six kicking down their door, or a pair of 500-pound bombs coming through their roofs like Abu Musab al-Zarqawi. Maybe they’ll get tracked down and arrested.

We now know that Colonial Pipeline got the oil flowing again by paying the ransom. Yesterday, at the White House:

Q: One more, Mr. President? Just one more on the ransom: Were you briefed on the fact that the company did pay the ransom?
THE PRESIDENT: I have no comment on that. Thank you.

On Monday, Deputy National-Security Adviser for Cyber and Emerging Technologies Anne Neuberger made an odd comment:

Q: Did you — would the administration offer any advice on whether or not to pay a ransom?
MS. NEUBERGER: So, typically, that is a private-sector decision, and the administration has not offered further advice at this time.  Given the rise in ransomware, that is one area we’re definitely looking at now to say, “What should be the government’s approach to ransomware actors and to ransoms overall?”

As Charlie Cooke asked, “In what universe is this primarily a ‘private sector decision’? And in what universe does the Biden administration, which seems to want pretty much every aspect of American life to fall under the purview of the state, believe that ransom demands made against core energy infrastructure is outside of its remit?”

From those comments from Biden and Neuberger, we don’t know that the president and his team encouraged Colonial Pipeline to pay the ransom, or tacitly supported the company’s metaphorical surrender. But the administration certainly doesn’t seem all that opposed to Colonial Pipeline sending the money, now, do they? If the administration thinks paying the ransom is a bad idea that will only encourage more ransomware attacks, it’s been awfully quiet about those objections. Keep in mind, when Texas suspended its statewide mask mandate, Biden quickly labeled that “Neanderthal thinking.” But a big U.S. pipeline company sends $5 million to a bunch of Russian hackers, and Biden is suddenly tight-lipped and reluctant to criticize.

Paying the ransom is always the easier answer in the short term — but it’s an answer that sets you up for worse problems in the long term. You have to wonder if the flourishing of ransomware is a consequence of annual accumulations of short-term thinking. Apparently, the U.S. government has had different public and private policies for a while now: “For example, the FBI’s standing guidance is that victims should not pay a ransom in response to an attack in order to discourage perpetrators from targeting more victims. But multiple sources have previously told CNN that the FBI will, at times, privately tell targets that they understand if they feel the need to pay.”

If the U.S. government’s stance is to publicly insist no one should ever pay ransomware, and then with a wink-and-a-nod acceptance and/or encouragement of paying ransom . . . why would anyone be surprised that ransomware is becoming more common?

Finally, as David Harsanyi observes, it feels really odd to see Joe Biden going before the cameras and repeatedly insisting that as far as the U.S. government knows, Vladimir Putin and the Russian government had nothing to do with this.

ADDENDA: If you’re not reading Jimmy Quinn on the publication of a letter in Science calling the COVID lab-leak theory “viable,” you’re missing out. Come to think of it, if you’re not reading Jimmy Quinn period, you’re missing out.

Oh, and the suits are offering a subscription to NRPlus and the magazine for $1.25 a week for a year, which feels like the kind of deal that might be a misprint or something, so grab it before someone notices. For perspective, one copy of the weekday print edition of the New York Times is three dollars!


The Latest