Companies and the government need to confront cyberattacks before an unmanageable disaster arrives.
Visit Colonial Pipeline’s corporate website and you’ll learn that the Alpharetta, Georgia, energy company is “committed to EXCELLENCE” and that “safety, environmental stewardship, and first-class customer service” drive its operating philosophy.
What you won’t find — unless you navigate to the bottom of the home page and click on “News & Media” — is any mention that the company that operates the largest refined fuels pipeline in the U.S. was brought to its knees by computer hackers Friday. That’s understandable, because it’s likely that Colonial still doesn’t completely understand what hit it.
In a brief statement Saturday, Colonial said it learned the previous day that hackers were trying to extort it using ransomware. In response, the company shut down its pipeline and some information technology systems and hired cybersleuths to sort out the damage. It offered more of the same Sunday evening, while also disclosing that the Department of Energy had joined a federal law enforcement investigation of the attack. Other than noting that its main lines were still closed, Colonial didn’t offer much clarity about when it would be back in business (which has left oil traders on edge and scrambling for alternatives).
Companies have their reasons for going mum when hacked, of course. They’re worried about reputational damage. If publicly traded, they also fear possible negligence lawsuits from investors (Colonial is privately held). But in an era in which nation-states and roving freelancers alike have turned rival governments, corporations, schools and universities, hospitals, research labs, fire and police departments, and other institutions into digital piñatas, hunkering down only perpetuates the problem.
Colonial may be making the rounds as I write, spilling the beans about its hack to competitors in the energy industry and to outside investigators. I don’t imagine it is, though. During a Senate Intelligence Committee hearing in February about the massive SolarWinds Inc. burglary orchestrated by Russian operatives, Microsoft Corp.’s president, Brad Smith, and other corporate insiders said one of their biggest frustrations in battling cyberattacks is that information is scattered among private and public stakeholders who don’t freely share it with one another.
All of the bad reasons for holding onto information about a cyberattack — embarrassment, competitiveness, incompetence — only make it that much harder to prepare for and surmount the next one.
While the SolarWinds attack brought to the fore how sophisticated and aggressive countries such as Russia, China, North Korea and Iran are about waging cyberwarfare, the Colonial intrusion didn’t, apparently, involve state actors. It was the handiwork of a cybercrime gang called DarkSide, according to Bloomberg News. Many of these freelancers — including other ransomware operatives such as REvil, Maze and Ragnar Locker — may be state-sponsored anyhow, making such distinctions irrelevant.
Even so, DarkSide — if it was simply acting as an independent grifter — still pulled off an attack that shuttered a pipeline system traversing some 5,500 miles, according to Colonial. The company says it provides 45% of all fuel that the East Coast consumes and supplies 50 million Americans and the U.S. military with everything from gasoline and jet fuel to home heating oil and diesel. The shutdown has a whiff of the apocalyptic about it, and is the stuff that gives national security experts nightmares.
It is also the kind of action the U.S. has shied away from taking in response to state-sponsored attacks such as SolarWinds. Targeting transit lines and energy grids worries diplomats, the military and the national security community because it harms average citizens alongside corporate or government targets and can lead to escalations. Yet here we are. The Joe Biden administration, pressured in the wake of the SolarWinds attack to respond decisively to Russia, said it is examining the Colonial matter closely.
A group of five partnerships own Colonial. How closely was their company monitoring its own systems? Colonial has been shut down by hurricanes in the past, as well as what it has described as “integrity” issues in its pipeline network. The company also was responsible for a huge spill of at least 1.2 million gallons of gas in a North Carolina nature preserve last year. This is the first time, apparently, that hackers have shuttered its operation. How well the company is managed will draw greater scrutiny in coming days.
The hack is only the latest and most serious of many attacks directed at energy infrastructure worldwide. As my colleague Liam Denning observed, the vulnerability of all energy networks is one of the top-drawer issues of the 21st century. But that vulnerability extends to almost all facets of our public, private, business and social lives now, given how dependent we are on digital networks and on how they knit us together globally.
Companies and the government should do a better job of insulating those networks by being transparent, communicative and proactive about threats. At some point, the wake-up calls will morph into unmanageable disasters.