In America, we tend to take gasoline for granted. It’s been 42 years since the oil crisis of 1979, when price spikes and long lines at the pump were commonplace. Most drivers on the road today are too young to have waited in those lines. We assume that when we drive to the gas station, gas will be there.
This May, we got a wake-up call. A ransomware attack on Colonial Pipeline, the largest pipeline in the United States responsible for delivering nearly half of the fuel consumed on the East Coast, forced a system shutdown. Fuel shortages and panic stockpiling ensued throughout the region. In my home state of North Carolina, nearly two-thirds of the state’s gas stations ran out of fuel, and constituents reported lines at the pump a mile long. We learned a dramatic lesson about the painful real-world consequences of cyberattacks.
Ransomware is a type of malware that, once a malicious actor has gained a foothold in a company's network, encrypts its files and systems and renders them unusable unless a ransom is paid. Hackers may also steal private data from the company and threaten to leak it, or use other methods to shut down a company's network and force its leadership to negotiate.
This is not a new threat. The FBI is currently tracking over 100 different types of ransomware, each with multiple known victims. For years, hackers have used these tools to seek profit by holding hostage our hospitals, schools, state and local governments, police departments, and private businesses.
However, the attacks on Colonial Pipeline, the food processing company JBS weeks later, and now the attack this month on the technology company Kaseya, which is being reported as the biggest known ransomware attack on record, represent a dangerous escalation. In the early days of ransomware, an attacker might target a small company and demand a ransom of a few hundred dollars. Now, the number of victims and the dollar amounts demanded by hackers both measure in the millions. Often, these attacks succeed not because our enemies are out-maneuvering us, but because there are so many vulnerabilities left unsecured for exploitation. Colonial Pipeline, for instance, was likely compromised through a leaked password for a legacy VPN account that was not protected by multi-factor authentication.
The time has clearly come for the federal government to take on a larger role in the growing fight against cyber criminals.
Thankfully, our nation’s law enforcement agencies are already hard at work holding hackers accountable. On June 7, the Department of Justice’s Ransomware and Digital Extortion Task Force announced that it had recovered over half of the $4.4 million Colonial Pipeline ransom, an incredible success for an organization created just months ago.
We also have a powerful but under-appreciated weapon in the federal research enterprise. I serve on the House Committee on Science, Space and Technology, which oversees the National Institute of Standards and Technology (NIST). The same organization that brought us the nation's first fully operational stored-program electronic computer and the atomic clock now operates the NIST National Cybersecurity Center of Excellence, our nation's brain trust for developing standards and best practices for cybersecurity. NIST is working around the clock to understand new cyber threats as they emerge and to issue new guidelines to the public and private sectors alike on how to prevent and recover from cyberattacks.
Every business owner in this country has a lot to lose if their systems are breached by ransomware, but not every business has a full-time cyber defense expert on its payroll. That is why I am working with my colleagues in Congress to provide our federal cybersecurity agencies, like NIST, more resources to help businesses protect themselves from ransomware. NIST should do everything it can to make its guidance as user-friendly and accessible as possible, especially for industries and companies that don’t specialize in cybersecurity. It’s also imperative that business leaders and IT professionals take a fresh look at their vulnerability to ransomware threats and utilize NIST guidance as they do so.
In addition, the federal government should consider instituting mandatory cybersecurity standards for critical sectors. Shortly after the Colonial Pipeline attack, the chairman of the Department of Energy’s Federal Energy Regulatory Commission (FERC) issued a statement calling for mandatory pipeline cybersecurity standards comparable to those already in place for our bulk electric system. Similarly, in May, the Department of Homeland Security’s Transportation Security Administration issued a Security Directive that would require pipeline operators to report cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and to designate a cybersecurity coordinator. Congress and federal agencies must continue to pursue a multi-pronged approach that will keep us prepared for and able to respond to future attacks.
Hackers will continue to attack and hold American industries hostage as long as they quickly receive ransom payments and suffer minimal repercussions for committing their crimes. We all have a role to play in making it harder for them to succeed. With enhanced cooperation between federal authorities and the private sector, we can better secure our country — networks, pipelines, meatpacking plants, and small businesses alike — against the growing threat of ransomware attacks.
Deborah Ross represents the 2nd District of North Carolina and is a member of the House Committee on Science, Space and Technology.