Eastern Seaboard Americans actually sat in lines last month waiting to buy gas. For baby boomers and those older, it was a trip down memory lane to the late ’70s when gas shortages were purposefully engineered by oil-producing countries in the Middle East.
This time, the disruption in gas flow was caused by criminals armed with software, not rich men wearing keffiyehs. And now, last week, we learned that it might be tough to buy beef for a little while because crooks have extorted a major meat distributor with ransomware.
Suddenly, Americans are getting a taste of a specific threat the intelligence community and cybersecurity experts have warned about for years: cyber attacks, engineered overseas, can evolve to a point where they interfere with basic services we all depend on.
Make no mistake, we are at a worrisome, if not yet fully dangerous, inflection point.
Up until now, cyber attacks have mostly meant some customer data loss, some identity theft, some fraud losses — all bad but not in the same league of concern that the Colonial Pipeline Company and JBS meat processor attacks foreshadow. Those are a preview of potential coming attractions, a next-level threat that scares the HTML out of security professionals.
In the simplest of terms, think of data technology as two-pronged: software that drives information and software that enables operations — commonly referred to as information technology (IT) and operational technology (OT). IT runs the books; OT runs the factory.
Most criminal cyber attackers target their weaponized software, or “malware,” against IT because that’s where the data that can be monetized resides and most crooks are in it for the money. Plus, IT is more exposed to the internet, the wide tunnel that gets the bad buys into the vault.
OT is less exposed to the internet but that seems to change every day because of convenience and economics. This is scary because OT is a mix of control systems that can be turned on and off. It’s not a good day when a foreign attacker is the one remotely flipping switches from some cubicle overseas.
To be precise, the attack on Colonial Pipeline was directed by criminals at its IT, not its OT infrastructure. However, because the company apparently allowed a certain degree of IT/OT convergence, the IT-focused attack had bad secondary effects for company operations such as keeping gas flowing to where it was needed.
So, while the cyber criminals attacking Colonial Pipeline did not directly start controlling operational processes, their bad acts had the same effect. The villains publicly pretended all this caught them by surprise — but that didn’t stop them from gleefully extorting a whopping ransom from the company.
The intelligence community publicly assessed years ago that hostile intelligence services in Russia, China and possibly Iran have the ability to remotely disrupt our electric grid and delivery of vital goods and services. It is a way for countries that cannot compete militarily with the U.S. to still inflict catastrophic and life-threatening damage on our shores. These government-sponsored actors are restrained only by diplomatic and geopolitical ramifications.
The Colonial Pipeline and JBS attacks disrupt the traditional construct that makes IT attacks the playground of criminals and OT attacks the purview of hostile intelligence services. Criminals now have a taste of how lucrative an OT attack might be. Will we start to see criminals target OT infrastructure more often?
That is certainly the concern of law enforcement and the intelligence community. Attacks on infrastructure by criminals who aren’t deterred by diplomatic niceties changes the game. This concern was reflected in announcements on Friday by the Department of Justice that ransomware extortions will immediately move up the priority stack to equal terrorism. FBI Director Christopher Wray followed up by likening the surge in ransomware hacks to 9/11. These are startling statements that wouldn’t have been issued without the Colonial Pipeline attack. Interesting what some gas station waiting lines will trigger.
Lurking behind all this is a scenario that has our protectors reaching for antacids. Are enemy intelligence services making moves to leverage criminal organizations to attack OT infrastructure, with all its debilitating effects, in a kind of proxy cyber war? This would theoretically allow plausible deniability and complicate direct retaliation.
We do know that the most aggressive criminal hacking groups reside in geographic areas within easy influential reach and with tacit tolerance of Russian and Chinese intelligence services. Security professionals inside and outside our government firmly suspect these intelligence services share developed malware with criminal enterprises for a fee. In addition, there are indicators that enemy intelligence service hackers may freelance with criminal groups to supplement their meager government salaries.
If there is a silver lining within this mess, any forcing function that makes cybersecurity a greater imperative is a good thing since, to date, our cybersecurity results have not been stellar and we’re getting clobbered. We’re spending more money on cybersecurity than ever before and getting attacked more than ever before. What’s wrong with this picture?
At a basic level, evidence suggests we really aren’t serious about cybersecurity. There hasn’t been truly impactful cybersecurity legislation passed in 20 years. Modest regulations to force prudent security practices don’t really exist. Government agencies have suffered jaw-dropping breaches that don’t inspire confidence. Private industry, understandably concerned with business agility, generally won’t spend money on security if they think they can get away with it. More and more, companies and industries are not getting away with it.
Perhaps above all, cybersecurity remains a mystery to even sophisticated businesses. Its ultra-dense jargon is understood by a relatively small population of tech geeks who think Klingon is a romance language. This handicaps corporate executives’ ability to make informed, prudent strategic decisions that would make cybersecurity cheaper and more effective for their companies. Hear this: Cost-effective technology that can stop ransomware and other cyber attacks does exist. We lack, all too often, the knowledge and willpower to implement.
Our miserable COVID-19 year unfortunately exposed an American flank as we shut down large parts of the economy and plunged ourselves into record debt to keep afloat. It laid bare what disruptions of key goods and services looks like. This was not lost on our adversaries. Russia and China can be counted on to assess how our relatively weak cybersecurity posture can be exploited, either directly or through cooperative criminal proxies, to inflict very real and very dangerous damage to existential services such as power, finances and transportation.
We are at a pivot point. Cybersecurity is becoming a greater national security imperative. It’s time to get more serious.
Kevin R. Brock, former assistant director of intelligence for the FBI, was an FBI special agent for 24 years and principal deputy director of the National Counterterrorism Center (NCTC). He independently consults with private companies and public-safety agencies on strategic mission technologies.