The Colonial Pipeline attack should be a wake-up call for hardening our cyber defenses
The Biden administration recently issued an emergency declaration to lift regulations on drivers carrying fuel in 17 states after the Russian cybercrime group DarkSide launched a cyber attack on Colonial Pipeline. The largest fuel pipeline in the U.S., Colonial Pipeline was forced to shut down its networks entirely.
The FBI confirmed that DarkSide ransomware was responsible for compromising Colonial Pipeline’s operations. DarkSide hacked into the network, encrypted files to deny Colonial Pipeline access to them, and extorted a reported $5 million bitcoin payment from the company to restore service.
Its critical and highly vulnerable infrastructure under attack, the U.S. was in an incident-response phase to the right of boom. Facing gas shortages and price increases, our citizens should expect alarm bells to be ringing in the White House, which should consider this attack — even if by now we have gotten past the immediate repercussions — a clarion call to harden our defenses, lest we be attacked even more viciously in the future.
Ransomware most often results from an employee unwittingly accepting malware, which blocks access to the victim’s data until a payment is made. Ransomware attacks usually involve a “Trojan horse” disguised as a legitimate document or file, which the user opens or downloads from a seemingly innocuous email attachment.
Sometimes ransomware involves a malicious insider, who provides access to the enterprise’s systems in return for some form of remuneration.
Colonial Pipeline is conducting the forensics to determine just how this costly attack was carried out. Its results should be shared as widely as possible, including with relevant law enforcement authorities and private-sector enterprises.
Russian intelligence has long had a symbiotic relationship with cyber hackers, who refrain from attacks inside Russia, where they reside. In the case of the Colonial Pipeline attack, the U.S. Intelligence Community (IC) is on the hook to collect on a spectrum of possibilities ranging from the Kremlin simply allowing DarkSide to homestead on its territory to ordering the attack as revenge for coercive policy measures, including sanctions.
Intelligence analysis can be like assembling a jigsaw puzzle, in which some of the pieces are part of a different puzzle and others are missing altogether. There is always great value in sharing intelligence on cyber attacks, especially with our closest allies. The CIA makes analytical judgments with levels of low, medium or high confidence. There is no such thing as 100 percent certainty, but the closer the better, especially in anticipation of an upcoming June summit between Presidents Biden and Putin.
There are also at least three key measures that should be taken:
First, intelligence is first and foremost about detecting indications and warnings, to preempt threats before they are visited on our shores or, in the case of Colonial Pipeline, on our critical infrastructure. The IC has demonstrated a sophisticated ability to find, fix and finish non-state actor terrorists. A similar paradigm should be considered for cyber hacking groups, which present the greatest threat to our nation.
Deterrence happens only when an enemy is met with a strong defense and the real threat of counterattack, which is severe enough to induce a change in the enemy’s risk calculus. U.S. Cyber Command took a major step forward to this end, reportedly by disrupting the Russian Internet Research Agency prior to the 2018 midterms as part of an offensive cyber campaign.
And we also need to hold nations — including Russia when appropriate — accountable for giving our cyber adversaries the sanctuary they need to plot against us.
Second, cyber-savvy companies rightly focus on prevention during the pre-attack phase. But the first thing they should do is assume they will be successfully hacked and prepare accordingly. They should have a contingency plan in the event of a ransomware attack, which in the case of critical infrastructure includes a disaster recovery plan with redundant copies of data. Companies that are hacked should contact the FBI before paying any ransom; paying is discouraged because it only encourages hackers to conduct follow-on attacks.
Third, companies cannot rely only on technological solutions such as an incident-response platform and reducing the attack surface by securing routers and servers, using firewalls and applying patches. Companies also should develop their own enterprise-wide program to counter insider threats from negligent employees, who require training to appreciate and defend against the dangers to which they are subjected.
Mitigating the risk of malicious insider threats requires effective employee lifecycle management: hiring people who are a good fit for the enterprise and onboarding them with proper training; continuing through the employment phase with training and awareness; tracking red-flag indicators; and a robust employee assistance program.
Daniel N. Hoffman is a retired clandestine services officer and former chief of station with the Central Intelligence Agency. His combined 30 years of government service included high-level overseas and domestic positions at the CIA. Follow him on Twitter @DanielHoffmanDC.
Shawnee Delaney, a subject matter expert on insider threat, is the CEO of Vaillance Group. She was a clandestine officer and former detachment chief for the Defense Intelligence Agency and information technology specialist for the Department of Homeland Security for 10 years.