18 December 2021

Cyberattacks on our energy infrastructure: The need for a national response to a national security threat

Jeh Charles Johnson

On May 6 of this year, Colonial Pipeline was hit with a ransomware attack by the Russia-based group DarkSide. Reportedly, DarkSide attacked Colonial Pipeline’s billing system, not its operational technology. But as a precaution, for the first time in history, Colonial shut down its entire pipeline, which supplies 45 percent of all the gasoline and jet fuel consumed on the East Coast of the United States.

This shutdown had an immediate, direct, and far-reaching impact on the day-to-day lives of the American people. Shortages at gas stations popped up across Alabama, Florida, Georgia, North and South Carolina, and Virginia. On May 11, 71 percent of gas stations in Charlotte, North Carolina ran out of fuel. On May 14, 87 percent of gas stations in Washington, DC went dry. Gas prices shot up. Panic buying and hoarding occurred. Airports and airlines were affected. Colonial Pipeline paid the $5 million ransom. The pipeline was turned back on. But one ransomware attack, directed at one company, had far-reaching consequences for our nation, its people, and its national security.

It was as if one water-main break in downtown Houston, Texas caused kitchen faucets to run dry in Arlington, Virginia. Or, as if a single pothole in a runway at the Atlanta airport had delayed every commercial flight in the southeastern United States.

This wasn’t the first cyberattack on energy infrastructure, and it won’t be the last.

In 2015, Russian hackers attacked the power grid in Ukraine, leaving 225,000 people in the dark.1

In 2012, Saudi Aramco was hit with a cyberattack, likely by the government of Iran, which forced the then-world’s largest oil company to shut down 35,000 computers and go back to operating with typewriters and fax machines.2

In February 2021, a hacker infiltrated a water treatment plant in Florida and attempted to increase the water supply’s sodium hydroxide to alarmingly dangerous levels.3

In August 2021, a nation-state attempted a cyberattack on the Port of Houston, the largest container port on the Gulf Coast.4

The cyber threat to our energy infrastructure is real and growing. Indeed, it’s not just a threat. It is our current reality.

For three years, I served as Secretary of the Department of Homeland Security (DHS). As a New Yorker who was present in Manhattan on 9/11, and after four years as the senior legal official for the Department of Defense, I came to the job of DHS Secretary with a counterterrorism bent. I told my staff at DHS that counterterrorism needs to be the cornerstone of our mission. I soon learned that a building can have more than one cornerstone, and that cybersecurity needs to be another cornerstone mission for DHS.

Cyberspace is the new 21st century war zone. As reported by the New York Times just a few days ago, the governments of Iran and Israel are actively engaged in covert cyberwarfare right now.5 Cyberattacks are replacing kinetic attacks. Covert actors are replacing conventional state actors. US Cyber Command now exists alongside the combatant commands of our nation’s military.

A cyberattack on our nation’s energy sector, or any other sector of critical infrastructure, must be viewed as an attack on the nation itself, warranting a national response.

Under US law, critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”6 As declared by DHS, there are eighteen critical infrastructure sectors in this country, including the defense industrial base, financial services, transportation, energy, water, and nuclear reactors.7 Just before leaving office in January 2017, I added election infrastructure to the list, as a subsector of the government facilities sector. Our government goes to the trouble of declaring these assets critical infrastructure for a reason.

In the energy sector in particular, assets of critical infrastructure are becoming increasingly interconnected and increasingly vulnerable to a cyberattack of widespread consequences. And just as every organ of the human body depends on a healthy heart, all of the other sectors of critical infrastructure depend on the energy sector.

To be sure, there are compelling reasons for the increasing interconnectivity of our energy sector. With climate change comes the need for renewable energy. With renewable energy, wind and solar power, efficient uses of fossil fuels, and smarter uses of electric grids, come the need for digitization and interconnectivity. As a result, the US electricity grid is now referred to as “the largest interconnected machine in the world.”8

All this leads to cleaner uses of energy. But it need not mean trade-offs for our cybersecurity.

With the recent passage of the new bipartisan infrastructure law, nearly $2 billion will be devoted to making our infrastructure more resilient against the impact of cyberattacks.9 But there are other things we must do to strengthen the cybersecurity of the energy sector and the other sectors of critical infrastructure in this country.

First, and perhaps the easiest, least expensive and most obtainable solution: continue to raise awareness about the threat of spear-phishing. Many of us know what spear-phishing is, but many still fall prey to it. Spear-phishing occurs when a system user is lured into responding to an email from a bad cyber-actor posing as a benign and familiar caller. And once the user answers the knock, opens the door, and lets the bad actor into the secure zone, that bad actor can pose as almost anyone for any purpose. To this day, many of the most devastating cyberattacks on our nation began with a simple act of spear-phishing. This is preventable. Raising awareness about spear-phishing among those who use a system can go a long way toward dramatically reducing the success rate of this form of attack. More broadly, simply raising awareness about weak passwords or the value of two-factor authentication can prevent a large number of attacks that originate from a lack of what we refer to as “cyber hygiene.”

Second, achieve and ensure redundancy. Whether it is the ability to count ballots or control a pipeline, redundancy is key. This is not a new concept. Like the retention of paper ballots after an election, some call for back-up manual control of power grids and pipelines. This may not be doable in all circumstances. The point is to have redundant systems that exist off the internet in the event the primary system is corrupted. Or, at the least, a contingency plan for how services are to be delivered if redundancy is not possible.

Third, Congress should not give up on efforts to legislate certain minimum standards for cybersecurity in critical infrastructure. Most of our nation’s critical infrastructure is in the hands of the private sector. Working with the private sector, the government ought to be able to develop basic, practical and implementable standards. The good news is that many large and sophisticated companies within critical infrastructure are far along in the cybersecurity of their own assets. Others are not, including many new entrants to sectors of critical infrastructure.

In 2012, Congress tried to legislate national minimum cybersecurity standards, and even offered immunity from civil liability as a carrot. That effort failed. Events since then provide further proof of the need for such standards.

No one size fits all when it comes to cybersecurity standards for the different sectors of critical infrastructure. Certain standards for certain sectors already exist by virtue of regulatory action. Congress should empower regulators of each sector of critical infrastructure to do more. Successive administrations, including the current one, have undertaken to regulate cybersecurity by executive action. This is no substitute for laws passed by Congress. It is also common sense. By federal law, we regulate aviation security, road safety, maritime security, nuclear and chemical facilities. Why not cybersecurity? The need is no less compelling.

Fourth, we must bolster mandatory reporting to the federal government of certain categories of cyber incidents within critical infrastructure. I am disappointed that bipartisan efforts to insert such a requirement in this year’s National Defense Authorization Act failed.10 Tom Fanning, chairman and CEO of Southern Company and a leader in calls for greater cybersecurity of the utility industry, has gone so far as to argue that the country needs “[a] real-time view of [the] battlefield” that allows US Cyber Command to monitor critical systems at the same moment and at the same time as the operators of those systems do.11

Fifth, we must recognize that a cyberattack on a pipeline or a power grid could now cause as much physical damage and suffering as a natural disaster. The good news here is that the bipartisan Infrastructure Investment and Jobs Act signed into law by President Biden in November creates a Cyber Response and Recovery Fund to be administered by DHS for this purpose.12

Sixth, I join the many calls for the education, recruitment and retention of a cyber-workforce to meet the urgency of the current threats in cybersecurity. Exchange programs between the public and private sectors should be encouraged. Given the current threats we face, why not a National Cybersecurity College or University for both civilians and military, funded by the Departments of Defense and Homeland Security, to exist alongside our military academies, the National Defense University and the National War College?

Seventh, and finally, we must make it clear to the world that, in the eyes of the United States, a cyberattack from overseas on our nation’s critical infrastructure may rise to the level of an armed attack on the nation itself, warranting a military response (as the term “military” is now understood in the 21st century).

In reaction to the terrorist attacks on 9/11, our government reshaped itself to go to war against terrorist organizations. We reshaped how we think of war. We recognized that warfare can be conducted against unconventional, non-state actors, and that conflict against non-state actors may not be limited to the boundaries of a particular nation.

As I said before, cyberspace is the new 21st century war zone. Covert state and non-state actors launch cyberattacks from overseas on our critical infrastructure that have the potential to cause death and destruction to the same extent and in the same manner as an air strike or a terrorist attack.

In testimony before the House Armed Services Committee in 2018, I said that a cyberattack which causes large-scale death or physical destruction can be considered an armed attack on the United States, warranting a military response.13 The President has the constitutional authority to take military action to defend the nation, so long as the action does not rise to the level of a war in scope and duration, which only Congress can declare.14 Under international law, the United States is authorized to act in self-defense if the host nation is unwilling or unable to address the threat itself within its boundaries.15 And under established principles of the international laws of war, a military response to an attack should be proportionate, but it need not be in kind.16

The United States has offensive cyber capabilities that are second to none. They should serve as both a defense and as a deterrent. I am a recipient of the Ronald Reagan Peace Through Strength Award. Like President Reagan, I believe that peace and security are achieved through strength. In 2018, when I accepted the Reagan Award, I said this:
