The Colonial Pipeline Attack is a Clear Demonstration of the Threat of Ransomware
May 12, 2021
Ransomware attacks — in which criminals use a form of malware to hold a victim's information or systems for ransom — have targeted the personnel files of Washington, D.C. police officers, municipal services in Tulsa, Oklahoma, and, most prominently, the Colonial Pipeline, disrupting the East Coast's fuel supply.
Christopher Whyte, Ph.D., an assistant professor in the Homeland Security and Emergency Preparedness program at Virginia Commonwealth University’s L. Douglas Wilder School of Government and Public Affairs and co-author of “Understanding Cyber Warfare: Politics, Policy and Strategy,” is an expert in cyber conflict and U.S. cybersecurity policy. Whyte explained why it’s so difficult to protect against ransomware, why the attacks are increasingly common, and what policies might be useful in preventing future attacks.
Hackers have launched ransomware attacks on the Colonial Pipeline and D.C. Police. Why are we seeing more of this kind of attack?
There are a number of reasons. Perhaps the most obvious is the quick buck to be made, accompanied by little risk. This kind of attack isn't easy to pull off, but the skill bar to do so is also not as high as you might expect. At the same time, there are typically almost no repercussions for this kind of action. Combined, these realities make the upside too compelling for criminal outfits to ignore, not least because many critical infrastructure operators in the United States are wealthy corporations who opt to minimally invest in legacy technical systems instead of spending the more appropriate amounts demanded by contemporary security standards.
In essence, if your target can pay, is easy to hit and can do very little to retaliate, why not hack? And this dynamic will persist even if we get much better at securing our services, software and hardware systems. Hardening our national cyber defenses is a clear priority. That said, a nationwide security posture sufficient to deter this kind of criminal activity would need to be exquisite. As we know from past efforts, that is something that, unfortunately, would be prohibitively expensive and difficult for the government to either mandate or incentivize in an immensely diverse private industry landscape like the one we have in the United States.
There is, of course, also the possibility that [Colonial Pipeline] was a state-sponsored attack. Global digital conflict has not only intensified over the past decade, but has also diversified. Today, rogue nations like North Korea have used ransomware attacks as a means of funding their security programs and bypassing sanctions. Other countries have their hands in the global cyber criminal ecosystem at a number of levels and benefit from criminal actions that offer plausible deniability and new sources of malicious cyber tools. Though I don't yet have cause to think this attack was state-sponsored, it is not outside the realm of possibility. If so, this kind of attack might be strategically useful to a country like Russia as a sort of swaggering signal, an indication to Western countries that they have some ability to hold our critical infrastructure at risk. It's important to remember that the pipeline shutdown was something done by the defender and not the attacker directly. However, there is enough of a history of supposed efforts by Russian-backed threat groups like Energetic Bear to compromise energy grid systems that this scenario is entirely feasible.
In the past day we've seen gas prices rising across the Southeast, panic buying among consumers and emergency declarations from governors in North Carolina and Virginia. Does this attack, and previous ones like SolarWinds, point to vulnerabilities in our infrastructure?
Yes, these clearly highlight vulnerabilities. However, it's important to note that these attacks were extremely different in the nature of their compromise. While the immediate effect on gas prices and consumer behavior seems concerning, the SolarWinds compromise of the Orion software was dramatically more significant than the pipeline shutdown. The Colonial Pipeline experience is obviously a clearer demonstration of the type of threat that ransomware presents to the function of modern society. That said, to some degree, it is also rapidly becoming par for the course in terms of the scale and the format of expected disruption from criminal cyber actions. By contrast, SolarWinds was a compromise of software that is run across tens of thousands of companies and public organizations. Purging the ransomware from Colonial's business systems is ultimately a relatively simple task, though not without risks. Addressing SolarWinds will take years and may never be satisfactorily combated without the substantial replacement of much of America's routing and computing infrastructure.
How can we address these vulnerabilities?
Addressing America's vulnerabilities to digital attack is no simple task. Greater investment in security talent, education and systems is often extremely hard to motivate among private businesses and operators of the nation's critical infrastructure. The costs of simply paying out of pocket to address a breach are often less than the long-term costs of simply building a better security apparatus. Cyber insurance makes this calculus even less likely to align with public interests and the frequency with which American firms are hit is reducing reputational costs associated with the loss of consumer data or the disruption of services. On top of all this, hardening our national cyber defenses just might not do the trick. There are so many opportunities for compromise across different locales, economic sectors and elements of individual organizations that the incentive for criminal attack remains strong even with substantial new spending.
That's not to say that we're doomed. The key is to think about these issues as more than just technical or criminal in nature. Where attacks like this are linked to foreign political interests, the Department of Defense is increasingly focused on in-kind retaliation to try and draw red lines that our adversaries know not to cross again in the future. More broadly, it helps to think about cyber attacks by drawing from the lessons of environmental protection or even public health. Regarding the former idea, it's not a stretch to accept that Americans and American businesses now live in a world polluted by digital insecurities. Much as environmental economic policies reduce national costs and risks by using market incentives like tradable pollutant permits to reduce risks where it matters most, so too could the federal government use tax policy and incentives to motivate the most important private actors in the U.S., like critical infrastructure operators, to invest in their security apparatus. On the notion of public health, it's worth realizing that the effects of things like ransomware attacks and theft of consumer data often have outcome patterns that look more like those of a pandemic than, say, a terrorist attack. Malware often spreads laterally and doesn't stay contained within a targeted organization, and socially vulnerable communities often suffer more than others hit to roughly the same degree. And so another route for the government to address major cyber threats is to build policy designed to enable societal helpers, those community organizations and information sharers that make the response to sudden calamity so much more rapid and effective.
Is there more the federal government should be doing to target these cyber criminals? Are there policies you would recommend?
The United States has, since 2018, embraced a strategic posture of "defending forward" in cyberspace. This means that U.S. Cyber Command is empowered to engage the nation's adversaries in networks beyond the American homeland, wherever they might be found. A group like the one ostensibly responsible for the Colonial Pipeline attack, however, highlights some of the challenges we face in heading off major assaults on American interests. Though the FBI has had DarkSide under study since October 2020, the link to Russian state interests does not appear clean at this juncture. As a result, preemptive action against the group would not necessarily fall under the jurisdiction of American military cyber forces. Likewise, it's not clear how government analysts would have clearly prioritized DarkSide over other potential threats. After all, the group is more involved with providing ransomware as a service to other criminal clients and the major disruption of the recent incident with Colonial Pipeline came from defender actions, not the direct result of ransomware.
These are the challenges faced by our cyber defenders on a daily basis. If anything, perhaps the best policy in the present moment would simply be not to waste an opportunity to demonstrate American resolve and willingness to punish criminal actors severely in the wake of an attack like this. Hitting back quickly and surgically to apply cost to DarkSide and/or affiliated criminal elements is something that will rapidly lose its effectiveness as a teaching mechanism for other criminals that might look to attack American companies. However, if American response to incidents like this can be tailored to effectively punish those criminal elements involved over the next several years, then achieving a condition of broad-scoped understanding about what targets are off-limits for criminal exploitation might be possible. That said, the deterrent retaliation is inevitably only one part of the solution. It must be married with real reformation in the way that we think about the risks and the impacts of attacks like the recent one on Colonial Pipeline.
Are there insights from your cyber security research that might be applied here?
The popular response to the pipeline shutdown is understandable, but it shouldn't necessarily be conceived of as broad-scoped panic or fear. Research that a colleague at ETH Zurich and I are having published this month in International Studies Quarterly points out that media reporting around cyber issues generally, and incidents like this specifically, invariably adopts a doomsayer tone in discussing the repercussions of digital insecurity. This is odd, particularly given that cyber attacks are almost never physically destructive and can be patched in hours or days. We run a large-scale experiment and demonstrate that the only people who respond to cyber attacks with an unusual amount of panic are those few people who remain detached from the use of modern digital services and products.
Individuals faced with attacks like this exhibit anxiety similar to those faced with weather-related power outages: not fearful so much as they simply lose a bit of confidence in their access to services in the short term. Importantly, we also show that individuals' concern about national cyber threats only exists where there is a perceived threat to their person or livelihood. This strongly implies that periods following cyber incidents, like the one we're in right now, are a unique window within which the government might be able to more effectively build support for new, assertive cyber policies.