A hacking of a major pipeline, the latest evidence of the nation’s vulnerabilities to cyberattacks, prompted questions about whether the administration should go further.
Published May 9, 2021. Updated May 10, 2021, 11:20 a.m. ET
WASHINGTON — A pipeline that provides the East Coast with nearly half its gasoline and jet fuel remained shuttered on Sunday after yet another ransomware attack, prompting emergency White House meetings and new questions about whether an executive order strengthening cybersecurity for federal agencies and contractors goes far enough even as President Biden prepares to issue it.
The order, drafts of which have been circulating to government officials and corporate executives for weeks and summaries of which were obtained by The New York Times, is a new road map for the nation’s cyberdefense.
It would create a series of digital safety standards for federal agencies and contractors that develop software for the federal government, such as multifactor authentication, a version of what happens when consumers get a second code from a bank or credit-card company to allow them to log in. It would require federal agencies to take a “zero trust” approach to software vendors, granting them access to federal systems only when necessary, and require contractors to certify that they comply with steps to ensure that the software they deliver has not been infected with malware or does not contain exploitable vulnerabilities. And it would require that vulnerabilities in software be reported to the U.S. government.
Violators would risk having their products banned from sale to the federal government, which would, in essence, kill their viability in the commercial market.
“That is the stick,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. “Companies will be held liable if they’re not telling the truth.”
The order, which is expected to be issued in the coming days or weeks, would also establish a small “cybersecurity incident review board.” The board would be loosely based on the National Transportation Safety Board, which investigates major accidents at air or sea.
The measures are intended to address the fact that the software company SolarWinds made for such an easy target for Russia’s premier intelligence agency, which used its software update to burrow into nine federal agencies as well as technology firms and even some utility companies. (Despite SolarWinds’ incredible access to federal networks, an intern had set the firm’s password to its software update mechanism to “SolarWinds123.”)
But federal officials, who caution that the draft of the order is not final, concede that the regulations would still almost certainly have failed to thwart the most skilled nation-state intrusions and disruptions that have rocked the government and corporate America in recent months, given their sophistication. That includes the more recent Chinese hackings of American businesses and military contractors that used a series of unknown holes in Microsoft email systems.
Theoretically, it could be more effective against the kind of criminal ransomware attack that took over Colonial Pipeline’s headquarters networks last week. That attack — the second to shut down a pipeline in a little over a year — did not appear to involve the kind of highly sophisticated steps that Russia and China are known for: Rather than directly try to take over the pipelines, the attackers went after what officials say was poorly protected corporate data, stealing it on such a large scale that it forced the company to shutter the pipeline rather than risk a spreading attack.
But it was unclear whether Mr. Biden’s executive order would apply to Colonial Pipeline. It is a privately held firm that oversees the distribution of much of the East Coast fuel supplies — just as 85 percent of America’s critical infrastructure, from power grids to communications networks to water treatment plants, is controlled by private firms.
On Sunday afternoon, the company offered no more details and refused to answer questions about the hacking, including whether it was paying the ransom — a step the F.B.I. discourages. The firm did not say when it would resume operations, only that it “is developing a system restart plan.”
Federal officials expressed frustration at how ill-prepared the company was to fend off the attack or respond to it, and White House officials were holding emergency meetings, some focused on how to protect other operators who may have similar vulnerabilities.
Officials involved in the investigation said a criminal gang known as DarkSide invaded Colonial’s networks and took 100 gigabytes of data in a few hours, a detail reported earlier by Bloomberg. The firm then received a ransom demand for an unspecified amount threatening to make its data forever inaccessible to the firm, and publish some of it — presumably proprietary information — on the internet.
“The success of this attack is pretty stunning given how important they are to our nation’s critical infrastructure,” said Kiersten Todt, the managing director at the nonprofit Cyber Readiness Institute and a former director of the President’s Commission on Enhancing National Cybersecurity.
On Sunday, the commerce secretary, Gina Raimondo, warned companies to secure their networks.
“This is what businesses now have to worry about,” Ms. Raimondo told CBS’s “Face the Nation.” “Unfortunately, these sorts of attacks are becoming more frequent. They’re here to stay, and we have to work in partnership with business to secure networks to defend ourselves against these attacks.”
Government officials have been repeating similar statements since the George W. Bush administration. While some industries — particularly the nation’s biggest financial institutions and utilities — have invested billions of dollars, many have not.
And efforts to regulate minimum cybersecurity standards for companies that oversee critical systems have repeatedly failed, most notably in 2012, when lobbyists killed such an effort in Congress, arguing that the standards would be too expensive and too onerous for businesses.
“The ghost of 2012 hangs over this,” Mr. Lewis said. “But we’ve been recommending these same measures since there were two people on the internet.”
Colonial Pipeline is a prime example. Though the industry talks constantly about “information sharing” to deter attackers, the company has said nothing publicly about how cybercriminals broke into its network.
The group responsible, DarkSide, is considered a relative newcomer to ransomware, surfacing in August. It is one of dozens of organized criminal groups that have moved to the double-extortion model of not only locking up victims’ data with encryption, but threatening to release it. Such groups run sophisticated “help desks” to negotiate payment in hard-to-trace cryptocurrencies.
It is a wildly profitable business: In previous attacks, DarkSide is estimated to have made anywhere from $200,000 to $2 million in extortion demands, it has said. But that actually falls on the low end of the spectrum. A recent study by the cybersecurity firm Palo Alto Networks said the average ransom demand is now $850,000, with the highest $50 million.
Intriguingly, DarkSide advertises a code of conduct on its website: Hospitals, hospices, schools, nonprofits and government agencies are considered off limits. Large, for-profit companies like Colonial Pipeline are considered fair game, and the cybercriminals even claim to donate some of their illicit proceeds to charities. (Some recipients of DarkSide’s “donations” have said they would not accept them.) Investigators say they believe some profits are funneled into designing even better ransomware that evades existing protections.
Last month, top executives from Amazon, Microsoft, Cisco, FireEye and dozens of other firms joined the Justice Department in delivering an 81-page report calling for an international coalition to combat ransomware. Leading the effort inside the Justice Department are Lisa Monaco, the deputy attorney general, and John Carlin, who led the agency’s national security division during the Obama administration.
Last month the two ordered a four-month review of what Ms. Monaco called the “blended threat of nation-states and criminal enterprises, sometimes working together, to exploit our own infrastructure against us.” Until now the Justice Department has largely pursued a strategy of indicting hackers — including Russians, Chinese, Iranians and North Koreans — few of whom ever stand trial in the United States.
“We need to rethink,” Ms. Monaco said at the recent Munich Cyber Security Conference.
Among the recommendations in the report by the coalition of companies is to press ransomware safe havens, like Russia, into prosecuting cybercriminals using sanctions or travel visa restrictions. It also recommends that international law enforcement team up to hold cryptocurrency exchanges liable under money-laundering and “know thy customer” laws.
The executive order also seeks to fill in blind spots in the nation’s cyberdefenses that were exposed in the recent Russian and Chinese cyberattacks, which were staged from domestic servers inside the United States, where the National Security Agency is legally barred from operating.
“It’s not the fact we can’t connect the dots,” Gen. Paul M. Nakasone, who heads both the National Security Agency and the Pentagon’s Cyber Command, told Congress in March, reviving the indictment of American intelligence agencies after Sept. 11. “We can’t see all the dots.”
The order will set up a real-time information sharing vessel that would allow the N.S.A. to share intelligence about threats with private companies, and allow private companies to do the same. The concept has been discussed for decades and even made its way into previous “feel-good legislation” — as Senator Ron Wyden, Democrat of Oregon, described a 2015 bill that pushed voluntary threat sharing — but it has never been implemented at the speed or scale needed.
The idea is to create a vessel to allow government agencies to share classified cyberthreat data with companies, and push companies to share more data about incidents with the government. Companies have no legal obligation to disclose a breach unless hackers made off with personal information, like Social Security numbers. The order would not change that, though legislators have recently called for a stand-alone breach disclosure law.
Thomas Fanning, the chairman and chief executive of Southern Company, one of the nation’s largest energy firms, said in an interview last week that the existing structure was slow and broken: The country now needs real-time command centers, like it built during the Cold War to see incoming missile attacks.
“A real-time view of that battlefield that allows Cyber Command to see my critical systems at the same moment and the same time I see them,” he said. “Sharing isn’t fast enough. It’s not comprehensive, and you can’t rely on it on matters of national security.”