WASHINGTON — The successful hack of America's largest gas pipeline has exposed gaping holes in U.S. cyber defenses, experts say.
The weaknesses have been known for years: Eighty-five percent of American critical infrastructure is owned by private companies, and few regulations govern how those companies must protect their computer networks. Criminal hackers like the ones the FBI says attacked Colonial Pipeline are given overseas sanctuary by hostile foreign governments, out of reach of American law enforcement. The vast majority of ransomware attacks originate abroad, many of them from Russia, experts say.
Against this largely foreign threat, the U.S. government leaves it to the private sector to protect itself. The National Security Agency collects intelligence about cyberattacks, the FBI investigates them after they happen and the Department of Homeland Security tries to protect government computers. But no federal agency is in charge of defending the American public against hackers, be they criminals or intelligence operatives.
"No one would ever think the private sector is responsible for defending itself against North Korean missiles," said Glenn Gerstell, a recent former NSA general counsel. "And yet the private sector is expected to defend itself against foreign cyber maliciousness."
The secondary role of federal agencies was on stark display Tuesday, when the acting head of the Cybersecurity and Infrastructure Security Agency, a unit of DHS known as CISA, acknowledged that five days after the attack on the company was first reported, Colonial Pipeline had yet to share with his agency the technical details of the hack. Colonial never notified CISA of the breach — the FBI did that, acting Director Brandon Wales said.
"Right now we are waiting for additional technical information on exactly what happened at Colonial so that we can use that information to potentially protect other potential victims down the road," he told an incredulous Sen. Rob Portman, R-Ohio, at a hearing of the Senate's Homeland Security Committee.
The government, Portman noted earlier, can't even say definitively which agency is in charge of securing its own federal networks, let alone private ones that are crucial to the American economy.
"At our last hearing, I asked the witnesses which agency is in charge of federal cybersecurity," he said. "The witnesses were unable to give an answer, which is troubling."
Colonial brought in a private company, Mandiant, to assess the damage and remediate its networks. It's unclear whether the FBI has full access. Famously, when the Democratic National Committee was hacked in 2016, it never provided the FBI direct access to its servers, instead providing data through a third party.
While CISA's name implies it is the main cyber defense agency, it actually plays a limited role, focusing on testing vulnerabilities and promoting best practices. CISA is not a regulatory agency.
"CISA works with FBI and other investigative agencies, but they are not the lead," an agency official told NBC News. "CISA is not who you would call if you need immediate assistance — that would be FBI."
President Joe Biden has plans to change some of this, including a proposed executive order that officials say would require companies that operate critical infrastructure to tell the government when they are hit by a cyberattack. But only Congress can impose comprehensive cyber regulations, and an effort to do that failed in 2012.
Many experts believe much bigger changes in law and policy are needed.
"For well over two centuries, America has responded to foreign threats where they resided — overseas," said Gerstell.
Years at the NSA, which employs some of the world's best hackers, taught Gerstell there is no network hackers can't breach. So cybersecurity must be configured with the expectation that the bad guys will pick the lock, he said, and must prioritize containing the damage once they get inside.
The key to that is rapid information sharing, he said — the kind that isn't happening now.
"We need to do a way better job nipping attacks in the bud before they spread too far," he said. "That requires a robust public/private sharing of info in real time. The instant an attack starts on some company it should have a legal duty to report that, it should have an electronic means of reporting very quickly."
The information should go to a coordination center, he said, which would include classified intelligence about cyber signatures. The faster an attack is diagnosed, the faster it can be contained.
"So maybe the next SolarWinds affects only 22 companies" instead of thousands, he said, referring to a massive hack of corporate and government networks believed to be the work of Russian intelligence.
It's also crucial to move to a "zero trust environment," Gerstell and other experts say — configuring networks so that all outside software and devices are treated as hostile until proven otherwise. Biden's executive order calls for federal networks to adopt that policy, according to The New York Times.
"Zero trust can greatly mitigate the damage that can be done once a user or host is compromised," said Gary Kinghorn, marketing director of Tempered Networks, a cybersecurity firm. Without it, he said, the infection can spread, giving hackers further access to steal more information or do more damage. "Zero trust can reduce the lateral spread of attackers and malware by blocking access and communication that is not explicitly authorized."
But even if the U.S. got its cyber defenses in order, it would still face the problem of hostile countries such as Russia allowing criminal hackers to operate unmolested from their territories. As long as they are attacking the English-speaking West, experts say, they are not touched. Some of them freelance for Russian intelligence services.
DarkSide, the group the FBI says attacked Colonial, appears to be based in Russia, Biden said Monday.
Dmitri Alperovitch, cofounder of the cybersecurity firm CrowdStrike and now executive chairman of the Silverado Policy Accelerator, a think tank, says the U.S. should provide Russia a list of hackers it wants prosecuted or extradited. And if that doesn't happen, it should impose severe sanctions.
Ransomware attacks like the one that crippled Colonial Pipeline's operations have become commonplace. But this time, a cyber mishap is striking at the wallets of average Americans, in the form of higher gas prices. Some experts believe it could be a turning point.
"The only silver lining is this is going to be a big enough deal that I believe this will be the wake-up call the government needs," said Eric Cole, a cybersecurity expert and author.
Kelvin Coleman, executive director of the nonprofit National Cyber Security Alliance, had a different take.
"I'm tired of getting wake-up calls," he said. "It's time to stay awake."