Colonial Pipeline, the United States’ largest purveyor of refined fuel, including gasoline, diesel and jet fuel, recently had a bad day. Late last Friday, the company’s information technology systems fell victim to ransomware. The company quickly shut down its operations as a precautionary measure to contain the attack and prevent long-term damage to its physical systems. As of Tuesday afternoon, the pipeline was still largely offline, though Colonial hopes to restore operations by the end of the week.
The attack on Colonial Pipeline is one data point in an overall trend of increased attacks from ransomware, malicious software that prevents victims from accessing their data and requires a ransom payment in order to restore their systems. The consequences can range from the economically costly to the downright dire: Businesses get locked out of their computer systems for several hours or days at a time, halting operations, disrupting supply chains and significantly harming consumer trust.
In 2020 alone, nearly 2,400 state and local governments, health care facilities and schools were victims of ransomware attacks. Additionally, the victims of these attacks paid a total of $350 million in ransom, marking a 300-plus-percent increase from the previous year.
And ransomware is just one kind of cyberthreat posed to infrastructure — one of the country’s most prevalent national security risks and one that should be at the top of priority lists for infrastructure needs. Given the severity of the danger, it was disappointing to see that the Biden administration’s current infrastructure plan falls woefully short in terms of actually securing the infrastructure it proposes to build, a failing that has raised eyebrows.
The Colonial Pipeline attack “is a play that will be run again, and we’re not adequately prepared” warned Sen. Ben Sasse, R-Neb. “If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors — rather than progressive wish lists masquerading as infrastructure.”
America’s critical infrastructure as traditionally defined and historically understood is deeply in need of investment and renewal. The backbone of the package must therefore be to safeguard and upgrade these core elements — from airports and highways to mass transit and beyond — and must have significant cybersecurity investments properly baked in.
President Joe Biden’s $2 trillion package does include $621 billion for long-standing transportation infrastructure needs such as bridges, roads and ports and over $300 billion for upgrading electric grids and drinking-water infrastructure and expanding broadband internet access.
However the package stretches the definition of infrastructure beyond its traditional meaning. Under the plan, for instance, $400 billion goes to support the home-based health care workforce, the component of the package described by The New York Times as the “most transformational and polarizing.” Aspiring to transformational change is a leader’s prerogative; but it should be done transparently in a way that does not subvert logic, common sense or pressing national and economic security priorities — in this case, securing infrastructure itself from cyberattacks.
Indeed, malicious actors are more emboldened than ever to take advantage of the vulnerability of American critical infrastructure, from our water supply to our electric grid to our pipelines. The Colonial Pipeline supplies 45 percent of the East Coast’s fuel, transporting nearly 100 million gallons of refined fuel between the Gulf Coast and New York on a daily basis. If the disruption were to continue unabated, the East Coast could be at risk for more distribution problems and price fluctuations, which could prompt other cascading consequences that could jeopardize many systems — airports, businesses and day-to-day travel — that rely on its fuel deliveries. The possible harm to the wider economy could extend even beyond that.
The Biden administration is taking some important steps outside of the infrastructure bill to address the issue of ransomware and cybersecurity more broadly. The recent announcement of a Department of Homeland Security “sprint” to tackle ransomware by raising awareness and disrupting bad actors, a Department of Justice ransomware task force to go after perpetrators and suggestions that a new White House ransomware plan is forthcoming all signal an increased willingness by the federal government to act. But unfortunately, these are inadequate and significant vulnerabilities still exist.
Specifically, the Biden administration’s proposed infrastructure spending plan doesn’t address securing infrastructure from malicious cyber activity. The president’s budget proposal for next year also doesn’t prioritize cybersecurity. The Cybersecurity and Infrastructure Security Agency received only a 5 percent budget increase, compared to the overall 16 percent increase in nondefense spending. Both the budget and the infrastructure plan continue the Trump administration's failure to sufficiently fund cybersecurity efforts in the nondefense department budget areas.
A correction is possible. Congress can alter the infrastructure plan to prioritize needed investments in the cybersecurity of our most vulnerable critical infrastructures, including water and wastewater infrastructure, electricity grid distribution systems, maritime transportation systems and municipality networks. Given the large price tag of the White House’s infrastructure plan, this spending shouldn’t be contentious.
Such an investment plan could include expanding the government’s Pipeline Cybersecurity Initiative to include the use of grants and low-interest loans to rectify shortfalls that the initiative identifies in boundary protection, monitoring, configuration management and access controls.
It’s also important that the government establish a public-private collaboration so the private-sector entities responsible for systems and assets that underpin national critical functions, such as Colonial Pipeline, shoulder additional security requirements befitting their unique status and importance to include requirements to report all cyber intrusions. In exchange, these entities would benefit from additional federal protections even as they are entrusted with access to the most up-to-date, actionable and relevant federal intelligence on emerging threats.
As members of the Cyberspace Solarium Commission, we were pleased to see Congress codify into law two recent provisions that will help victims prepare for, respond to and mitigate the consequences of cyberattacks. First, a Joint Cyber Planning Office will soon be established to help coordinate campaigns to fight cyberattacks between the public and private sectors. Secondly, the executive branch must develop a playbook for maintaining the functioning of the national economy in the event of a significant cyber incident. Although both these initiatives have been authorized by law, the administration must now take action on implementation.
As the Biden administration and Congress prioritize a massive infrastructure plan, now is the time for the federal government — and the country as a whole — to come to terms with the major investments needed to ensure the security and resiliency for our national systems. Otherwise, many more Americans will be impacted by the next bad day in critical infrastructure.