If you think rocket science is tough, try building a computer system. Computer software is among the most complex items ever invented. Modern, internet-connected computer operating systems are vastly complicated, containing many millions of instructions and requiring many hundreds of work-years to develop. The pieces interact with each other in ways that the designers might not anticipate. Sometimes, those interactions create security risks, and computer system security is far from an exact science. Every sector of our economy is a target, especially those engaged in finance and infrastructure.
A dedicated hacker can probe for security holes through which they can insert virtually undetectable code to steal data or commandeer a computer’s resources. A team of a thousand or so government-sponsored computer engineers working to find one of those holes has a good chance of success. Once a malign operator finds a vulnerability, it’s certain to be exploited.
The Russian government has been conducting cyberattacks on United States’ computing resources for years. In the runup to the 2016 election, Russia hacked the Democratic National Committee. In 2018, the Computer Emergency Response Team alerted us that the Russian Government was conducting a “multistage intrusion campaign by Russian cyber actors who targeted commercial networks where they staged malware … and gained remote access into energy sector networks.”
Those hacks targeted U.S. power plants and government facilities, among other resources. Last October, the FBI, CISA, and HHS reported they have “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” The New York Times reported that Russian hackers had a list of more than 400 targeted hospitals; more than 30 were infected by ransomware. In a single 24-hour period, six hospitals were hit with demands for millions of dollars.
Last year, Russian government hackers succeeded in planting spyware in more than 18,000 government and business systems through what’s known as a “supply chain attack.” The infected sites use software from a company named SolarWinds to monitor and manage their computer systems. The hackers planted malware in a SolarWinds update that allowed them to access virtually all the data on the infected machines. The Russian government could and did read anything and everything from government sites including the departments of Homeland Security, State, Commerce and Treasury. After the attack had been exposed in November, House Intelligence chair Adam Schiff described the attack as “devastating.” Senate Republicans said, “We should make it clear that there will be consequences.” Even now, six months after the intrusion was detected, we don’t know the extent of the breach.
Over the last two weeks, a variation on this theme emerged. On May 7, a Russian criminal hacking group carried out a malware cyberattack on Colonial Pipeline resources, forcing a shutdown of the oil pipeline that feeds more than 2.5 million barrels of oil and gasoline to much of the east coast. The hackers stole hundreds of gigabytes of sensitive data and threatened to dump it on the internet unless Colonial Oil paid them nearly $5 billion.
The shutdown lasted about a week, but the damage was significant. Gas prices skyrocketed, and frightened people created long lines at gas stations, many of which were completely sold out. The president said he doesn’t believe the Russian government was involved, even though the attack came from Russia. Perhaps that statement was intended to serve some deeper diplomatic purpose, but let’s be clear: nothing like this (or the attacks on US hospitals) could happen in Russia without Putin’s knowledge, if not his approval.
Cyberattacks occur all over the country. Last November, Baltimore County schools were shut down for a week and were forced to pay $1.7 million to restore services in a ransomware incident. Banks are prime targets. For example, last year, CitiBank had a data breach exposing more than 300,000 credit card accounts. In 2019, more than 100 million credit card applications were stolen from Capital One — chances are that hackers know what’s in your wallet.
Just as roads and bridges are part of our country’s physical infrastructure, our schools, banks, hospitals, and fuel distribution systems are parts of our social and economic infrastructure and must be protected. It should be clear to all that nothing is safe from potential cyberattacks. Schiff is putting pressure on the White House to make it clear to Russia they will be held to account for these attacks or suffer the consequences. It won’t be easy or cheap to harden our defenses against the cyberwarfare coming from Russia. But the cost of ignoring them is greater.
Mitch Edelman, vice chairperson of the Carroll County Democratic Central Committee, writes from Finksburg. His column appears every other Tuesday. Email him at email@example.com.