Friday’s crippling cybersecurity attack on the Colonial Pipeline likely took a lot of people off-guard. After all, how many average Americans knew the 5,500-mile-long pipeline network was the nation’s largest? That it is a primary source of gasoline, diesel, home heating oil and jet fuel from Gulf Coast refineries to the East Coast? Or, most importantly, that computer hackers could essentially shut it down with a ransomware attack?
Yet here we are, waiting day by day, to see if the system’s software can be repaired and the pipeline put back in operation by midweek. Should it take longer, the consequences could prove severe beginning with fuel shortages, rising prices and a glut of crude oil at backed-up refineries. Already, oil companies are looking to alternative means of shipment including barges and tanker trucks. And the prospect of significantly more fuel trucks on the nation’s highways is not a happy one given how disastrous tanker-truck-involved crashes can be; the fiery single vehicle accident that killed the driver and closed Interstate 70 in Mount Airy for six hours in March providing is perhaps the most recent local example. Pipelines are far safer.
Attacks by ransomware, the use of malware to disable computer software until money is paid, has become a rising threat to government and private industry in the United States and around the world. Baltimore County had a taste of it when an attack forced its public schools to temporarily close last fall. More recently, the University of Maryland, Baltimore acknowledged last month that private information of students and staff was leaked after a ransomware attack. Federal officials have repeatedly warned hospitals against the threat of data theft and service disruptions posed by these extortion attempts. The 2019 ransomware attack against city government that cost taxpayers more than $18 million to fix now looks simply like a preview of things to come.
After each, we have heard the customary warnings: Government and private industry must harden their security systems against future assaults. So why is the problem only growing worse, as Department of Homeland Security Secretary Alejandro Mayorkas acknowledged last week at a U.S. Chamber of Commerce event just two days before the Colonial attack? Part of the problem is surely that the hackers have a profit motive; last year, an estimated $350 million was paid to attackers. Another component is the international scope of the problem. The attack on the Colonial Pipeline is thought to be the work of DarkSide, a Russian criminal organization. But such attacks can also sometimes be sanctioned by governments with an adversarial view of the U.S. — including Russia, China and Iran, which means they pose a troubling potential national security threat.
Enough is enough. Given the Biden administration’s willingness to invest in infrastructure, we would humbly suggest that cybersecurity needs to be made the highest possible priority. Everyone is due for an upgrade. And it’s just not about protecting government computers. Private employers, large and small, need to be encouraged to make similar information technology investments. No company should ever make the calculation that it’s cheaper to pay the hackers than to upgrade its software. That only perpetuates the threat in the long-term.
What is needed is not only greater vigilance, but accountability. Secretary Mayorkas and others ought to make criminal prosecution of hackers a mission. And if the Russian government — or any other nation-state — is found to be providing aid or assistance to such outlaws, there must be consequences for that as well. It’s unlikely that cyberattacks will soon become a thing of the past, but there are surely ways for computer systems to be made far less vulnerable to them. It’s like the arms race, but with software and a target-rich environment.
And finally, this is a matter that ought to be taken seriously by individuals as well. A more robust public information campaign than the little-noticed “Stop. Think. Connect.” is overdue. It’s up to all of us to follow cybersecurity best practices, particularly with so many working remotely during the COVID-19 pandemic. That can be as simple as guarding against phishing (fraudulent emails that seek personal or financial information) and updating your computer’s security software or password. Human error is a common vulnerability — and a costly one. The Colonial Pipeline may yet be fully restored this week and the impact on East Coast fuel supply will prove modest. The danger posed by hackers, however, will continue with no foreseeable end in sight.
The Baltimore Sun editorial board — made up of Opinion Editor Tricia Bishop, Deputy Editor Andrea K. McDaniels and writer Peter Jensen — offers opinions and analysis on news and issues relevant to readers. It is separate from the newsroom.