For years, government officials and industry executives have been running in-depth simulations of a targeted cyberattack on the US power grid or gas pipelines and imagining how the country would react.
But when the real moment came when it wasn’t an exercise, it didn’t look like the war games.
The attacker was not a terrorist group or a hostile state such as Russia, China or Iran, as was assumed in the simulations. It was a criminal blackmail ring. The aim was not to disrupt the economy by taking a pipeline offline, but rather to save company data as a ransom.
The most visible impact – long lines of nervous drivers at gas stations – came not from a government response but from a decision by the victim Colonial Pipeline, which controls almost half of the gasoline, jet fuel and diesel flowing on the east coast, to turn the spigot. This was out of concern that the malware that had infected their back office functions could make it difficult to bill for the fuel delivered down the pipeline or even spread to the pipeline’s operating system.
What happened next was a vivid example of the difference between table simulations and the cascade of consequences that can follow even a relatively straightforward attack. The episode aftermath is still playing out, but some of the lessons are already clear, showing how far the government and the private sector must go to prevent and manage cyberattacks and put in place fast backup systems in case that critical Infrastructures fail.
In this case, the long-standing belief that the pipeline’s operations were completely isolated from the data systems locked down by DarkSide, a gang of ransomware believed to be operating out of Russia, proved false. And the company’s decision to shut down the pipeline sparked a series of dominoes, including panic buying at the pumps and silent fear within the government that the damage could spread quickly.
A confidential assessment by the ministries of energy and homeland security found the country could only afford three to five days if the colonial pipeline was shut down before buses and other local transport had to cut operations due to a lack of diesel fuel. Chemical plants and refineries would also be shut down as there was no way to sell what they produced, the report said.
And while President Biden’s advisors announced efforts to find alternative ways to get gasoline and jet fuel to the east coast, none were immediately available. There was a shortage of truck drivers and tankers for trains.
“Every fragility has been exposed,” said Dmitri Alperovitch, co-founder of CrowdStrike, a cybersecurity company and now chairman of the Silverado Policy Accelerator think tank. “We learned a lot about what could go wrong. Unfortunately our opponents too. “
The list of lessons is long. Colonial, a private company, may have thought it had an impermeable protective wall, but it was easy to break through. Even after paying the extortionists nearly $ 5 million in digital currency to recover their data, the company found that the process of decrypting its data and turning the pipeline back on was excruciatingly slow, which means it is still It will be days before the east coast comes back to normal.
“It’s not like flicking a light switch,” Biden said Thursday, noting that the 5,500-mile pipeline had never been shut down before.
For the administration, the event was a dangerous week in crisis management. Mr Biden told the aides it was remembered that nothing could cause political damage faster than television images of gas pipes and soaring prices, with the inevitable comparison to Jimmy Carter’s worst moments as president.
Mr Biden feared the situation would raise concerns that the economic recovery is still fragile and inflation will rise if the pipeline is not restarted, panic subsides and the price cut is nipped in the bud.
In addition to the numerous measures to get oil in motion on trucks, trains and ships, Mr Biden published a long-standing regulation intended for the first time to require changes in cybersecurity.
And he suggested that he was ready to take steps the Obama administration hesitated during the 2016 election campaigns – direct measures to repel the attackers.
“We are also going to take action to disrupt its operability,” said Biden, a line suggesting that the United States Cyber Command, the military’s cyberwarfare force, had authority to take DarkSide out of circulation like another ransomware group in the fall before the presidential election.
Hours later, the group’s website went dark. Early Friday, DarkSide and several other ransomware groups, including Babuk, who ran the Washington D.C. Police Department, announced hacked announced that they would get out of the game.
Darkside alluded to disruptive actions by an unspecified law enforcement agency, although it was not clear whether this was the result of US action or pressure from Russia ahead of Mr Biden’s expected summit with President Vladimir V. Putin. And the silence could have simply expressed a decision by the ransomware gang to thwart retaliation by possibly suspending their operations.
The Pentagon’s Cyber Command referred questions to the National Security Council, which refused to comment.
The episode highlighted the emergence of a new “mixed threat” that may emanate from cybercriminals but is often tolerated and sometimes encouraged by a nation that views the attacks as serving their interests. That is why Mr Biden singled out Russia – not as the culprit, but as a nation that is home to more ransomware groups than any other country.
“We do not believe that the Russian government was involved in this attack, but we have strong reasons to believe that the criminals who carried out this attack live in Russia,” said Biden. “We spoke in direct communication with Moscow about the need for responsible countries to take action against these ransomware networks.”
With Darkside’s systems down, it’s unclear how Mr Biden’s government would take further revenge beyond possible charges and sanctions that Russian cybercriminals have not previously deterred. Fighting back with a cyber attack also carries the risk of escalation.
The government must also expect much of America’s critical infrastructure to be owned and operated by the private sector and still ripe for attack.
“This attack showed how bad our resilience is,” said Kiersten E. Todt, executive director of the nonprofit Cyber Readiness Institute. “We are rethinking the threat if we still don’t lay the foundations to secure our critical infrastructure.”
The good news, some officials said, was that the Americans received a wake-up call. Congress faced the reality that the federal government lacks the power to require a minimum level of cybersecurity from the companies that control more than 80 percent of the country’s critical infrastructure.
The bad news is that American opponents – not just superpowers, but also terrorists and cyber criminals – have learned how little it takes to wreak havoc in a large part of the country, even if they don’t break into the core of the power grid or the operational control systems moving gasoline, water, and propane across the country.
Something as basic as a well-designed ransomware attack can easily do the trick while providing plausible denial to states like Russia, China, and Iran, which often appeal to outsiders for sensitive cyber operations.
It remains a mystery how Darkside first broke into Colonial’s business network. The privately owned company has said practically nothing, at least in public, about how the attack unfolded. It waited four days before having significant conversations with the administration, an eternity during a cyberattack.
Cybersecurity experts also note that the Colonial Pipeline never should have shut down its pipeline if it had had more confidence in the separation between its business network and pipeline operations.
“There should definitely be a separation between data management and the actual operating technology,” said Ms. Todt. “Frankly, for a company that ships 45 percent of its gas to the east coast, it is inexcusable not to do the basics.”
Other pipeline operators in the US employ advanced firewalls between their data and its operations that only allow data to flow out of the pipeline in one direction and prevent a ransomware attack from spreading.
Colonial Pipeline did not indicate whether this level of security was provided in their pipeline. Industry analysts say that many critical infrastructure managers say that installing such one-way gateways along a 5,500-mile pipeline can be complicated or prohibitively expensive. Others say the cost of providing these protections is still cheaper than the losses from potential downtime.
Detering ransomware criminals, whose number and audacity has increased in recent years, will certainly be more difficult than deterring nations. But this week made the urgency clear.
“It’s all fun and games when we steal each other’s money,” said Sue Gordon, former assistant chief executive officer of the National Intelligence Service and longtime C.I.A. Analyst specializing in cyber topics said at a conference from The Cipher Brief, an online intelligence newsletter. “If we play around with the functioning of a society, we cannot tolerate it.”