Tanzina Vega: Last week, hackers breached the computer networks of Colonial Pipeline, which operates the largest gasoline pipeline on the East Coast. The company says that the hack only impacted its business networks, but that they chose to shut down their pipeline control system as well to make sure the hackers couldn’t access it.
On Wednesday, the company announced that service was starting back up on their pipeline, but they said it would take several more days to get their supply chain in order again. The days-long shutdown has led to slight increases in the price of gas in some states, and it has also scared consumers, leading to overbuying in parts of the Southeast. It has reportedly resulted in gas shortages for certain areas, but beyond the immediate concerns around fuel safety, cybersecurity experts say this latest breach is a prime example of why both the private and public sectors in the United States need to put more resources into cyberinfrastructure.
With me now is Chris Painter, the United States' former top cyber diplomat at the State Department from 2011 to 2017 and co-chair of the Ransomware Task Force’s recent report "Combating Ransomware." Chris, thank you for being here.
Chris Painter: Happy to be here.
Tanzina Vega: Okay. Colonial Pipeline says that the hack only impacted its business networks. What does that mean?
Chris Painter: Well, I think what it means, and we only have what they say to measure this by, is that all their accounting systems, other systems they use were infiltrated by this ransomware attack. Now, whether there was a connection to the control systems that control the pipeline itself, unclear. They claimed they shut this down to make sure that that didn't transfer the systems, which probably was a wise move, but as you say, resulted in pretty wide disruptions.
Tanzina Vega: The hackers claimed that they were only going after money and that it wasn't their intent to shut down the entire pipeline. What was their plan? How are they going to get money out of this?
Chris Painter: Well, first, I'm not sure I take the hackers at their word. Second, I think that this is not something that's new. We've been seeing these kinds of ransomware attacks for a few years now, and they've ramped up in severity, impact and frequency, and they've hit hospitals and health care providers during the pandemic over the last year.
They recently had an effect on the DC Police Department and interrupting some of its operations. This is becoming a real issue and one where it's not just theft of information, but disruption of organizations. Whether they meant to do that or not, that's the effect they had, and that's the effect a lot of these ransomware activities have and they're essentially holding these companies, these institutions, even state local governments hostage unless they pay the ransom.
Tanzina Vega: Also they say we're going to lock up your computer network unless you pay this large ransom?
Chris Painter: Yes, obviously, it has an effect on the victim itself, but it has a second-order effect, as we've seen here on public health and safety. When you go after police departments, hospitals, health care providers, and critical infrastructure like pipelines, that really brings it home to ordinary people.
Tanzina Vega: What do we know about who these hackers are?
Chris Painter: They're apparently about a new group, but these groups merged from one to the other, so who knows how long they've been operating. They apparently are operating from Russia, a number of these groups do, but these groups are all over the world. They're increasing in numbers, some of them don't have a lot of sophistication, they use what they call ransomware as a service, they get the tools from someone else and do this, but this is becoming a real problem because it's easy money, there's almost no consequences for these folks. The amount of ransom they get has gone dramatically up over the last year, sometimes in the hundreds of thousands, sometimes in the millions, and that it's essentially free money for them.
Tanzina Vega: Also successful, companies end up paying the large ransoms.
Chris Painter: Yes, look, companies are in the bind, where they have their operations essentially set to shut down. They're faced with this idea of, "Do we not pay the ransom? Or do we pay it and get access to our systems back?" Hopefully, it's not guaranteed that these ransomware actors will do that and so, many did pay the ransom, and that just fuels this going forward because the ransomware attackers know that they can get the money.
Tanzina Vega: Do companies in the private sector take cybersecurity seriously enough?
Chris Painter: Not nearly enough. We've certainly improved. I've evolved in cyber and cybersecurity issues for about 30 years now, so for a long time, and I have seen an improvement over that time. But the financial sector, some of the other sectors, I think have taken it more seriously, but we're hugely vulnerable to these kinds of attacks. Unless we start treating this as a true national security issue, we're not going to be able to make the progress we need. We're too vulnerable. The impacts are too great. This is only going to increase into the future.
Tanzina Vega: President Biden has signed an executive order saying that companies that do business with the federal government will need to report cyber breaches and threats. Colonial Pipeline is a private company, what can the federal government do to make sure that critical parts of the private sector that maybe do not do business with the federal government, aren't also vulnerable to cyber-attacks?
Chris Painter: Yes, look, the executive order I think is a good move, but there's only so much that the President can do by executive order, mostly with the US government. Part of that order talks about having better software. When the US buys software, they're going to have standards now, and that will affect maybe the entire marketplace, which will be good. Companies own their own infrastructure, they need to take better precautions, they need to do a lot better in protecting themselves.
The Ransomware Task Force report that I was on, that you mentioned, makes a sweeping set of recommendations about how we go after this issue, everything from more awareness and priority at a national international level, going after safe havens for these criminals, going after cryptocurrency, which many of these criminals use to be paid, but also helping victims prepare, and harden their systems, so this doesn't happen, but we have a long way to go. Unfortunately, even for critical infrastructure like pipelines, we leave it in their hands, they just haven't done it so far. They haven't prioritized it. We need them to do that because the effects again, are not just on them, but on us.
Tanzina Vega: There's been a decent amount of attention on the vulnerability of power grids to cyberattacks, what other critical infrastructure needs to be secured against future attacks? Just quickly.
Chris Painter: Basically, everything you can think of: water supplies, financial systems, electricity, everything.
Tanzina Vega: All right. Chris Painter is the United States' former top cyber diplomat at the State Department from 2011 to 2017. Chris, thank you so much.
Chris Painter: Sure.
New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.