The American Prospect #321

The entity behind the first cyber attack on American electricity assets was never identified.

“If you are looking to make a quick buck and pay the ransomware developer a commission or cut to use the exploit, it’s a pretty easy business,” Mike Moran of the U.S. Secret Service told a CISA National Cybersecurity Summit last year. Cracking down on cryptocurrency wouldn’t necessarily slow hackers down either. In 2016, when North Korean hackers broke into the Bank of Bangladesh, they steered the money to gamblers in Philippine casinos, who laundered the funds into casino chips.

At the end of May, the Transportation Security Administration, which oversees liquid and natural gas pipelines, issued a security directive that “requires” companies to notify CISA of any unauthorized IT, operational, or physical intrusions; identify a cybersecurity coordinator who can be available 24/7; and report the results of a review of security measures to TSA and CISA. Firms can be assessed daily financial penalties (pegged to the severity of the incident) if they fail to notify CISA of a breach. TSA is “considering follow-on mandatory measures,” according to a DHS press release. Asked to clarify, a DHS spokesperson declined to “speculate on what may or may not happen in the future” when it comes to “issuing permanent regulations.”

The first attack on an American electric utility made public occurred in the West in 2019 and briefly knocked out firewalls that controlled communications between control centers and remote generating sites, but did not affect power. However, the utility had not deployed an update released before the attack. The intruder was never identified.

The North American Electric Reliability Corporation (NERC) oversees the electric grid and has established a set of mandatory compliance standards for energy companies, such as knowing what levels of access to the network are held by particular individuals and how a company plans to handle and recover from an attack. The Federal Energy Regulatory Commission has proposed rules to establish voluntary incentives to persuade companies to go above and beyond the NERC requirements. POWER magazine notes that the Industrial Energy Consumers of America, composed of large manufacturing firms, has called for natural gas pipelines to adhere to the same physical and cybersecurity mandates that the electricity sector does.

Colonial Pipeline’s exceptionally bad PR is likely to persuade some CEOs that paying a ransom is preferable to being summoned to Capitol Hill for a grilling. Cybersecurity experts have called for express prohibitions on paying ransom; so far, CISA and the FBI advise against it. Some companies and individuals have paid ransoms but never got the keys to release their data. The partial recovery of Colonial’s ransom may give false hope to companies that the feds might be able to recoup at least some portion of their money.

Then there are the companies that just may take the write-off. Since ransoms are considered theft, some losses may be tax-deductible. Companies can save money on beefing up information security and instead pay ransoms where necessary (with the government kicking in a portion), and potentially come out ahead. If Congress wants to reduce private-sector complacency about the national-security threat that is cyber extortion, revisiting this section of the tax code may be in order.

In June, Sen. Mark Warner (D-VA), the Senate Intelligence Committee chair, released a draft Cyber Incident Notification Act of 2021 that would require entities in critical infrastructure sectors and federal law enforcement to report cyber intrusions to CISA within 24 hours and provide limited immunity for reporting companies that would remain confidential. The proposed legislation does not address ransom payments; Warner has said that companies should at least disclose if they have paid a ransom.

The upheaval in the cyber attack insurance industry as ransomware attacks increase could speed shifts in the private-sector mindset. Insurers are requiring clients to document the specific procedures employed to avoid breaches as a condition of coverage. A Washington Post report noted that insurers are also raising premiums and scaling back coverage.

The “lesson learned” guidance that NERC issued after the 2019 attack is full of reminders to pay closer attention to the basics, such as managing software patches that need to be made, relying on fewer “internet-facing” devices, and using virtual private networks that allow users to create private networks over public internet connections. Confronting cyber threats requires a fundamental shift in thinking away from fortress-building—preventing hackers from getting in—and toward mitigating disruptions and getting back online.

“When [companies] do their cybersecurity plans for their organizations, those plans must contain some aspect of their contingency plans, in other words, what are you doing to make sure that the damage is minimized?” says Stuart Madnick, an information technology professor emeritus at the MIT Sloan School of Management. “My suspicion is it gets nowhere near the attention it needs to have.”

JUL/AUG 2021 THE AMERICAN PROSPECT 11

