Cyberattacks on large businesses, government agencies, and even local utilities appear with some regularity now.
Most recent is the ransomware attack on JBS, the world’s largest beef supplier, which temporarily shut down some of the company’s processing plants and is thought to have been perpetrated by a criminal group operated from Russia. Before that, it was the Colonial Pipeline ransomware attack, which caused widespread fuel shortages on the East Coast last month. In February, a less-noticed attack hit the water treatment facilities of a small town in the Tampa metro area, setting the lye levels in the municipal water supply to 100 times their normal level. (Fortunately, workers witnessed the change in real time and were able to reverse it before anyone was harmed.) And this past December, the sweeping SolarWinds hack, also linked to Russia, was detected after breaching the federal departments of treasury, commerce, and homeland security, among others.
Defending against these threats, whether their origin is foreign or domestic, should be an increasing priority for Washington. Politicians from both major parties speak as if it is, but federal spending and policies tell a different story.
“Across the federal government,” Reuters reported in 2017, “about 90% of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications, and developing the means to disable or degrade infrastructure.”
This is a wildly misplaced priority, and devoting our cybersecurity resources overwhelmingly to offense puts us doubly at risk.
It’s a direct danger because, depending on their nature and severity, these attacks are properly considered acts of war. They can go well beyond data theft, espionage, and market interruptions to physical destruction, and the potential for that destruction will only increase as more vehicles, buildings, and other infrastructures are integrated with the internet. If American cyberattacks claim lives, other nations could conceivably retaliate with traditional warfare.
That should prompt caution in Washington. These attacks should be subject to congressional oversight and constitutional constraints on the initiation of war. Instead, federal guidelines for cyberattacks were loosened under the Trump administration, raising the risk of harming innocents and stumbling into open conflict.
Our government’s imbalanced attention to digital offense is also indirectly risky in that, as the litany of recent hacking stories shows, it leaves major organizations in the public and private sectors alike vulnerable. And what little effort Washington does put into defense isn’t what it could be, as indicated by comments from Colonial Pipeline CEO Joseph Blount at last week’s Senate homeland security committee hearing about the pipeline breach.
Blount was questioned by Sen. Josh Hawley, a Missouri Republican, who asked why Colonial Pipeline hadn’t completed a cybersecurity review offered by the Transportation Security Administration. Blount expressed willingness to do the review, but he also said that “in this case, it would not have resulted in finding” the system vulnerability that made the ransomware attack possible. The TSA doesn’t “actually go into the system,” Blount continued. The review is “a questionnaire form,” he said, and one that covers very similar ground to the security audits the company already has in place. If Blount’s characterization is remotely fair, the review sounds largely useless — which is what one might expect from a department that was itself breached by Russian hackers less than a year ago.
Hawley asked one other question that is worth mentioning because it points to a possible backstop solution if our government can’t manage to preclude these threats. “There was a time, I assume, when you operated the pipeline without today’s computer system,” Hawley said. “Do you have the capability to manually operate the pipeline in the future in the event of an IT attack like this one?”
Blount said it’s feasible on a small scale and that institutional knowledge of the pipeline’s manual operation is being lost as older workers die and retire, but that Colonial Pipeline will look into the option moving forward. Other companies and government agencies alike, especially anything providing life-sustaining services, maintaining critical infrastructure, or involved with major weapons systems, should do the same if their systems are also capable of manual operation.
Returning to a less-connected model (not low-tech, necessarily, but perhaps air-gapped or otherwise hardened against remote attack), or at least maintaining it in good order and keeping employees competent to operate it, will have costs and difficulties, yes. But suffering frequent, successful attacks on key industries and utilities is unacceptable, and it seems our government is too busy digitally attacking other nations to keep targets in the United States safe.
Bonnie Kristian is a fellow at Defense Priorities, contributing editor at the Week, and columnist at Christianity Today. Her writing has also appeared at CNN, NBC, USA Today, the Los Angeles Times, and Defense One, among other outlets.