Wednesday, May 12, 2021
This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry. Get it sent directly to your inbox every Wednesday by 4 p.m. ET. Subscribe
It’s been nearly a week since Colonial Pipeline was hit by a ransomware attack, taking out a critical gas pipeline that ferries gasoline, jet fuel, and diesel from Texas to New Jersey — and causing dire gas shortages spurred by panic buying.
According to the FBI, a criminal organization known as DarkSide launched the attack using ransomware, which encrypts victims’ files and promises the keys to unlock them in exchange for a ransom payment.
The Colonial Pipeline attack isn’t the first of its kind, but its scale is notable. The shutdown has sent the cost of gasoline soaring, with prices rising to their highest levels in nearly eight years, just when the economy is starting to recover from the coronavirus pandemic.
While Colonial Pipeline said Wednesday that it has begun the process of restarting its service to the East Coast, the crisis isn't over. It will still take 15 days for the first drops of gas to make their way from Texas to New Jersey, according to Bloomberg.
This is far from the last ransomware attack we’ll see, but it should be the one that spurs the Biden administration into serious action. President Joe Biden needs to make fighting the rise of ransomware his top cybersecurity priority, as attackers increasingly go after crucial infrastructure like pipelines and even hospitals.
“This is the kind of thing [that] definitely keeps me up at night,” Anton Dahbura, executive director of Johns Hopkins University’s Information Security Institute, told Yahoo Finance. “This should be one of our top priorities to really change the model for how critical systems are managed. And it really requires a coordinated significant effort to do that."
Experts want the government’s help
Cybersecurity researchers have pleaded with the government to stanch the spread of ransomware attacks for years. And as the scope of the attacks has grown, they have spread from a way to scam consumers to a means to attack entire hospital systems.
“This is something we've been talking about for literally 20 years,” Chris Painter, an affiliate of Stanford University’s Center for International Security and Cooperation, told Yahoo Finance. “We need to really treat this as a huge problem and not just say it's another kind of smaller, back burner issue.”
To be sure, Biden has taken cybersecurity more seriously than his predecessor. While former President Donald Trump eliminated the position of cybersecurity czar, Biden recently appointed 28-year National Security Agency veteran Chris Inglis to be the country’s first cyber director as he fills out his cybersecurity team.
Congress has been taking action, too. Just two days before the Colonial Pipeline attack, on May 5, retired Army Major General John Davis, who’s now vice president of security firm Palo Alto Network’s public sector division, testified about the threats of ransomware before a subcommittee of the House Homeland Security Committee.
“It’s no longer a criminal nuisance driven by profit motive,” Davis testified, “and now it’s impacting nation security, economic stability, and public health and safety of the national and international community on a massive scale.”
Davis serves on the Institute for Security and Technology Ransomware Task Force, which has pushed the Biden administration to oversee a government anti-ransomware campaign in coordination with the private sector to better prepare and fight back against cyberattacks.
But Biden needs to move fast if he’s going to stop the next big ransomware attack. According to the Department of Homeland Security, ransomware attacks cost the public and private sector billions a year in lost time and data.
Cybersecurity firm Emsisoft estimated that ransom and total downtime for impacted organizations cost the U.S. more than $9 billion in 2019 — but that number, the firm said, was likely far higher. And that’s not taking into account the explosion in ransomware in 2020 amid the pandemic.
According to The New York Times, the Biden administration is already preparing an executive order that will provide a series of safety standards for federal agencies and contractors. But that falls short of experts’ calls for a broader framework that would protect against or help mitigate another Colonial Pipeline-type incident.
The risk is already massive
While the Colonial Pipeline attack is top of mind at the moment, ransomware attacks have been crushing hospital systems and local governments across the U.S. Emsisoft found more than 560 health care organizations were hit with ransomware attacks in 2020 alone, according to a February 2021 report by the Department of Health and Human Services.
Universal Health Services, a major health care system with locations in 38 states, spent $67 million recovering from a single ransomware attack, despite not even paying the ransom, the Wall Street Journal reported in February.
The attacks on hospitals are particularly insidious in light of the ongoing coronavirus pandemic, highlighting the real-life dangers of cyberattacks. But it might be the pain Americans are feeling at the pump that will have them screaming for change as ransomware attackers get more creative at finding ways to disrupt the lives of everyday people.
“The problem with ransomware as a species of new activity, or relatively new activity is that it could have huge second or third order consequences, especially when it's going after critical infrastructure,” Painter, of Stanford University’s Center for International Security and Cooperation, told Yahoo Finance. “And the disruption of that critical infrastructure will affect public health and safety and that's what we're seeing.”
Editor's note: This story was updated with news that the pipeline was being turned on.
More from Dan: