Newt Gingrich would like to send SEAL Team Six busting through the doors of whoever authorized the Colonial Pipeline hack. Or maybe a Hellfire missile through the sunroof of some hacker godfather’s Lexus. Many Americans would likely agree and favor similar treatment for robocallers and email spammers, which sounds good until you remember that this would involve U.S. troops carrying out military actions on the soil of Russia or its satellites.
One universal prescription for every kind of mishap is resilience. The Jones Act, a foolish, century-old law that reserves domestic ship-borne trade for U.S.-crewed ships, is anti-resilience. If gas station owners weren’t bound by anti-gouging laws, they likely would never run out of gas. They’d jack prices high enough to persuade their customers that filling up every jerry can and topping off the Tahoe when it’s three-fourths full isn’t so necessary after all.
As with the SolarWinds hack, the public can expect to be scantily informed about the Colonial Pipeline hack compared with other major crimes and news events. News outlets can only speculate that the hack started with a typical email phishing scam. If so, this would be good to know. If the vulnerability in the overwhelming number of cases now is a human being clicking on an email link or foolishly confiding a password, then we are making progress on system security. The weak point is us.
Colonial has said its pipeline shutdown was precautionary, hinting that malware didn’t infect its industrial controllers. This would explain a few things. Hackers likely don’t know much about the companies they’re attacking—might have had little idea what Colonial does or that freezing its HR and customer accounts data might lead to gasoline shortages on the East Coast. Don’t dismiss the weird statement from a presumed Russia-associated hacking group apologizing for the Colonial complications and “creating problems for society.”
All sophisticated national governments and many that aren’t sophisticated operate continually in the cyber sphere, collecting intelligence, engaging in cyber operations. Let’s not kid ourselves about this. The U.S. tends publicly to disclose Chinese and Russian hacking exploits, perhaps because our system is more open but also likely for strategic reasons: Hiding such attacks, perversely, connotes weakness. Try to think of a case where Moscow or Beijing owned up to or publicized a cyber intrusion at the hands of the U.S. It’s not because such intrusions don’t happen. In all likelihood, the U.S. is the biggest, baddest cyber actor out there and these governments don’t want to advertise their vulnerability to their own citizens.
DarkSide, a Russian outfit said to have a supplier-client relationship with ransomware groups, is the putative author of this week’s apology. One interpretation is that criminal groups operating in this market don’t want to be perceived as crossing the line from criminal nuisance to national-security threat, exposing their host governments to escalation. After all, Russia’s version of SEAL Team Six is more likely to come bursting through the door than ours is.
When I was working decades ago in Hong Kong, a moment came when the world found it necessary to stop pretending that then-rife piracy in the South China Sea wasn’t abetted by the Chinese government, using off-duty military or police personnel. Now surreptitiously extending China’s sovereignty into international waters has apparently become a job for China’s “fishing” fleet.
Russia’s behavior is best understood in terms of your favorite mafia show. By multiple reports, DarkSide malware uses language filters to avoid attacking victims who might be protected by the Russian government. Cyberattacks on outside interests, however, are useful to the Kremlin as one more way to make it necessary for the West to deal with
President Biden spoke carefully on Thursday: The Colonial hack wasn’t a Russian government operation but the Russian government was in a position to do something about it.
Meanwhile, U.S. government advice not to pay ransom goes unheeded and unenforced because the U.S. government has yet to offer a better alternative. Colonial is reported to have paid $5 million. Now its pipeline is painstakingly coming back to life. But the biggest lesson of the episode belongs to Russia’s hacking godfathers: if they didn’t know before, the extreme sensitivity of gasoline prices and availability to U.S. presidents and voters. The response they risked was not worth the $5 million they collected from Colonial.
In the meantime, I doubt the secrecy that surrounds the U.S. action in this realm, and our own interactions with cybercriminal groups, will be sustainable or scandal-free in the long run.
Correction: A scene described in Wednesday’s column occurred in the movie “10,” not “Arthur.” Sorry for the error.
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.