How to Prevent Another Colonial Pipeline

How to Prevent Another Colonial Pipeline
In an aerial view, a fuel holding tank is seen at Colonial Pipeline's Dorsey Junction Station in Woodbine, Md., on May 13, 2021. Drew Angerer/Getty Images
Stephen Bryen
Updated:
Commentary

Some small-minded sages in America are chortling that people with electric cars don’t have to worry about the Colonial Pipeline—recently shut down due to a cyberattack—because they can get their “gas” from the electric company. They go on to argue for more electric cars.

Of course, if it was the power company that was knocked out, the electric cars wouldn’t run. And power companies have been knocked out. The Russians killed one in Ukraine, putting it offline for some time.

There is, unfortunately, a related argument in Washington, in the CIA and the Pentagon. The idea? To put everything in the cloud. In other words, create a single point of failure, ripe for attack by both state and non-state actors.

The CIA has already taken the plunge; the Pentagon tried in a $10 billion project, but it’s tied up in litigation.

The Department of Defense (DoD) and CIA cloud ventures illustrate, better than anything else, just how dumb government officials are when it comes to security. And those working in the Pentagon are specialists in creating monstrosities and single points of failure, such as the F-35, which is supposed to replace just about everything “tactical” in the Air Force, even though the plane has never been in combat. Crazy.

When it comes to cybersecurity and dealing with cyberattacks, the U.S. government—even though it has spent hundreds of billions of dollars since 1988—is worse off today than ever. So is the critical infrastructure associated with it, which includes energy, transportation, water supplies, food supply, communications, chemicals, critical manufacturing—most of which today is offshore—financial services—including the U.S. Treasury, banks, stock markets—health care and more.

In the United States, most of the critical infrastructure, other than government and the military, is handled by private firms. The U.S. Congress decided in 1988, when the first Computer Security Act was passed, not to require that the private sector meet certain network and computer standards, leaving it free to decide on its own what the right amount of protection might be.

To be fair, no one knows what the right amount of protection is in this modern age, because no one actually knows how to protect any computer system with any degree of certainty.

Virtually all the computers used in the United States are made abroad, other than highly specialized supercomputers and certain processors made for defense applications. This includes not only machines that perform information processing, but specialized controllers used in manufacturing and operating power grids and pipelines.

These are known as supervisory control and data acquisition (SCADA) systems. The same SCADA boxes that help run power plants and pipelines, control water supplies, and manage transportation and critical manufacturing are commercial devices produced mostly abroad.

One of the most famous SCADA systems is made by Siemens in Germany. It’s the same one that runs Iran’s uranium centrifuges and will help assure Iran can have nuclear weapons.

While it’s possible to build some security “walls” around computer networks and SCADA systems, most of them have been penetrated in one way or another. For example, most computer networks are open and store data without any protection. Operating systems, likewise, are commercial—off the shelf—and are not encrypted. Network protocols and the internet all rest on standards that are shared globally and easily hacked.

Even much of the Defense Department’s intellectual property is stored without encryption protection because of the obsolete rules followed by the Pentagon. These rules say that if an item isn’t classified, it isn’t supposed to be stored in an encrypted format. The National Security Agency (NSA) controls encryption in the U.S. government, and the strict separation of classified from non-classified information is their mantra.

While the Pentagon has begun characterizing some information as “sensitive, but unclassified,” it’s not entitled to NSA-sponsored encryption. Whether sensitive, but unclassified information can be protected by law from disclosure appears highly questionable, because DoD says it isn’t national security information.

Unfortunately, this is complete nonsense. Probably 80–90 percent of DoD information is unclassified and much of it relates to technology and weapons systems information. It’s ridiculous to say it isn’t vital to national security.

A key example: China stole almost all the plans and data for the stealthy F-35 fighter plane, most—if not all—of it unclassified and unencrypted, thereby seriously compromising a front-line defense program that will cost taxpayers in excess of $1.5 trillion over its life cycle. If this information is not related to national security, what is?

When it comes to cyberattacks, DoD and the FBI are on a little firmer ground in the sense that they understand the magnitude of the threat. But does the U.S. response reflect the danger to U.S. national security?

DoD, the military departments, and other government agencies continue to buy computer and network equipment from China while attempting to put in place security measures. Virtually all of that equipment is commercial.

Despite buying billions in computers, laptops, modems, tablets, cell phones, routers, hard drives, and tons of other equipment, such as GPS and internet-enabled security cameras—with a free backdoor to connect Beijing to U.S. military bases—DoD has no hardware or software vetting system. In other words, they buy equipment without knowing if it’s compromised or full of malware.

If DoD is sloppy, you can imagine what the rest of the government is like, or just how “protected” their critical infrastructure is.

The Colonial Pipeline case raises another big red flag, since “ransomware” is a major threat in three ways. The first is that ransomware disables computer networks, including SCADA systems, from working by encrypting everything with an unbreakable code that you have to pay to get lifted.

The second is that ransomware often includes the theft of information before the ransom encryption kills the network. The stolen information is used partly as a threat to force the network operators to pay the bribe.

And the third matter is that even if you pay—and Colonial has paid $5 million in cryptocurrency that can’t be traced—there is no assurance that the unlock key will work or work effectively. Colonial apparently paid the bribe early on—without telling anybody—but the decryption key they got was working very slowly, if at all. In other words, Colonial got the shaft from the ransomware perpetrators.

Suppose that next time, the U.S. Strategic Air Command is shut down?

It’s clear that commercial networks including hardware and software—much of it from foreign sources—isn’t the right way to protect critical infrastructure to safeguard national security.

Adversary nations have set up elaborate and well-trained teams who focus on specific targets and work full time to take them down. And disciplined semi-independent teams of hackers, like the ones who have hit Colonial, are criminal operations. Yet we tolerate both.

Here are a few suggestions before the next disaster happens:
  1. Put in place a national program to create secure networks that use hardware built by secure vendors.
  2. Require all critical infrastructure networks to be vetted by in a third-party audit for security under the aegis of NSA or any other security agency capable of doing it.
  3. Vet all hardware before it is used by the U.S. Government or critical infrastructure components.
  4. Go after malefactors, domestic or foreign, and impose stiff penalties on perpetrators.
  5. Make it clear to foreign governments that if they sponsor or shelter criminal operations they will find their networks destroyed.
So far, our government has always promised to make things better—though that never seems to happen—and doesn’t act as if our national security was at stake. It isn’t clear if this will continue, but if it does it'll have a devastating impact on the United States.
Stephen Bryen is regarded as a thought leader on technology security policy, twice being awarded the Defense Department’s highest civilian honor, the Distinguished Public Service Medal. His most recent book is “Technology Security and National Power: Winners and Losers.”
Views expressed in this article are opinions of the author and do not necessarily reflect the views of The Epoch Times.
Stephen Bryen
Stephen Bryen
Author
Dr. Stephen Bryen is regarded as a thought leader on technology security policy, twice being awarded the Defense Department’s highest civilian honor, the Distinguished Public Service Medal. A Senior Fellow at the Center for Security Policy, Senior Fellow, Yorktown Institute, his most recent book is “Technology Security and National Power: Winners and Losers.”
Related Topics