Newt Gingrich would like to send SEAL Team Six busting through the doors of whoever authorized the Colonial Pipeline hack. Or maybe a Hellfire missile through the sunroof of some hacker godfather’s Lexus. Many Americans would likely agree and favor similar treatment for robocallers and email spammers, which sounds good until you remember that this would involve U.S. troops carrying out military actions on the soil of Russia or its satellites.
One universal prescription for every kind of mishap is resilience. The Jones Act, a foolish, century-old law that reserves domestic shipborne trade for U.S.-crewed ships, is anti-resilience. If gas station owners weren’t bound by anti-gouging laws, they likely would never run out of gas. They’d jack prices high enough to persuade their customers that filling up every jerry can and topping off the Tahoe when it’s three-fourths full isn’t so necessary after all.
As with the SolarWinds hack, the public can expect to be scantily informed about the Colonial Pipeline hack compared with other major crimes and news events. News outlets can only speculate that the hack started with a typical email phishing scam. If so, this would be good to know. If the vulnerability in the overwhelming number of cases now is a human being clicking on an email link or foolishly confiding a password, then we are making progress on system security. The weak point is us.
Colonial has said its pipeline shutdown was precautionary, hinting that malware didn’t infect its industrial controllers. This would explain a few things. Hackers likely don’t know much about the companies they’re attacking—might have had little idea what Colonial does or that freezing its HR and customer accounts data might lead to gasoline shortages on the East Coast. Don’t dismiss the weird statement from a presumed Russia-associated hacking group apologizing for the Colonial complications and “creating problems for society.”
All sophisticated national governments and many that aren’t sophisticated operate continually in the cyber sphere, collecting intelligence, engaging in cyber operations. Let’s not kid ourselves about this. The U.S. tends publicly to disclose Chinese and Russian hacking exploits, perhaps because our system is more open but also likely for strategic reasons: Hiding such attacks, perversely, connotes weakness. Try to think of a case where Moscow or Beijing owned up to or publicized a cyber intrusion at the hands of the U.S. It’s not because such intrusions don’t happen. In all likelihood, the U.S. is the biggest, baddest cyber actor out there and these governments don’t want to advertise their vulnerability to their own citizens.
DarkSide, a Russian outfit said to have a supplier-client relationship with ransomware groups, is the putative author of this week’s apology. One interpretation is that criminal groups operating in this market don’t want to be perceived as crossing the line from criminal nuisance to national-security threat, exposing their host governments to escalation. After all, Russia’s version of SEAL Team Six is more likely to come bursting through the door than ours is.
When I was working decades ago in Hong Kong, a moment came when the world found it necessary to stop pretending that then-rife piracy in the South China Sea wasn’t abetted by the Chinese government, using off-duty military or police personnel. Now surreptitiously extending China’s sovereignty into international waters has apparently become a job for China’s “fishing” fleet.
Russia’s behavior is best understood in terms of your favorite mafia show. By multiple reports, DarkSide malware uses language filters to avoid attacking victims who might be protected by the Russian government. Cyberattacks on outside interests, however, are useful to the Kremlin as one more way to make it necessary for the West to deal with Vladimir Putin. President Biden spoke carefully on Thursday: The Colonial hack wasn’t a Russian government operation but the Russian government was in a position to do something about it.
Meanwhile, U.S. government advice not to pay ransom goes unheeded and unenforced because the U.S. government has yet to offer a better alternative. Colonial is reported to have paid $5 million. Now its pipeline is painstakingly coming back to life. But the biggest lesson of the episode belongs to Russia’s hacking godfathers: if they didn’t know before, the extreme sensitivity of gasoline prices and availability to U.S. presidents and voters. The response they risked was not worth the $5 million they collected from Colonial.
In the meantime, I doubt the secrecy that surrounds the U.S. action in this realm, and our own interactions with cybercriminal groups, will be sustainable or scandal-free in the long run.