The Colonial Pipeline cyberattack in May 2021 exposed the urgent need to safeguard and upgrade the critical infrastructure systems in the United States. Congress acknowledged that the government lacks the authority to require private companies – which own, operate, and protect 85% of the nation’s critical energy infrastructure assets – to adopt the necessary levels of cybersecurity. The cyberattack underscored how vulnerable vital infrastructure industries are to assaults on virtual computer networks, exposing a failure to avert attacks on private energy sector partners.
The economics of providing cybersecurity have become a significant challenge: the finite resources available to private infrastructure operators constrain the measures that could limit or reduce attacks targeting U.S. industries on private infrastructure networks. Additional comprehensive congressional legislation to enforce greater private industry reporting requirements is needed but has often failed due to partisan disagreement and the inadequate resources of private sector entities.
Laws, Policies, and Historical Background
There is debate within cybersecurity circles that the Department of Homeland Security (DHS) could be far more effective in providing security alongside its traditional protection missions. DHS should focus more effort on coordinating cybersecurity and critical infrastructure requirements to bridge the growing gap between publicly and privately owned and operated infrastructure systems, and should attempt to extend federal cyberprotection efforts to all energy sectors. This new focus could rebalance DHS toward emerging trends and cybersecurity threats.
Adversarial forces such as China and Russia demand greater control of their cybersecurity environments and limit openness in communications. Such divergent approaches create a continuous challenge for an open society such as the United States, where democracy and free speech ideals exist. By contrast, to sustain massive oversight and censorship, China employs more people to monitor cybersecurity and intrusion than serve in the country’s military forces. Foreign intrusive forces are part of the greater conflict in cyberspace, as witnessed with the Russian hacking of political campaigns during the 2016 U.S. presidential election, attempting to weaponize information to their advantage. The Colonial Pipeline attack was purportedly carried out by a ransomware group called DarkSide, which is based in Russia or possibly elsewhere in the former Soviet Union.
Since 9/11, numerous administrations and Congress have stressed the critical importance of public-private partnerships to make the nation safer against attacks, including cyberattacks. This has not become the intended reality, largely because the private sector’s capabilities, assets, and intentions needed to avoid future cyberattacks have not been adequately addressed. Advanced integration of private sector energy entities should span all phases of disaster management and be built into public-private partnerships as part of DHS security policy, creating a more robust public-private partnership endeavor.
Repeatedly, presidential administrations and Congress have not made private sector security a top priority and have taken a hands-off approach, assuming that market forces would encourage levels of security sufficient to address modern security threats. Barriers to forming a better partnership have included a lack of information sharing, mistrust, and misinformation. This crisis needs to be urgently addressed because government and law enforcement entities possess critical threat assessment knowledge that can be shared with private entity partners. Sharing knowledge through the engagement of law enforcement agencies such as the Federal Bureau of Investigation (FBI) and the United States Secret Service can effectively deter, disrupt, and help to prevent future cyberthreats. Law enforcement can work diligently with private industry to assist in the apprehension of cybercriminals through notification and to help secure networks and mitigate vulnerabilities. A partnership with law enforcement would also help the private sector confront the challenges that technical barriers such as encryption technologies pose to gathering time-sensitive information.
As a result of recent cyberattacks, President Biden signed a national security memorandum on 28 July 2021 to significantly improve critical infrastructure systems and cybersecurity guidelines. The National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems concludes that the systems communities depend upon, which are often private entities, are becoming more vulnerable. Critical energy systems are interconnected in nature, and a major disaster might be hard to recover from as there could be significant outages cascading into multiple critical sectors. Attacks on privately owned older industrial control systems (ICS) and their respective operations technology (OT) have the potential to create enormous physical damage and create a danger to human lives. This risk is increasing as private company ICSs were historically designed for reliability and safe operations but not necessarily for cybersecurity, and many of these systems predate the internet. Not long ago, ICS and other OT devices were used in isolation, and information technology (IT) professionals did not worry about security as the systems were closed off from traditional IT networks. However, today the OT and IT networks have converged, and there are increased cybersecurity risks.
Energy pipelines appear to be an area of great opportunity targeted by hackers, and there is concern that oil and gas companies are ill-prepared to withstand major attacks. Large networks of power plants, electric grids, and energy pipelines in the U.S. remain highly vulnerable to continued cyberattacks, according to Chris Krebs, the former director of the DHS Cybersecurity and Infrastructure Security Agency (DHS CISA). The increase in recent attacks shows that energy organizations continue to experience a large and disproportionate series of attacks compared to other industries such as transportation and health care.
To further enhance CISA’s effort, the CISA Cybersecurity Advisory Committee was established in June 2021 as a collaborative board composed of industry, state, local, tribal, and territorial government leaders. This board brings together subject matter experts from critical infrastructure sectors and provides the needed exchange between public and private cybersecurity partners. CISA has also created the Cyber Awareness Program as a national public awareness effort to increase the understanding of cyberthreats, with the goal of using social media platforms to help both public and private partners combat ransomware attacks.
On the legislative front, a necessary CISA cyber-incident reporting requirement was defeated in the compromise fiscal year 2022 National Defense Authorization Act (NDAA) on 7 December 2021. The failure of this requirement set back a major bipartisan effort to have critical infrastructure operators report cyberattacks to the government through a CISA 72-hour cyber-incident reporting requirement for companies operating within the 16 U.S. critical infrastructure sectors. Although specific provisions were not included in the 2022 NDAA, the bill authorized CISA to establish a National Cyber Exercise Program to simulate a complete or partial shutdown of critical infrastructure networks caused by a cyber incident. The bill also gives DHS the authority to enter into voluntary public-private partnerships with internet ecosystem entities to detect malicious cyber actors.
Congress also needs legislative initiatives to force private companies to adhere to specific cybersecurity standards. Currently, electric utilities are further ahead in preventing and preparing for cyberattacks than the oil and gas industries. Renewed congressional pressure on all private entities could mandate minimum cybersecurity standards. However, there remains a roadblock from industry lobbyists who prefer to hinder such efforts due to the inherent costs and added burdens placed upon private sector energy-providing businesses. Nonetheless, there is an urgent need to work collaboratively with the private sector to implement greater controls to avoid the ever-increasing cybersecurity problems, as 85% of critical energy infrastructure suppliers are in the private sector, with many being small businesses. These companies can be more vulnerable to cyberattacks because they frequently have fewer resources dedicated to cybersecurity than large businesses. In order to address this, the Federal Trade Commission – in concert with DHS, the National Institute of Standards and Technology, and the Small Business Administration – initiated a national education campaign in 2018 to assist small business owners in understanding cyberthreats and how to better protect their businesses (see Figure 1).
Impact on Military Operations and Readiness
Experts in the U.S. military have also pointed out how the Colonial Pipeline hack could impact future operations. The U.S. Transportation Command (TRANSCOM) has acknowledged that, although this attack did not directly assault military networks, the event questions the viability and safety of commercial companies and their affiliated networks – a crucial element of the Defense Department’s logistics network. TRANSCOM relies on commercial vendors for gas, jet fuel, and the movement of troops and supplies, including sea freight transportation. Without reliable commercial vendors, the military services are limited in their ability to remain supplied and agile. Hacking the supply chain is a constant threat to every military system, making the Department of Defense’s cybersecurity challenges even greater. Part of the threat is due to a growing dependence on cloud-based systems and supply chain host databases, which can expand the Pentagon’s vulnerabilities and attack surface.
The Need for a Centralized Approach
Within the realm of cybersecurity, the United States operates in many disconnected and disparate silos, and there needs to be a more centralized approach. Government agencies address cyber regulation and threats through the 16 different infrastructure sectors that CISA has identified, which is inefficient and ineffective. Although there are certain specific needs for each individual infrastructure sector, there is also an opportunity to centralize cyber-defense objectives and regulations. Vulnerabilities are often similar across sectors and industries, and a centralized approach could find similar solutions to cyberthreats. Other industrialized democracies have adopted a more centralized approach, such as the Network and Information Security Directive in the European Union. The goal of this directive is to propose uniform cybersecurity standards across industries and among its 27 member nations. Other nations such as Britain, Canada, and Australia have also moved in this direction, consolidating their cybersecurity functions under one agency that can more readily work with the private sector.
Conclusion, Recommendations, and Future Actions Needed
Cyberspace has become increasingly vulnerable, and cyberattacks are an active threat to homeland security. Although legislative steps have been taken to improve cybersecurity at the congressional level, there remains a greater sense of urgency on cyber-incident reporting. These steps would take a bipartisan political effort. One solution would be a provision to set a five-year term for the CISA director, giving this agency the needed leadership to move cybersecurity forward. This position is a president-nominated and Senate-confirmed agency position and should not be subject to political infighting in Congress. CISA’s director position is too important and needs to remain stable through turbulent political times; interim leaders will diminish this mission. As cyberattacks continue to grow in frequency, CISA must have stable leadership guiding the nation’s cyber preparedness.
Another important action requires developing a cyberthreat information collaboration environment within DHS. There is an urgent need to continue developing an integrated and networked approach for collaborative sharing between federal, state, and local governments and the private sector. However, there are multiple barriers, including cultural, organizational, and legal impediments between the various levels of government, private sectors, and nonprofits. At present, these processes operate on an ad-hoc basis. Suggestions include creating a Collaborative Defense and Analysis Centers network at the CISA regional offices and creating a cultural shift to overcome barriers and stovepipes hindering the collaboration and sharing needed to streamline interagency processes.
In summary, cybersecurity is a national security imperative. Cyber activities are part of a network spread approach, whether perpetrated by nation-state actors or criminal enterprises. The network spread concept is now more applicable to the threat versus a traditional time-bound homeland security approach and, therefore, reactive emergency management responses do not work today. Instead, a systematic, sustained, and concerted network approach is necessary to address the growing cybersecurity threats and the needed public-private collaborative defense and threat sharing efforts in the cyber domain.
Raymond (Ray) Walker has over 44 years of experience leading and managing complex, multidisciplinary, and highly sensitive programs within the Department of Defense and other federal agencies. Throughout his working life, he has served with distinction as a U.S. Marine Corps Officer, as a federal employee with the Central Intelligence Agency (CIA), and as a supporting contractor with the Departments of Defense, Justice, State, and Homeland Security. Many of the programs he managed throughout his career range in breadth and scope from strategic level/worldwide systems to special use applications of science and technology. He earned undergraduate degrees in Political Science and Business Management from Salve Regina University in Newport, Rhode Island, a Master’s in Business Administration from Chaminade University of Honolulu, Hawaii, and executive level certifications as a Chief Information Officer from the University of Maryland and the U.S. General Services Administration in Washington, DC. He currently teaches online undergraduate and graduate level courses in the Emergency Management & Homeland Security program at Post University, located in Waterbury, Connecticut.
Chandler Lofland is currently a graduate student in Post University’s Master’s Degree Program in Public Administration with a concentration in Emergency Management and Homeland Security. He is a graduate of the University of Connecticut with a degree in General Studies, Magna Cum Laude. He will pursue employment in a government agency upon graduation in Fall 2022.