Colonial Pipeline was cyber wake-up call; Ukraine war is escalator

One year ago, the Colonial Pipeline was hit by a disruptive ransomware attack forcing it to shut down operations for nearly a week.

The incident, which caused gas shortages in several states as fuel prices spiked, was a major wake-up call for critical industries to start taking cyber threats seriously and invest more in cybersecurity. 

However, experts say that the war in Ukraine has put even more pressure on companies to expedite the investments they had begun a year ago as cybersecurity became front and center – both domestically and globally.

“The biggest escalator beyond Colonial last year has just been the war in Ukraine and the potential spillover into the U.S. and other developed parts of the world,” said Peter Lund, a cyber expert and chief technology officer at Industrial Defender.

“That’s really what’s gotten everyone on edge and rushing to mature their security programs,” he added.  

Lund said that companies had started implementing more robust cybersecurity measures after the Colonial Pipeline attack but the war in Ukraine has certainly been the biggest motivator.

Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency (CISA), who spoke at a cyber webinar on Thursday hosted by the Advanced Technology Academic Research Center (ATARC), said he has seen more engagement from industry leaders, including from chief information security officers who have told his agency that they need more resources now than ever before as the cyber threat environment has increased amid the war in Ukraine. 

“I definitely think there has been a change in the tone and in the willingness to fully engage in this even for those sectors, where this has not been front and center in the way that it has for places like finance historically,” Wales said.

Wales, who described the Colonial Pipeline attack as a “galvanizing event for the country,” added that his agency has long recommended that critical industries follow the “Shields Up” guidance, which are steps companies can take to shore up their cyber defenses including implementing multi-factor authentication and using encryption. 

“Many companies have put their Shields Up, they are taking this issue more seriously and they’re more prepared today,” Wales said. 

“And we want them to continue to be prepared because this conflict is not over yet,” he added. 

Following the attack last year, the government has introduced several legislations and initiatives intended to tackle cyber threats and mitigate security risks. 

For instance, President Biden signed an executive order last May aimed at improving federal cybersecurity. The order requires the establishment of baseline cybersecurity standards for all software sold to the federal government. It would also require that software developers working with the government make their security data publicly available. 

Lawmakers have also contributed to these efforts by introducing numerous cyber bills, including some that passed in Congress with bipartisan support and went on to become law. One requires that companies in critical sectors report significant cyberattacks within 72 hours and ransomware payments within 24 hours to CISA.

Wales, who called the new incident reporting law a “game changer” for the agency, said they are still in the process of implementing it before releasing further details.

“It will take time because we want to make sure that rulemaking is done right,” Wales said. 

“We want to make sure that we are able to gather input from the private sector to make sure that we benefit from their expertise because they’re the ones that are going to have to respond and provide this information to the government,” he added. 

In a statement to The Hill, Rep. Yvette Clarke (D-N.Y.), who chairs the House subcommittee on cybersecurity, infrastructure protection and innovation, said that over the past year, she has worked with her colleagues on both sides of the aisle to pass cyber legislations, fund $1 billion in state and local cyber grants, and authorize the CyberSentry program, which enhances the cyber resilience of organizations that own or operate critical infrastructure. 

“Last year, Colonial Pipeline suffered a ransomware attack from a criminal hacking group, halting pipeline operations and crippling gas supply across the entire East Coast,” Clarke said. 

“This highly disruptive cyberattack and the related fuel shortages exposed glaring cybersecurity issues facing the nation,” she added. 

Clarke also said that the government must continue to mature its public-private partnerships to ensure that critical sectors are cyber resilient and are also accelerating their efforts to safeguard their operational technology systems. 

“The cyber threats we face are serious, but Congress has a bias toward action I have not seen before and I am optimistic that we’ll be able to continue to make meaningful progress to defend ourselves,” Clarke added. 

Industry leaders in the private sector have welcomed the recent government initiatives, including increased collaboration and information sharing, but have warned that it should take less of a regulatory role as it sometimes doesn’t understand the complexities of cybersecurity.

During a congressional hearing held in April, Amit Yoran, chairman and CEO of cybersecurity firm Tenable, said the federal government should be less of a regulator and more of a partner for critical infrastructure as public and private entities respond to warnings of Russian cyberattacks amid its war on Ukraine.

“I don’t think the U.S. government should be in the cyber defense role where they’re defending critical networks and critical infrastructure where they might not understand the changes that they might make, and how those might impact critical infrastructure,” Yoran said.

He added that “it’s incumbent upon those operators [working in those critical sectors], who understand how the systems operate, to defend those networks with help from intelligence and information from their government partners.”

Eric Greenwald, general counsel at Finite State, who shared the same sentiment, said although the government has played a major role in sharing threat intel and improving its relationship with companies, it still has limited resources compared to the private sector.

“There’s no question that the government can be of assistance to the private sector, but not nearly so much as the private sector can help themselves,” Greenwald said. 

“In order for the United States to become less vulnerable to cyberattack, private companies have to take action as well,” he added.

This story was updated at 4:09 p.m. May 10.