Opinion

The U.S. must regulate cybersecurity for pipelines and other critical infrastructure

The White House should include cybersecurity regulations in its infrastructure plans.

This op-ed is part of a series published by The Dallas Morning News Opinion section to explore ideas and policies for strengthening electric reliability. Find the full series here: Keeping the Lights On.

There are more than 190,000 miles of petroleum pipelines and over 2.4 million miles of natural gas pipelines crisscrossing the United States, according to the American Petroleum Institute. The largest pipeline system in the U.S. is the Colonial Pipeline, which delivers nearly 45% of all petroleum to the East Coast. Despite this, most people had never heard of the Colonial Pipeline until earlier this month, when it shut down as a result of a ransomware attack. Bloomberg has since reported that the pipeline paid nearly $5 million in ransom to reopen.

Unfortunately, the Colonial Pipeline attack is not an isolated instance. Cyberattacks on U.S. infrastructure, though often unreported, are becoming increasingly common, according to a long-running Temple University study.

Last year, there were more than 560 ransomware attacks on U.S. health care facilities, according to Emsisoft, a leading cybersecurity firm. These attacks effectively force health care providers to choose between paying off cybercriminals and risking the personal health data of patients.

And, in February, the FBI issued a nationwide alert after a hacker accessed the control system of a water treatment plant in Oldsmar, Fla., in an effort to add lethal doses of sodium hydroxide, the active ingredient in drain cleaner, to the town’s drinking water. Thousands could have been poisoned if not for an attentive on-site employee who, according to Wired, noticed his computer mouse cursor moving on the screen and took quick action to override the plant’s automated system.

Many of the vulnerabilities exploited in these attacks are common to much of America’s critical infrastructure, which relies largely on outdated and minimally secured technology. In most instances, the physical capabilities of America’s infrastructure simply predate modern network connectivity, meaning that network and cybersecurity capabilities, if any, are almost always retrofitted without many of the built-in safeguards that most of us take for granted. For example, the FBI investigation into a hack of the water plant in Oldsmar revealed that the incident occurred in part because the plant’s network could not automatically update its operating system or implement dual-factor authentication, basic cybersecurity measures that many of us take for granted in our everyday lives.

Another thing many of us take for granted is that the government will keep us safe. Yet the U.S. government, the same government that paused the Johnson & Johnson COVID-19 vaccine after just six confirmed cases of blood clots, has been conspicuously slow to take meaningful regulatory action to keep our critical infrastructure safe from cyberattack.

Less than a year after the Cuyahoga River started burning in 1969, President Richard Nixon established the Environmental Protection Agency and Congress subsequently vested the EPA with the power to regulate environmental standards and bring enforcement actions against those who did not comply. By comparison, the Cybersecurity and Infrastructure Security Agency was founded in 2018 but still lacks the authority to implement cybersecurity regulations and bring enforcement actions against those who fail to comply. The result is that, more often than not, there is no legal requirement for how to secure America’s critical infrastructure systems from cyberattack.

The U.S. instead relies almost entirely on remedial measures, voluntary frameworks and corporate partnerships. While President Joe Biden issued an executive order mandating certain cybersecurity requirements for the federal government, the order was framed as an effort to lead by example because its requirements will explicitly not apply to the thousands of state, local and private actors who actually own and operate America’s critical infrastructure. Neither the Colonial Pipeline nor the Oldsmar water plant would have been subject to any requirement in Biden’s executive order.

This dynamic needs to change. America’s critical infrastructure cybersecurity must be regulated by trained and knowledgeable cybersecurity experts in the same way that environmental concerns are regulated by the EPA’s trained and knowledgeable environmental scientists or pharmaceutical safety is regulated by the Food and Drug Administration’s trained and knowledgeable health professionals. By requiring critical infrastructure operators to implement reasonable cybersecurity protections on the front end, we can reduce the risk of cyberattacks on the back end.

Implementing new regulations is an admittedly slow process. And thousands of critical infrastructure operators, particularly public operators, are so underfunded that they may struggle to comply with new regulations while also continuing their existing day-to-day operations. But these limiting factors are precisely why it’s time to start talking about regulating cybersecurity for America’s critical infrastructure. By acting now, while the Biden administration disburses funds from the American Rescue Plan Act and Congress mulls a once-in-a-generation infrastructure bill, we can put a comprehensive plan in place to fund, improve and secure our cybersecurity infrastructure.

So far, America has been lucky: As far as we know, no lives have yet been lost to the cyberattacks on our infrastructure. We need to act now to keep it that way.

Anthony J. Hendricks and Jordan E.M. Sessler are attorneys who advise clients and critical infrastructure operators on cybersecurity issues as members of Crowe & Dunlevy’s Cybersecurity and Data Privacy practice group. They wrote this column for the Dallas Morning News.
