After a ransomware attack that disrupted operations of a major oil pipeline that provides nearly half of the gasoline and jet fuel supplies to the East Coast, President Joe Biden issued a cybersecurity-focused executive order that his top officials argue will end the cycle of the nation simply “waiting for the next incident to happen.”
A 5,500-mile pipeline that funnels up to three million barrels of oil a day between Texas and New York, the Colonial Pipeline ground its operations to a halt after a ransomware attack that the FBI attributed to the Eastern European hacking group, DarkSide. The company’s operations started up again on Wednesday, with White House Press Secretary Jen Psaki announcing there is an “end in sight” for a shutdown that prompted long gas lines by panicked consumers anticipating the worst.
The White House now says it is taking steps to prevent or gird for the next attack: The order creates an “Energy Star” type system apprising consumers of the safety of their software, establishes a newly formed Cybersecurity Safety Review Board, standardizes the federal response to cyber incidents, and facilitates information sharing between the federal government and the private sector.
“Earlier tonight, President Biden signed an executive order to chart a new course to improve the nation’s cybersecurity,” Psaki said in a statement Wednesday. “This incident demonstrates that Federal agencies and the private sector must work collaboratively to learn the lessons of this incident, strengthen cybersecurity practices, and deploy technologies that increase resilience against cyberattacks.”
The order also aims to improve detection and logging of cybersecurity incidents.
Asked during a press briefing about a single hack shutting down roughly 45 percent of the U.S. energy supply, Transportation Secretary Pete Buttigieg replied that the incident called for energy resilience and flexible infrastructure.
“We’ve now had, you could argue, two major wake-up call experiences—one in Texas, and now one here—each with a different cause, but both reminding us about the work that we have to do as a country,” Buttigieg said.
Some of the effects of the hack were bleak: The Consumer Product Safety Commission sent out a tweet on Wednesday warning people not to fill up plastic bags with gasoline, and more than half of the gas stations in Virginia were reportedly out of fuel.
If you’re wondering where that warning against filling plastic bags with gas came from, at least one video has gone viral showing someone doing exactly that (though the video is from 2019).
“Of course, we understand the concern in the areas where people are encountering temporary supply disruptions, but hoarding does not make things better,” Buttigieg said. “Under no circumstances should gasoline ever be put into anything but a vehicle directly or an approved container, and that, of course, remains true no matter what else is going on.”
Senior administration officials emphasized to reporters in a press briefing that the Colonial Pipeline hack did not happen in a vacuum.
“Cybersecurity incidents like SolarWinds, Microsoft Exchange, and now the Colonial Pipeline incident are a sobering reminder that both U.S. public- and private-sector entities are very vulnerable to constant, sophisticated, and malicious attack — from nation-state adversaries to run-of-the-mill criminals,” a senior administration official told reporters in a press briefing on Wednesday.
“For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money,” the same official added later. “And instead, we’ve accepted that we’ll move from one incident response to the next.”
Former FBI assistant director Frank Figliuzzi, now a national security contributor for NBC News and host of the podcast “The Bureau,” gave the executive order high marks.
“We’ve all been saying this stuff for years,” Figliuzzi told Law&Crime. “Supply chain emphasis is great. Mandated service provider advisements are good, though that has been developing well. I would have liked to go a step further and mandate private sector standards when that sector involved a key infrastructure.”