Op-ed views and opinions expressed are solely those of the author.
Over the past few days, members of Congress grilled the CEO of Colonial Pipeline during a hearing regarding last month’s hack that affected 45% of the fuel supply chain on the East Coast of the United States. Part of the questioning focused strictly on the $4.4 million payout that was scored by Russia’s DarkSide Ransomware Gang, the group responsible for the attack.
Many lawmakers were disturbed by the decision to pay the ransom, as that behavior will likely encourage future attacks against America’s critical infrastructure. Paying ransoms is not only discouraged by government officials, but it can also lead to civil penalties for companies found to be paying sanctioned entities.
Late last year, as the Trump administration was winding down, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a groundbreaking advisory that outlined penalties for American businesses found to be in violation of OFAC’s new directives related to ransomware attacks.
The advisory targeted payouts to individuals or groups under US sanctions and stated that, “ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” and added that “ransomware payments may also embolden cyber actors to engage in future attacks.”
Colonial CEO Joseph Blount admitted to The Wall Street Journal in May that because of uncertainty regarding the scope of the breach and the questions surrounding the length of time it would take to restore pipeline services that affect over 40% of the East Coast’s fuel supply, he made the decision to authorize the ransom payment of $4.4 million.
Blount was also aware of the OFAC directive and told lawmakers this week, “I do know that repeatedly throughout the process, the fact of whether DarkSide was on the sanctions list or not was fact-checked repeatedly.”
Generally, pro-business GOP lawmakers will attempt to allow these private sector issues to work themselves out, but as the frequency of major attacks has increased, even some of the more libertarian-leaning members of Congress are seeking increased oversight into cyber matters. The issue of cybersecurity is no minor expense to taxpayers, especially as the intelligence community remains involved in resolving hacks for private businesses. In just the last few weeks, the FBI invested significant time and resources to aid Colonial Pipeline in recovering most of the $4.4 million in ransom ($2.3 million in Bitcoin) paid to the DarkSide hackers.
Most of the issues considered when weighing whether to pay a ransom come down to cost. Reconstructing a network carries a massive cost for large companies like Colonial Pipeline. In addition, most companies carry cybersecurity insurance. Some experts feel that the insurance issue incentivizes hackers to remain in business. In a recent column for the NY Daily News, Richard Clarke, former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the United States between 1998 and 2003, and Robert K. Knake, Senior Fellow at the Council on Foreign Relations (CFR), opined, “Usually (victims of a cyber-attack) it is a corporation that never tells the public about the attack. The companies do tell their insurance carriers, and they, in turn, pay up. It’s cheaper for the insurance companies to pay the hackers to unlock the networks than to pay computer security companies to rebuild the corporate network from scratch.”
With insurance-based resolutions being the norm for several years and cybercriminals being aware that in most cases, businesses and insurance companies want a fast closing to the matter, will the established trend lead lawmakers to seek additional governmental intervention in the private sector?
Well, actually the government is already dipping both hands into the matter. After the Colonial attack in May, the Department of Homeland Security (DHS) established new cyber guidelines aimed at America’s leading pipeline companies. The guidelines require the companies to report all cyber incidents to the federal government.
Internationally, another recent major attack recalled the 2017 WannaCry attack and targeted the Irish healthcare system in the days following the Colonial Pipeline hack. The attack shut down most IT systems connected to the Irish hospital system and locked many healthcare providers out of their networks, providing a chilling preview of what may await America in the future.
According to Ireland’s prime minister, Micheál Martin, the incident was, “a heinous attack, it’s a shocking attack on a health service, but fundamentally on the patients and the Irish public.”
The constant struggle between cybercriminals, the private sector and bureaucrats remains a complicated situation. We can already see many statists in the government attempting to exploit this crisis in order to further regulate the private sector. But with the current Democrat majorities on Capitol Hill, can the Biden administration be trusted to carry this out, shoring up American cyber defenses without saddling businesses with unnecessary costs related to compliance? The next few months will bring additional changes at the Cybersecurity and Infrastructure Security Agency (CISA), and with the attitudes currently seen in Congress, we should receive a swift answer to that question.
Julio Rivera is a business and political strategist, the Editorial Director for Reactionary Times, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, has been published by websites including Newsmax, Townhall, American Thinker and BizPacReview.