Date: 2021-05-12

The ransomware attack that shut down a major East Coast pipeline is a wakeup call the country shouldn’t have needed. Attacks against infrastructure aren’t new, nor is ransomware. The nation’s sluggish response to both cannot continue.
There’s no reason to think this latest attack will be the last. There’s also no reason to believe we’ll always be as lucky as we were this time. The results this time are primarily inconvenience and a rise in gas prices. An attack designed to damage infrastructure and harm people rather than extort money is probably inevitable.
In fact, we’ve already come close to that happening. In February a hacker took control of the water treatment system’s computers in Oldsmar, Florida. The hacker raised the sodium hydroxide in the community’s water to dangerous levels.
Fortunately, an alert employee was paying attention, saw the change, and reversed it immediately. Much about that incident remains unknown, including whether the hacker was intentionally trying to harm or just see what systems they could infiltrate.
Had that incident taken place while the employee was distracted, it could have been much worse. As it is, there was no harm done. It could quite easily have been a different story.
Traditional enforcement of laws in these cases isn’t simple. Police can’t arrest the people behind such attacks in most cases. The most serious attacks are often carried out by foreign actors, people living in other countries whose governments have no interest in handing them over for trial. So prison isn’t a risk they run.
If we can’t dissuade people by arresting and prosecuting the perpetrators, we have to find other ways to protect ourselves. We need to harden our systems so they’re less vulnerable. We need to design them with the likelihood of an attack in mind.
Such steps won’t prevent all attacks. But they can limit damage when they happen. And if criminals know they’ll have to work harder to gain access, they’re more likely to go off in search of easier targets.
The catch? Taking appropriate steps to protect public utilities and infrastructure isn’t cheap. Making them more difficult targets means updating old computers and systems. It means installing programs to detect and deflect attacks. It means training employees in how to identify attacks and in basic computer safety. Chronically underfunded, most utilities simply cannot afford the additional costs.
In the past we’ve watched as the nation confronted that reality, shrugged, and went back to other pursuits. That’s not a good enough response. This isn’t just a question of convenience or preference. It’s a genuine question of national security.
The latest attack shut down a pipeline. What if it had been directed against the power grid? Imagine the electricity going out for an extended time in the middle of a -20 cold snap in the winter. What happened last winter in Texas would be multiplied. Many more people would die.
State and federal authorities know the risk and they say they’re taking it seriously. But we have yet to see a plan designed to address the needs. That needs to change.
This cannot be allowed to bog down into partisan bickering. Most malicious hackers could not possibly care less whether the Republicans block a bill or Democrats do, nor do they particularly care who gets hurt. They just care about whether they can break into the system, and partisan sniping will only keep the window open longer.
Fixing the weaknesses we have now will take time. It will take money. It will take the political will to see a long-term project through. And then it’s going to need to be an ongoing effort to ensure that we don’t fall back into the bad habits that got us here in the first place.
This has to be done, though. We can’t depend on luck to protect critical systems. We can’t depend on always having someone looking at just the right screen to reverse a potentially lethal change.
The solution is obvious. It’s clear how we can reduce the risk to our nation’s technological infrastructure. This isn’t a case where agonizing over whether a response is appropriate is needed. We just need to do the work.
And we need to do it quickly.