Newt Gingrich would like to send SEAL Team Six busting through the doors of whoever authorized the Colonial Pipeline hack. Or maybe a Hellfire missile through the sunroof of some hacker godfather’s Lexus. Many Americans would likely agree and favor similar treatment for robocallers and email spammers, which sounds good until you remember that this would involve U.S. troops carrying out military actions on the soil of Russia or its satellites.
One universal prescription for every kind of mishap is resilience. The Jones Act, a foolish, century-old law that reserves domestic ship-borne trade for U.S.-crewed ships, is anti-resilience. If gas station owners weren’t bound by anti-gouging laws, they likely would never run out of gas. They’d jack prices high enough to persuade their customers that filling up every jerry can and topping off the Tahoe when it’s three-fourths full isn’t so necessary after all.
As with the SolarWinds hack, the public can expect to be scantily informed about the Colonial Pipeline hack compared with other major crimes and news events. News outlets can only speculate that the hack started with a typical email phishing scam. If so, this would be good to know. If the vulnerability in the overwhelming number of cases now is a human being clicking on an email link or foolishly confiding a password, then we are making progress on system security. The weak point is us.
Colonial has said its pipeline shutdown was precautionary, hinting that malware didn’t infect its industrial controllers. This would explain a few things. Hackers likely don’t know much about the companies they’re attacking—might have had little idea what Colonial does or that freezing its HR and customer accounts data might lead to gasoline shortages on the East Coast. Don’t dismiss the weird statement from a presumed Russia-associated hacking group apologizing for the Colonial complications and “creating problems for society.”
All sophisticated national governments and many that aren’t sophisticated operate continually in the cyber sphere, collecting intelligence, engaging in cyber operations. Let’s not kid ourselves about this. The U.S. tends publicly to disclose Chinese and Russian hacking exploits, perhaps because our system is more open but also likely for strategic reasons: Hiding such attacks, perversely, connotes weakness. Try to think of a case where Moscow or Beijing owned up to or publicized a cyber intrusion at the hands of the U.S. It’s not because such intrusions don’t happen. In all likelihood, the U.S. is the biggest, baddest cyber actor out there and these governments don’t want to advertise their vulnerability to their own citizens.