What is Infrastructure? The Colonial Pipeline Cyber Attack Tells Us
Well, here we are. A cyber attack (in this case ransomware) was used to cripple the Colonial Pipeline. Quite possibly the attack originated overseas in a nation-state-sponsored laboratory, if such environments can be equated to weapons development. Two weeks ago, I could have asked a hundred people if they could describe the Colonial Pipeline and wouldn’t have received even one knowledgeable response. Today, everyone east of the Mississippi River can likely draw a relatively accurate representation of its route on a map. Everyone is suddenly aware of the importance the Colonial Pipeline plays in the distribution of petroleum products up and down the East Coast. At this writing, citizens are rushing their cars, trucks, SUVs, motorcycles, all-terrain vehicles, lawn mowers, and surplus gas cans to stations looking to fill up before the supplies at the consumer point of sale dry up, so to speak.
This is what true national infrastructure looks like. This is not the poll-tested, happy face definition of infrastructure that has played a central role in the last two presidential elections. That version of infrastructure is presumed by voters to mean multiple billions of tax dollars that will ultimately affect their quality of life by finally repairing that perennial pothole on Walnut Street while providing a smiling green-energy government employee (a former coal miner) to install solar panels on their roof.
We should all be aware by now of the nature of poll-tested words and phrases in attempting to shape opinions and attract voters. Phrases such as common sense gun control, a living wage, and, of course, infrastructure investment have all been determined to garner positive responses among a large bloc of voters. Infrastructure investment conjures up thoughts of new, leafy bicycle paths, soaring suspension bridges, and armies of green energy workers recruited from the ranks of the under- and unemployed.
The Trump administration was rightly pilloried for not putting emphasis on infrastructure (and specifically cybersecurity) during his time in office. Trump sacked his Director of DHS’ Cybersecurity and Infrastructure Security Agency, Christopher Krebs, after the election. Mr. Krebs then took to the media and social media to lambaste the administration over accusations of tampering and malfeasance in the 2020 election results. In the wake of this kerfuffle, I would hope we could reprise Mr. Krebs to fill us in on other key aspects of his oversight at DHS — infrastructure protection of the sixteen critical sectors. Let’s focus on energy, shall we?
The Biden administration touted infrastructure investment as a priority only to immediately cancel the Keystone XL Pipeline project – the Midwestern version of Colonial and a key infrastructure improvement. Apparently, his ardent supporters believe thousands of smoke-belching diesel trucks and gas and coal-burning trains carrying petroleum along highways and train beds are somehow better for the environment than a pipeline winding its way through the pastoral landscapes of Oklahoma, Kansas, and Nebraska.
This could quickly evolve into a sidebar about the vexing fixation so many people have with trains. I get it — train travel can be fun and relaxing. I have ridden trains through several European and South American countries. I often used the Acela corridor between DC and NYC while working as a consultant, and I once rode a bullet train between Tokyo and Kyoto. For better or worse, an expansive train network simply isn’t a viable option for the United States in the 21st century. To avoid the requisite discussion of demographics, topography, and national economics, let’s just move on.
Nearly two decades ago, the nascent Department of Homeland Security established the critical infrastructure security realm — now consisting of sixteen sectors, including energy, which is focused primarily on protection of the distribution networks for electricity and gas as well as nuclear generation facilities. Since that time, much of the ersatz work that has gone into the protection of these sectors has been accomplished by the development of standards, guidelines, frameworks, checklists, lexicons, proposals, indices, glossaries, addenda, and the ubiquitous public/private partnerships. These partnerships are established by government bureaucrats who are getting paid to draft all these documents and private companies who assign additional duties to some employee so a contractor is on hand to pick up the bar tab at all these partnership meetings.
The zeal for cybersecurity partnerships for protecting our infrastructure expanded dramatically after the Stuxnet virus incident of 2007 – now a decade and a half ago. In the intervening years, what hath our documents and partnerships wrought? The CEO of the private entity gets a photo-op with a senior government wonk as they shake hands over a piece of paper destined for long-term storage along the lines of the ending of Raiders of the Lost Ark. With all these documents and partnerships, one could be forgiven for wondering how a relatively basic ransomware attack in 2021 was so successful against such a vital national target as a major oil pipeline.
The administration has now decided to toss off fifteen years of effort. When the press secretary, Jen Psaki, was asked whether a ransom had been paid, she said it was up to the “private company” to determine if they should pay the DarkSide crooks — probably with nation-state entity involvement.
It seems the attacker had a private/public partnership.
We deserve a much more effective one ourselves.