The 2021 hack of Colonial Pipeline, the biggest fuel pipeline in the United States, ended with thousands of panicked Americans hoarding gas and a fuel shortage across the eastern seaboard. Basic cybersecurity failures let the hackers in, and then the company made the unilateral decision to pay a $5 million ransom and shut down much of the east coast’s fuel supply without consulting the US government until it was time to clean up the mess.
From across the Atlantic, Ciaran Martin looked on in baffled amazement.
“The brutal assessment of the Colonial hack is that the company made decisions off of narrow commercial self-interest, everything else is for the federal government to pick up,” says Martin, previously the United Kingdom’s top cybersecurity minister.
Now some of the US’s top cybersecurity officials—including the White House’s current Cyber director—say the time has come for a stronger government role and regulation in cybersecurity so that fiascos like Colonial don’t happen again.
The change in tack comes just as the war in Ukraine, and the heightened threat of new cyberattacks from Russia, is forcing the White House to rethink how it keeps the nation safe.
“We’re at an inflection point,” Chris Inglis, the White House’s national cyber director and Biden’s top advisor on cybersecurity, tells MIT Technology Review in his first interview since Russia’s invasion of Ukraine. “When critical functions that serve the needs of society are at issue, some things are just not discretionary.”
The White House’s new cybersecurity strategy consists of stronger government oversight, rules mandating that organizations meet minimum cybersecurity standards, closer partnerships with the private sector, a move away from the current market-first approach, and enforcement to make sure any new rules are followed. It will take its cue from some of the nation’s most famous regulatory landmarks, such as the Clean Air Act or the formation of the Food and Drug Administration.
With looming threats from Russian hackers, the FCC is planning for the prospect of Russians hijacking internet traffic, a tactic they’ve seen Moscow employ in the past. A new FCC initiative, announced March 11, aims to investigate if US telecom companies are doing enough to be secure against the threat. However, it’s a real test for the agency because it doesn’t have the power to force companies to comply. They are relying on the possibility of a national security crisis to get them to toe the line.
To support MIT Technology Review’s journalism, please consider becoming a subscriber.
For many officials, this almost total reliance on the goodwill of the market to keep citizens safe cannot continue.
“The purely voluntary approach [to cybersecurity] simply has not gotten us to where we need to be, despite decades of effort,” says Suzanne Spaulding, previously a senior Obama administration cybersecurity official. “Externalities have long justified regulation and mandates such as with pollution and highway safety.”
Crucially, the White House’s top officials concur. “I’m a strong fan of what Suzanne says and I agree with her,” says Inglis.
Without a dramatic change, advocates argue, history will repeat itself.
“It’s no secret that companies don’t want strong cybersecurity rules,” says Senator Ron Wyden, one of congress’s loudest voices on cybersecurity and privacy issues. “That’s how our country got where it is on cybersecurity. So I’m not going to pretend that changing the status quo is going to be easy. But the alternative is to let hackers from Russia and China and even North Korea run wild in critical systems all across America. I sincerely hope the next hack doesn’t cause more damage than the Colonial Pipeline breach, but unless Congress gets serious it’s almost inevitable.”
A shift won’t be easy. Many experts, both inside and outside government, worry that poorly written regulation could do more harm than good and some officials have misgivings about regulators’ lack of cybersecurity expertise. For example, the Transportation Security Administration’s recent cyber regulations on pipelines were “screwed up” due to what critics say are inflexible, inaccurate rules that cause more problems than they solve. Detractors point to it as the result of a regulator with a huge remit but not nearly enough time, resources, and expert staff to do the job right.
Glenn Gerstall, who was general counsel at the National Security Agency until 2020, argues that the current scattershot approach–a host of different regulators working on their own specific sectors–doesn’t work and that the US needs one central cybersecurity authority with the expertise and resources that can scale across different critical industries.
Pushback against the pipeline regulations signals how difficult the process might be. But despite that, there is a growing consensus that the status quo—a litany of security failures and perverse incentives—is unsustainable.
The Colonial Pipeline incident proved what many cyber experts already know: most attacks are the result of opportunistic hackers exploiting years-old problems that companies fail to invest in and solve.
“The good news is that we actually know how to solve these problems,” says Glenn Gerstall, general counsel at the National Security Agency until 2020. “We can fix cybersecurity. It may be expensive and difficult but we know how to do it. This is not a technology problem.”
Another major recent cyberattack proves the point again: SolarWinds, a Russian hacking campaign against the US government and major companies, could have been neutralized if the victims had followed well-known cybersecurity standards.
“There’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents, practically to the level of a natural disaster or other so-called acts of God,” Wyden says. “That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility. But once the facts come out, the public has seen repeatedly that the hackers often get their initial foothold because the organization failed to keep up with patches or correctly configure their firewalls.”
It’s clear to the White House that many businesses do not and will not invest enough in cybersecurity on their own. In the past six months, the administration has enacted new cybersecurity rules for banks, pipelines, rail systems, airlines, and airports. Biden signed a cybersecurity executive order last year to bolster federal cybersecurity and impose security standards on any company making sales to the government. Changing the private sector has always been the more challenging task and, arguably, the more important one. The vast majority of critical infrastructure and technology systems belong to the private sector.
Most of the new rules have amounted to very basic requirements and a light government touch—yet they’ve still received pushback from the companies. Even so, it’s clear that more is coming.
“There are three major things that are needed to fix the ongoing sorry state of US cybersecurity,” says Wyden. “Mandatory minimum cybersecurity standards enforced by regulators; mandatory cybersecurity audits, performed by independent auditors who are not picked by the companies they are auditing, with the results delivered to regulators; and steep fines, including jail time for senior execs, when a failure to practice basic cyber hygiene results in a breach.”
The new mandatory incident reporting regulation, which became law on Tuesday, is seen as a first step. The law requires private companies to quickly share information about shared threats that they used to keep secret—even though that exact information can often help build a stronger collective defense.
Previous attempts at regulation have failed but the latest push for a new reporting law gained steam due to key support from corporate giants like Mandiant CEO Kevin Mandia and Microsoft president Brad Smith. It’s a sign that private sector leaders now see regulation as both inevitable and, in key areas, beneficial.
Inglis emphasizes that crafting and enforcing new rules will require close collaboration at every step between government and the private companies. And even from inside the private sector, there is agreement that change is needed.
“We’ve tried purely voluntary for a long time now,” says Michael Daniel, who leads the Cyber Threat Alliance, a collection of tech companies sharing cyber threat information to form a better collective defense. “It’s not going as fast or as well as we need.”
The view from across the Atlantic
From the White House, Inglis argues that the United States has fallen behind its allies. He points to the UK’s National CyberSecurity Centre (NCSC) as a pioneering government cybersecurity agency that the US needs to learn from. Ciaran Martin, the founding CEO of the NCSC, views the American approach to cyber with confused amazement.
“If a British energy company had done to the British government what Colonial did to the US government, we’d have torn strips off them verbally at the highest level,” he says. “I’d have had the prime minister calling the chairman to say, ‘What the fuck do you think you’re doing paying a ransom and switching off this pipeline without telling us?’”
The UK’s cyber regulations work so that banks must be resilient against both a global financial shock and cyber stresses. The UK has also focused stronger regulation on telecoms as a result of a major British telecom being “completely owned” by Russian hackers, says Martin, who says the new security rules make the telecom’s previous security failures illegal.
On the other side of the Atlantic, the situation is different. The Federal Communications Commission, which oversees telecommunications and broadband in the US, had its regulatory power significantly rolled back during the Trump presidency and relies mostly on voluntary cooperation from internet giants.
The UK’s approach of tackling specific industries one at a time by building on the regulatory powers they already have, as opposed to a single new centralized law that covers everything, is similar to how the Biden White House strategy on cyber will work.
“We have to exhaust the [regulation] authorities we already have,” Inglis says.
For Wyden, the White House strategy signals a much needed change.
“Federal regulators, across the board, have been afraid to use the authority they have or to ask Congress for new authorities to regulate industry cybersecurity practices,” he says. “It’s no wonder that so many industries have atrocious cybersecurity. Their regulators have essentially let the companies regulate themselves.”
Why the cybersecurity market fails
There are three fundamental reasons why the cybersecurity market, worth hundreds of billions of dollars and growing globally, falls short.
Companies have not figured out how cybersecurity makes them money, Daniel says. The market fails at measuring cybersecurity and, more importantly, often cannot connect it to a company’s bottom line–so they often can’t justify spending the necessary money.
The second reason is secrecy. Companies have not had to report hacks, so crucial data about big hacks has been kept locked away to protect companies from bad press, lawsuits, and lawmakers.
Third is the problem of scale. The price that the government and society paid for the Colonial hack went well beyond what the company itself would pay for. Just like with the issue of pollution, “the costs don’t show up on your bottom line as a business,” Spaulding says, so the market incentives to fix the problems are weak.
Advocates for reform say that a stronger government hand can change the equation on all of that, exactly the way reform has in dozens of industries over the last century.
Gerstall sees pressure building slowly to do something different than the status quo.
“I have never seen such near unanimity and awareness ever before,” says Gerstall. “This looks and feels different. Whether it’s enough to really push change is not yet clear. But the temperature is increasing.”
Inglis points to the nearly $2 billion in cybersecurity money from Biden’s 2021 $1 trillion infrastructure bill as a “once in a generation opportunity” for the government to step up on cybersecurity and privacy.
“We have to make sure we don’t overlook the stunning opportunities we have to invest in the resilience and robustness of digital infrastructure,” Inglis argues. “We have to ask, what are the systemically critical functions that our society depends on? Will market forces alone attend to that? And when that falls short, how do we determine what we should do? That’s the course ahead for us. It doesn’t need to be a process that lasts years. We can do this with a sense of urgency.”