May 11, 2021 | NBC News

Gas pipeline hack reveals cyber vulnerabilities. But Biden infrastructure plan doesn’t fix them.

The president's proposal includes $400 billion to support home care workers but doesn't address securing vital infrastructure from cyberattacks.
May 11, 2021 | NBC News

Gas pipeline hack reveals cyber vulnerabilities. But Biden infrastructure plan doesn’t fix them.

The president's proposal includes $400 billion to support home care workers but doesn't address securing vital infrastructure from cyberattacks.

Colonial Pipeline, the United States’ largest purveyor of refined fuel, including gasoline, diesel and jet fuel, recently had a bad day. Late last Friday, the company’s information technology systems fell victim to ransomware. The company quickly shut down its operations as a precautionary measure to contain the attack and prevent long-term damage to its physical systems. As of Tuesday afternoon, the pipeline was still largely offline, though Colonial hopes to restore operations by the end of the week.

It was disappointing to see that the Biden administration’s current infrastructure plan falls woefully short in terms of actually securing the infrastructure it proposes to build.

The attack on Colonial Pipeline is one data point in an overall trend of increased attacks from ransomware, malicious software that prevents victims from accessing their data and requires a ransom payment in order to restore their systems. The consequences can range from the economically costly to the downright dire: Businesses get locked out of their computer systems for several hours or days at a time, halting operations, disrupting supply chains and significantly harming consumer trust.

In 2020 alone, nearly 2,400 state and local governments, health care facilities and schools were victims of ransomware attacks. Additionally, the victims of these attacks paid a total of $350 million in ransom, marking a 300-plus-percent increase from the previous year.

And ransomware is just one kind of cyberthreat posed to infrastructure — one of the country’s most prevalent national security risks and one that should be at the top of priority lists for infrastructure needs. Given the severity of the danger, it was disappointing to see that the Biden administration’s current infrastructure plan falls woefully short in terms of actually securing the infrastructure it proposes to build, a failing that has raised eyebrows.

The Colonial Pipeline attack “is a play that will be run again, and we’re not adequately prepared” warned Sen. Ben Sasse, R-Neb. “If Congress is serious about an infrastructure package, at front and center should be the hardening of these critical sectors — rather than progressive wish lists masquerading as infrastructure.”

America’s critical infrastructure as traditionally defined and historically understood is deeply in need of investment and renewal. The backbone of the package must therefore be to safeguard and upgrade these core elements — from airports and highways to mass transit and beyond — and must have significant cybersecurity investments properly baked in.

President Joe Biden’s $2 trillion package does include $621 billion for long-standing transportation infrastructure needs such as bridges, roads and ports and over $300 billion for upgrading electric grids and drinking-water infrastructure and expanding broadband internet access.

However the package stretches the definition of infrastructure beyond its traditional meaning. Under the plan, for instance, $400 billion goes to support the home-based health care workforce, the component of the package described by The New York Times as the “most transformational and polarizing.” Aspiring to transformational change is a leader’s prerogative; but it should be done transparently in a way that does not subvert logic, common sense or pressing national and economic security priorities — in this case, securing infrastructure itself from cyberattacks.

Indeed, malicious actors are more emboldened than ever to take advantage of the vulnerability of American critical infrastructure, from our water supply to our electric grid to our pipelines. The Colonial Pipeline supplies 45 percent of the East Coast’s fuel, transporting nearly 100 million gallons of refined fuel between the Gulf Coast and New York on a daily basis. If the disruption were to continue unabated, the East Coast could be at risk for more distribution problems and price fluctuations, which could prompt other cascading consequences that could jeopardize many systems — airports, businesses and day-to-day travel — that rely on its fuel deliveries. The possible harm to the wider economy could extend even beyond that.

The Biden administration is taking some important steps outside of the infrastructure bill to address the issue of ransomware and cybersecurity more broadly. The recent announcement of a Department of Homeland Security “sprint” to tackle ransomware by raising awareness and disrupting bad actors, a Department of Justice ransomware task force to go after perpetrators and suggestions that a new White House ransomware plan is forthcoming all signal an increased willingness by the federal government to act. But unfortunately, these are inadequate and significant vulnerabilities still exist.

Specifically, the Biden administration’s proposed infrastructure spending plan doesn’t address securing infrastructure from malicious cyber activity. The president’s budget proposal for next year also doesn’t prioritize cybersecurity. The Cybersecurity and Infrastructure Security Agency received only a 5 percent budget increase, compared to the overall 16 percent increase in nondefense spending. Both the budget and the infrastructure plan continue the Trump administration’s failure to sufficiently fund cybersecurity efforts in the nondefense department budget areas.

Read in NBC News

Issues:

Cyber