On Friday, May 7, hackers attacked the computer systems of Colonial Pipeline, which operates a major gasoline pipeline that brings gasoline and jet fuel from Houston refineries up through the southeastern United States as far as New Jersey. Out of concern that the hackers might have obtained data enabling them to do physical damage to their facilities, the pipeline operators shut the pipeline down while it was still under their control.
This may have saved the machinery from damage, but it produced a severe regional fuel shortage that affected everything from flights out of Atlanta to drivers’ vacation plans. As of Sunday, May 16, the pipeline was fully restarted, but the ripple effects of the shutdown meant 88% of Washington, D. C. gas stations were out of gas at one point over the weekend.
This was a ransomware attack by a group calling itself DarkSide with reported links to Russia. According to Bloomberg News, Colonial Pipeline paid DarkSide about $5 million in bitcoin for software to unlock their systems, only to find that it ran so slowly that they ended up restoring service without its help.
This is by far the most serious ransomware attack ever mounted on a U. S.-based facility, and should become a turning point in our response to this sort of attack. Although I’ve stated the following position before in relation to other ransomware attacks, it bears repeating now that millions of people are going without gas, including many in Washington, D. C., and are presumably paying attention to the problem.
Article 4, Section 4 of the Constitution of the United States reads as follows, in full:
“The United States shall guarantee to every state in this Union a republican form of government, and shall protect each of them against invasion; and on application of the legislature, or of the executive (when the legislature cannot be convened) against domestic violence.”
The key word of present interest in this section is “invasion.” An online law dictionary defines invasion as “[a]n encroachment upon the rights of another; the incursion of an army for conquest or plunder.” The Constitution was written at a time when messages travelled fastest by horseback or sailing ship. It is safe to say that the current technological facts of instant global Internet access to a domestic firm’s private infrastructure were not in the minds of the drafters of the Constitution.
But notions of justice and international relations were, and the drafters recognised that a federal government that could not successfully defend its constituent states against invasion, as defined above, was not worth organising. So they put words in the Constitution that gave the federal government the responsibility of defending the states against invasion, and in Article 1, section 8, they also gave Congress the power to “provide for the calling forth the militia to execute the laws of the Union, suppress insurrections, and repel invasions.” There’s that word “invasion” again.
Pardon what may look like a constitutional detour, but what happened to Colonial Pipeline this month amounts to invasion and plunder by agents of a foreign power. The DarkSide criminals may not formally be agents of the Russian government, but they operate with its approval or at least without its hindrance.
Suppose a bunch of Canadians armed with tanks and machine guns charged across the Ambassador Bridge in Detroit and took over the headquarters of Ford Motor Company in Dearborn, Michigan, capturing their main computer centre and demanding $5 million in ransom to turn it loose. This would quite properly be regarded as a foreign invasion, and no one would raise a finger to object to using whatever military force was necessary to repel such an invasion.
I submit that what happened to Colonial Pipeline is morally equivalent to my hypothetical invasion by Canadians. The technological details are different, but the responsibility of the US government to defend those within its borders from invasion and plunder is something that the Founders intended it to do.
So what has the federal government in fact done? Hardly anything — a few warnings not to try keeping gasoline in plastic bags, a few adjustments of shipping regulations to allow more ships to land gasoline from abroad, and that’s about it.
There is a well-known saying that generals always prepare for the last war, not the one they’re fighting now. And that is certainly true in this case. According to one source, the U. S. military has over 200,000 troops stationed abroad in over 170 countries. The vast majority of these are conventional soldiers ready to shoot bullets and drop bombs, and certainly, bullets and bombs haven’t gone out of fashion. But among the more advanced criminal element, it’s much more chic to keep your fingers clean while typing code that will shut down half of the gasoline going to the U. S. East Coast, and make $5 million in exchange for some software that doesn’t even work.
Congress is reportedly drafting legislation to do something about this sort of thing. That is where the process should start, but it’s clear that a vast reorganisation and re-prioritising of the entire domestic and foreign military establishment is called for. Cyberwarfare is where it’s at now. Metaphorically speaking, the Canadians have been rioting through the entire country for years now, and all we have done is have vague discussions about the future of military combat. Don’t people get it? It’s happening now. The fact that nobody was killed in the Colonial hack is due more to the foresight of the pipeline operators than to anyone else, as an out-of-control pipeline can do unimaginable amounts of damage.
But private companies should not have to shoulder by themselves the burden of protecting their facilities against foreign invasion and plunder. That’s one of the most basic services of the federal government, and so far it is failing miserably in its job.
The gasoline shortage Washington now enjoys has fallen equally on Republicans and Democrats. We can only hope that they will unite to make major lasting changes in the structure and priorities of the U. S. military so that we can once more be secure in our persons and property against the depredations of foreign invasion, including ransomware attacks.
This article has been republished with permission from Engineering Ethics.