On May 6 of this year, Colonial Pipeline was hit with a ransomware attack by the Russian-based group DarkSide. Reportedly, DarkSide attacked Colonial Pipeline’s billing system, not its operational technology. But as a precaution, for the first time in history, Colonial shut down its entire pipeline, which supplies 45 percent of all the gasoline and jet fuel consumed on the East Coast of the United States.
This shutdown had an immediate, direct, and far-reaching impact on the day-to-day lives of the American people. Shortages at gas stations popped up across Alabama, Florida, Georgia, North and South Carolina and Virginia. On May 11, 71 percent of gas stations in Charlotte, North Carolina ran out of fuel. On May 14, 87 percent of gas stations in Washington, DC went dry. Gas prices shot up. Panic buying and hoarding occurred. Airports and airlines were affected. Colonial Pipeline paid the $5 million ransom. The pipeline was tuned back on. But one ransomware attack, directed at one company, had far-reaching consequences to our nation, its people, and its national security.
It was as if one water-main break in downtown Houston, Texas caused kitchen faucets to run dry in Arlington, Virginia. Or, as if a single pothole in a runway at the Atlanta airport had delayed every commercial flight in the southeastern United States.
This wasn’t the first cyberattack on energy infrastructure, and it won’t be the last.
In 2015, Russian hackers attacked the power grid in Ukraine, leaving 225,000 people in the dark.1Pavel Polityuk et al., Ukraine’s Power Outage Was a Cyber Attack, Reuters (Jan. 18, 2017), https://www.reuters.com/article/us-ukraine-cyber-attack-energy/ukraines-power-outage-was-a-cyber-attack-ukrenergo-idUSKBN1521BA
In 2012, Saudi Aramco was hit with a cyberattack, likely by the government of Iran, which forced the then-world’s largest oil company to shut down 35,000 computers and go back to operating with typewriters and fax machines.2Jose Pagliery, The Inside Story of the Biggest Hack in History, CNN Business (Aug. 5, 2015), https://money.cnn.com/2015/08/05/technology/aramco-hack/
In February 2021, a hacker infiltrated a water treatment plant in Florida and attempted to increase the water supply’s sodium hydroxide to alarmingly dangerous levels.3Tasha Jhangiani & Madison Lockett, How the Energy Department Can Improve Cybersecurity in the Energy Industry, Nextgov (Aug 4, 2021), https://www.nextgov.com/ideas/2021/08/how-energy-department-can-improve-cybersecurity-energy-industry/184282/; see also Andy Greenberg, A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say, Wired (Feb. 8, 2021), https://www.wired.com/story/oldsmar-florida-water-utility-hack/
In August 2021, a nation-state attempted a cyberattack on the Port of Houston, the largest container port on the Gulf Coast.4Alan Suderman, Port of Houston Target of Suspected Nation-State Hack, AP (Sept 24, 2021), https://apnews.com/article/business-technology-rob-portman-1e9ff8dac8dbb500d15661c816c22084; Statistics,Port Houston, https://porthouston.com/about-us/statistics/
The cyber threat to our energy infrastructure is real and growing. Indeed, it’s not just a threat. It is our current reality.
For three years, I served as Secretary of the Department of Homeland Security (DHS). As a New Yorker who was present in Manhattan on 9/11, and after four years as the senior legal official for the Department of Defense, I came to the job of DHS Secretary with a counterterrorism bent. I told my staff at DHS that counterterrorism needs to be the cornerstone of our mission. I soon learned that a building can have more than one cornerstone, and that cybersecurity needs to be another cornerstone mission for DHS.
Cyberspace is the new 21st century war zone. As reported by the New York Times just a few days ago, the governments of Iran and Israel are actively engaged in covert cyberwarfare right now.5Farnaz Fassihi & Ronen Bergman, Israel and Iran Broaden Cyberwar to Attack Civilian Targets, N.Y. Times (Nov. 27, 2021), https://www.nytimes.com/2021/11/27/world/middleeast/iran-israel-cyber-hack.htmlCyberattacks are replacing kinetic attacks. Covert actors are replacing conventional state actors. US Cyber Command now exists alongside the combatant commands of our nation’s military.
A cyberattack on our nation’s energy sector, or any other sector of critical infrastructure, must be viewed as an attack on the nation itself, warranting a national response.
Under US law, critical infrastructure is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”6See 42 U.S.C. § 5195c(e) (2018) As declared by DHS, there are eighteen critical infrastructure sectors in this country, including the defense industrial base, financial services, transportation, energy, water, and nuclear reactors.7Critical Infrastructure Sectors, CISA, https://www.cisa.gov/critical-infrastructure-sectors (last visited Dec. 2, 2021) Just before leaving office in January 2017, I added election infrastructure to the list, as a subsector of the government facilities sector. Our government goes to the trouble of declaring these assets critical infrastructure for a reason.
In the energy sector in particular, assets of critical infrastructure are becoming increasingly interconnected and increasingly vulnerable to a cyberattack of widespread consequences. And just as every organ of the human body depends on a healthy heart, all of the other sectors of critical infrastructure depend on the energy sector.
To be sure, there are compelling reasons for the increasing interconnectivity of our energy sector. With climate change comes the need for renewable energy. With renewable energy, wind and solar power, efficient uses of fossil fuels, and smarter uses of electric grids, come the need for digitization and interconnectivity. As a result, the US electricity grid is now referred to as “the largest interconnected machine in the world.”8Don C. Smith, Editorial, Enhancing Cybersecurity in the Energy Sector: A Critical Priority, 36 J. Energy & Nat. Res. L. 373, 373 (2018)
All this leads to cleaner uses of energy. But it need not mean trade-offs for our cybersecurity.
With the recent passage of the new bipartisan infrastructure law, nearly $2 billion will be devoted to making our infrastructure more resilient against the impact of cyberattacks.9See Infrastructure Investment and Jobs Act of 2021, Pub. L. No. 117-58, §§ 40124, 70602, 70612, 135 Stat. 429 (2021) But there are other things we must do to strengthen the cybersecurity of the energy sector and the other sectors of critical infrastructure in this country.
First, and perhaps the easiest, least expensive and most obtainable solution: continue to raise awareness about the threat of spear-phishing. Many of us know what spear-phishing is, but many still fall prey to it. Spear-phishing occurs when a system user is lured into responding to an email from a bad cyber-actor posing as a benign and familiar caller. And once the user answers the knock, opens the door, and lets the bad actor in to the secure zone, that bad actor can pose as almost anyone for any purpose. To this day, many of the most devastating cyberattacks on our nation began by a simple act of spear-phishing. This is preventable. Raising awareness about spear-phishing among those who use a system can go a long way to dramatically reducing the success rate of this form of attack. More broadly, simply raising awareness about weak passwords or the value of two-factor authentication can prevent a large number of attacks that originate due to lack of what we refer to as “cyber hygiene.”
Second, achieve and ensure redundancy. Whether it is the ability to count ballots or control a pipeline, redundancy is key. This is not a new concept. Like the retention of paper ballots after an election, some call for back-up manual control of power grids and pipelines. This may not be doable in all circumstances. The point is to have redundant systems that exist off the internet in the event the primary system is corrupted. Or, at the least, a contingency plan for how services are to be delivered if redundancy is not possible.
Third, Congress should not give up on efforts to legislate certain minimum standards for cybersecurity in critical infrastructure. Most of our nation’s critical infrastructure is in the hands of the private sector. Working with the private sector, the government ought to be able to develop basic, practical and implementable standards. The good news is that many large and sophisticated companies within critical infrastructure are far along in the cybersecurity of their own assets. Others are not, including many new entrants to sectors of critical infrastructure.
In 2012, Congress tried but failed to legislate national minimum cybersecurity standards, and even offered immunity from civil liability as a carrot. That effort failed. Events since then provide further proof of the need for this.
No one size fits all when it comes to cybersecurity standards for the different sectors of critical infrastructure. Certain standards for certain sectors already exist by virtue of regulatory action. Congress should empower regulators of each sector of critical infrastructure to do more. Successive administrations, including the current one, have undertaken to regulate cybersecurity by executive action. This is no substitute for laws passed by Congress. It is also common sense. By federal law, we regulate aviation security, road safety, maritime security, nuclear and chemical facilities. Why not cybersecurity? The need is no less compelling.
Fourth, we must bolster mandatory reporting to the federal government of certain categories of cyber incidents within critical infrastructure. I am disappointed that bipartisan efforts to insert such a requirement in this year’s National Defense Authorization Act failed.10Joseph Marks, Congress can’t even pass the easy cyber stuff, Washington Post (Dec. 8, 2021), https://www.washingtonpost.com/politics/2021/12/08/congress-cant-even-pass-easy-cyber-stuff/ Tom Fanning, chairman and CEO of Southern Companies and a leader in calls for greater cybersecurity of the utility industry, has gone so far as to argue that the country needs “[a] real-time view of [the] battlefield” that allows US Cyber Command to monitor critical systems at the same moment and at the same time as the operators of those systems do.11David Stringer and Heesu Lee, Why Global Power Grids Are Still Vulnerable to Cyber Attacks, Bloomberg (Mar. 3, 2021), https://www.bloomberg.com/news/articles/2021-03-03/why-global-power-grids-are-still-so-vulnerable-to-cyber-attacks
Fifth, we must recognize that a cyberattack on a pipeline or a power grid could now cause as much physical damage and suffering as a natural disaster. The good news here is that the bipartisan Infrastructure Investment and Jobs Act signed into law by President Biden in November creates a Cyber Response and Recovery Fund to be administered by DHS for this purpose.12Infrastructure Investment and Jobs Act of 2021 § 70602
Sixth, I join the many calls for the education, recruitment and retention of a cyber-workforce to meet the urgency of the current threats in cybersecurity. Exchange programs between the public and private sectors should be encouraged. Given the current threats we face, why not a National Cybersecurity College or University for both civilians and military, funded by the Departments of Defense and Homeland Security, to exist alongside our military academies, the National Defense University and the National War College?
Seventh, and finally, we must make it clear to the world that, in the eyes of the United States, a cyberattack from overseas on our nation’s critical infrastructure may rise to the level of an armed attack on the nation itself, warranting a military response (as the term “military” is now understood in the 21st century).
In reaction to the terrorist attacks on 9/11, our government reshaped itself to go to war against terrorist organizations. We reshaped how we think of war. We recognized that warfare can be conducted against unconventional, non-state actors, and that conflict against non-state actors may not be limited to the boundaries of a particular nation.
As I said before, cyberspace is the new 21st century war zone. Covert state and non-state actors launch cyberattacks from overseas on our critical infrastructure that have the potential to cause death and destruction to the same extent and in the same manner as an air strike or a terrorist attack.
In testimony before the House Armed Services Committee in 2018, I said that a cyberattack which causes large-scale death or physical destruction can be considered an armed attack on the United States, warranting a military response.13Cyber Operations Today: Preparing for 21st Century Challenges in an Information-Enabled Society: Hearing Before the H. Armed Servs. Comm., 115th Cong.69 & n.5 (2017) (statement of Jeh C. Johnson)(citing Jack Goldsmith, How Cyber Changes the Laws of War, 24 Eur. J. Int’l L. 129 (2013); Oona Hathaway, et al., The Law of Cyber Attack, 100 Cal. L. Rev. 817 (2012); Charlie Dunlap, Are Cyber Norms as to What Constitutes an “Act of War” Developing as We Would Want?, Lawfire (Sept. 15, 2017), https://sites.duke.edu/lawfire/2017/09/15/are-cyber-norms-as-to-what-constitutes-an-act-of-war-developing-as-we-would-want/) The President has the constitutional authority to take military action to defend the nation, so long as the action does not rise to the level of a war in scope and duration, which only Congress can declare.14See, e.g., April 2018 Airstrikes Against Syrian Chemical-Weapons Facilities, 42 Op. O.L.C. __ (May 31, 2018); Targeted Airstrikes Against the Islamic State of Iraq and the Levant, 38 Op. O.L.C. 82 (2014); Authority to Use Military force in Libya, 35 Op. O.L.C. 20 (2011) Under international law, the United States is authorized to act in self-defense if the host nation is unwilling or unable to address the threat itself within its boundaries.15See UN Charter art. 51; US Dep’t of Def., Law of War Manual ¶¶ 5.10, 5.11 (2016); Daniel Bethlehem, Self-Defense Against an Imminent or Actual Armed Attack by Nonstate Actors, 106 Am. J. Int’l L. 770, 773–77 (2012) (offering principles “that apply, or ought to apply, to the use of force in self-defense against an imminent or actual armed attack by nonstate actors”); Ashley Deeks, “Unwilling or Unable”: Toward a Normative Framework for Extraterritorial Self-Defense, 52 Va. J. Int’l L. 483, 486 (2012) (“More than a century of state practice suggests it is lawful for State X, which has suffered an armed attack by an insurgent or terrorist group, to use force in State Y against that group if State Y is unwilling or unable to suppress the threat.”) And under established principles of the international laws of war, a military response to an attack should be proportionate, but it need not be in kind.16See, e.g., International Strategy for Cyberspace, May 2011, https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf (“When warranted the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means – diplomatic, informational, military, and economic – as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.”)
The United States has offensive cyber capabilities that are second to none. They should serve as both a defense and as a deterrent. I am a recipient of the Ronald Reagan Peace Through Strength Award. Like President Reagan, I believe that peace and security is achieved though strength. In 2018, when I accepted the Reagan Award, I said this:
“Peace is not the default; you have to work for it. Peace is the goal toward which the human race must continually strive, but it is not the natural state of affairs across the globe. Peace must be guarded and protected against the belligerent impulses of far too many on this planet. Strength forges peace, and perceived weakness tempts aggression.”
Jeh Charles Johnson is a partner at Paul, Weiss, Rifkind, Wharton & Garrison, LLP. He served as Secretary of Homeland Security from 2013-2017, as General Counsel of the Department of Defense from 2009-2012, as General Counsel of the Department of the Air Force from 1998-2001, and as Assistant US Attorney for the Southern District of New York from 1989-1991.
This is the text of Secretary Johnson’s public remarks at the Atlantic Council event, “Securing the energy and critical infrastructure sectors from cyberattacks”. A cached replay of the event can be found here.