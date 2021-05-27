It was welcome news that federal officials will replace voluntary cybersecurity guidance for the pipeline industry with mandatory regulations after a cyberattack on the Colonial Pipeline left many motorists in the Southeast lining up for suddenly vanishing gasoline supplies.
Despite two decades of concern and a decade of devastating hacks of American and foreign governments and commercial targets, there are still too many holes in our cyber defenses, ones that if further exploited could cripple the nation. If that problem is not fixed promptly, the United States could find itself unable to defend itself or its allies.
President Joe Biden’s executive order is a step toward addressing major flaws in cybersecurity, but Congress needs to strengthen and broaden it. As a major national security concern, it should be a top priority for Congress this year. And it will not be cheap.
The Department of Homeland Security also acted this week, issuing its first cybersecurity regulations for the pipeline sector in response to the Colonial attack.
The most devastating cyberattacks against U.S. businesses and government agencies have been perpetrated by foreign governments, notably Russia, China, Iran and North Korea, as well as by shadowy cyber criminals who shelter in areas under Russian control.
The Colonial Pipeline shutdown was the work of one such group, DarkSide, which the FBI has identified as responsible. The group broke into Colonial's corporate computer systems and encrypted them with ransomware; the company then halted pipeline operations itself as a precaution, and it eventually paid the attackers $4.4 million. Little public information is available on how the intrusion was accomplished, but Mr. Biden’s order tightens federal cybersecurity operations and creates a Cyber Safety Review Board.
The board will be modeled after the National Transportation Safety Board and will investigate major cyberattacks and recommend fixes. But as the White House Fact Sheet on cybersecurity notes, the Colonial Pipeline incident “is a reminder that federal action alone is not enough. Much of our domestic critical infrastructure is owned and operated by the private sector, and those private sector companies make their own determination regarding cybersecurity investments.”
That is precisely why congressional action is needed. Only Congress can reliably define the powers of a Cyber Safety Review Board to include mandatory fixes. The president rightly addresses the problem of lax security in the development of software, a major cause of last year’s SolarWinds hack by the Russian government, by authorizing security standards for software purchased by the federal government. But he cannot require the private sector to adopt procedures, such as isolating the software build process entirely from the internet, that would minimize hacks. Only Congress can do that.
Protecting the systems that operate commercial utilities from compromise by foreign hackers, for example, will require more than the creation of an investigative body. It will require laws. A good model might be our food and drug regulations.
Congress should also consider making software developers bear liability for exploited software flaws that result in major costs.
Mr. Biden’s executive order is a step in the right direction, but the nation needs to leap to a higher level of cybersecurity.
As the Colonial hack showed, our daily lives have become profoundly dependent on the security of the supply networks behind them, and that security is now under threat. Congress has the power to create better nationwide cyber defenses. It must act now.