Monday, June 21, 2021

Foreign Hacking of Utilities: Crimes or Acts of War?


The hacking and week-long shutdown of the Colonial Pipeline last month that spread gasoline shortages throughout the East Coast is only the most visible incident in a series of worrisome cases that may presage something even worse.  A recent Bloomberg News report highlights the fact that U. S. utility systems such as oil and gas pipelines, water systems, and electric grids are extremely vulnerable to the same kind of ransomware attack that shut down Colonial's system.


A friend of mine once summarized engineering ethics with a two-word phrase: "No headlines."  Properly engineered systems that have adequate safety precautions and other mitigations against potential disaster weather all kinds of threats, from internal failures to external hacking attempts, and just keep going.  But as insiders know, beneath the publicly-visible smooth surface there may be many small incidents that engineers manage to catch before they become major problems. 


The Bloomberg report cites one:  earlier this year, the cybersecurity firm Dragos discovered that a hacker had managed to access hundreds of computers involved in operating water systems across the U. S.  Presumably this breach was repaired before any actual damage was done, but gaining access through popular software used by many of the same kinds of enterprises is often the first step in a carefully-planned cyberattack that can take months or years to set up. 


What is even more surprising than the attacks themselves is the wall of indifference that many private firms and cybersecurity companies encounter when they try to gain the attention of government agencies such as the FBI or the Department of Homeland Security.  The pipeline firm ONE Gas of Tulsa, Oklahoma, found last January that a foreign hacker was trying to gain access to the computer system that controls natural-gas traffic across the south central U. S.  After fending off the attack, a cybersecurity firm involved in the defense tried to get a response from the FBI, the Department of Defense, and the Department of Homeland Security.  Representatives of these agencies listened to the story in a conference call, but that was the end of their involvement.


From the agencies' point of view, their apparent indifference may be justified.  Because ONE Gas successfully defended itself against the attack, its story was analogous to that of a homeowner whose attack dogs scared off a burglar trying to break into the garage.  Police might listen politely to such a tale, but because no actual crime was committed, there is not much else they can do.  And thereby hangs a dilemma that needs to be resolved if we hope to avoid successful hacking attempts on utilities in the future: whether to keep regarding ransomware attacks as crimes, or to start treating them as acts of war.


The dilemma goes back to some fundamental legal definitions. 


What has been mostly neglected up to this point is the fact that many cybercrime organizations are hosted by, encouraged by, and possibly operated by foreign governments—China, Russia, and North Korea among them.  Readers of this blog are familiar with my position that cyberattacks committed by foreign individuals or entities constitute matters that should be dealt with by the U. S. military.  But centuries of traditional thinking about what war amounts to stand in the way.


The U. S. legal code says that an act of war is "an action by one country against another with an intention to provoke a war or an action that occurs during a declared war or armed conflict between military forces of any origin."  Right there, we run into problems if we try to consider a ransomware attack by, say, agents of the Russian government, as an act of war.


To be an act of war, and thus a concern of the U. S. military, one would have to show that Russia in that case was either intending to provoke a war, or was doing it during a declared war, or was doing it during an "armed conflict" between military forces, no matter where they came from.


The first condition requires that we somehow divine the fact that Russia, in this hypothetical case, intended to provoke a war.  Proving intent in law is notoriously difficult, so let's skip that one.


The second condition requires that a declared war is going on between Russia and the U. S.  To say the least, that would lead to other problems, so let's skip that one too.


The third condition requires only that the action happens during an "armed conflict between military forces of any origin."  There are two big roadblocks in this phrase.  The first is the word "armed" and the second is "between military forces."  I'm no lawyer, but it seems that if the armed forces of Russia attacked not our military, but only civilian U. S. targets, it wouldn't be an act of war, at least not by this definition.  And the problem with "armed" is even worse.


"Armed conflict" means fighting with arms:  guns, bombs, and similar armaments, all of which are designed explicitly to kill people.  The notion that some guy sitting in his basement in Minsk could hit a few keys and shut off power or water to millions of people in a country on the other side of the world was clearly not anticipated by whoever wrote this definition. 


If computers are used to kill or injure people, however indirectly, does that make them "arms"?  In our Big Freeze here in Texas last February, power failures led more or less directly to the deaths of over a hundred people.  I can imagine that fatalities would also result from a focused, effective attack on power or water utilities, so a lot more than mere inconvenience could be at stake.


While I appreciate the reservations that the U. S. military feels about getting involved in what looks to them like simply criminal activity, the day may come when we are faced with a situation that goes beyond anything we have seen so far:  a crippling blow to widespread and vital infrastructure, accompanied by a not-so-subtle message from a foreign government that if we will just do thus-and-such, we'll get our water and power back.  Legalese aside, that would be an act of war as far as I'm concerned.  And the best way to prepare for such an attack is to put resources, including military resources, into making sure that it can't happen here. 


Sources:  The Tribune News Service article carried by Bloomberg News was picked up in some form by numerous news outlets, including the Arkansas Online website at  I also referred to Cornell University's law school website for the U. S. code's definition of an act of war at  My column on the Colonial Pipeline hack appeared on May 17, 2021.
