Support Intelligent, In-Depth, Trustworthy Journalism.
Nearly a week after a ransomware attack forced Colonial Pipeline to shut down, the company announced it has restored service. The shutdown disrupted gas supplies along the East Coast — full recovery may still take days. The attack has highlighted the vulnerability of U.S. infrastructure to similar attacks. Cynthia Quarterman, a Distinguished Fellow with the Atlantic Council’s Global Energy Center, joins.
Nearly a week after a ransomware attack forced Colonial Pipeline to shut down operations, the company announced on Thursday that it had restored service to its entire pipeline system. The shutdown disrupted gas supplies along the East Coast and caused panic buying, leaving some gas stations without fuel. A full recovery may still take several days. The attack also highlighted the vulnerability of the country's infrastructure to similar attacks. For more on the pipeline hack, I spoke with Cynthia Quarterman, a distinguished fellow with the Atlantic Council's Global Energy Center and former administrator of the US Department of Transportation's Pipeline and Hazardous Materials Safety Administration during the Obama administration.
Miss Quarterman, what is this ransomware attack tell you about just a larger infrastructure question that we should all be grappling with?
That we have a very large infrastructure problem with respect to cybersecurity and being prepared for ransomware and other attacks, whether it be from a nation-state or from private criminal network.
Did we get away lucky this time?
Oh, absolutely. I think we did. I think DarkSide may have bitten off more than they could chew when they attacked Colonial. I think we've had a lot of lucky breaks recently. So we need to now switch from being lucky to being smart.
What's to prevent someone who actually wants to do harm to the United States from creating software, given that they would probably have more resources than a collective group of hackers?
Nothing prevents it. We need to be much better prepared. I think the administration, in their executive order, is moving forward to help the government agencies themselves improve what they're doing. But it's a free market economy. We have set up the system. We've got thousands of pipeline operators out there. And not just pipeline operators, but electric utilities and others who need a lot of help.
So how do we harden this infrastructure? Should this be the kind of spending that we should be engaged in to say, hey, guess what, protecting from a cyber attack should be just like protecting from the weather?
Oh, it is absolutely the same. I agree with you wholeheartedly. We have a huge conundrum here. There is no silver bullet to fix this. There are only a series of steps that we can take to try to prevent this from happening again in the future. And to, if it does happen, to be prepared, as my former partner Stewart Baker said, to fail gracefully.
What are the ramifications if someone decided to hold Colonial or any other pipeline hostage, so to speak, for their information? What happens in America?
If Colonial were not able to come back online immediately, it would take obviously weeks for us to get oil from other sources. If you remember Superstorm Sandy, we had a very similar incident happen. That was all also Colonial Pipeline, it's a big juggernaut.
Most of these operators, if they're in the public markets, they're interested in maximizing their profits and returns to shareholders. What's the case that you would make for them, to them, I suppose, and to all of us to sort of think a little bit bigger?
You know, we have this great free-market economy where we have companies thinking of all these fascinating, creative, innovative things to do. We need to think about the failure, what happens if there's a failure? We have a failure of the imagination about our failures and what are the repercussions if something goes wrong?
So is this likely to be something that needs a regulatory intervention or a legislative one? How do we make sure this doesn't happen again?
Probably all of the above. I think it will happen again, unfortunately. But you need to be prepared. Right now there are guidelines for pipeline companies that are not required. And part of the problem is that it's difficult to make those requirements because you have mom-and-pop pipeline companies and you have Colonial Pipeline Company. Where do you create a regulatory system between those two?
Beyond just the infrastructure we're talking about in pipelines, we're talking about hospitals, talking about education systems, police departments, all of these have been held up, so to speak, by cybercriminals.
And depending on what the industry is, the amount of investment available varies. I'm in a hospital, for example, may not have the kinds of money necessary, which means the government needs to help them. That is a role for government to serve.
Cynthia Quarterman, thanks so much for joining us.
Thanks for having me.
Watch the Full Episode
Support Provided By:
Support PBS NewsHour:
Subscribe to Here’s the Deal, our politics newsletter for analysis you won’t find anywhere else.
Thank you. Please check your inbox to confirm.