What do you think? Leave a respectful comment.

What does the Colonial Pipeline hack tell us about the security of U.S. infrastructure?

The federal government on Monday confirmed that a Russian criminal group is behind the hack of the Colonial Pipeline company. The pipeline — the largest of its kind in the U.S. — was shut down after a cyber extortion attempt. The Biden administration is working with the company to investigate the hack. William Brangham speaks to Megan Stifel of the Global Cyber Alliance about its implications.

Read the Full Transcript

  • Judy Woodruff:

    The federal government today confirmed that a Russian criminal group is behind the hacking of a crucial energy pipeline.

    The Biden administration said it is working with the Colonial Pipeline company to deal with the cyber-hack and its effects. Colonial shut down its pipeline, the largest of its kind in the U.S., after the company learned it was the victim of this cyber-extortion attempt.

    William Brangham is back now with the latest on that story.

  • William Brangham:

    Judy, the FBI said a group known as DarkSide is responsible for the this cyberattack, which used what is known as ransomware.

    Ransomware is malicious computer code that block an owner's access to their computer network until a ransom gets paid. Colonial operates a 5,500-mile long pipeline that carries almost half the jet fuel and gasoline that is delivered along the East Coast.

    The company has so far refused to say whether it paid any ransom, but said it hopes to be largely back online by the end of the week. So far, the impact on gas prices has been small. But this attack is just the latest example of ransomware incidents in the U.S.

    By one estimate, in just the past year, more than 113 federal, state and municipal agencies, 500-plus health facilities, and more than 1,600 schools, colleges and universities have all been attacked with ransomware.

    For more on this and the alarm bells it's sounding, I'm joined by Megan Stifel. She's with the Global Cyber Alliance, which is a nonprofit dedicated to reducing cyber-risk.

    Very good to have you on the "NewsHour."

    This most recent attack on this pipeline, I think largely because it is such a major piece of infrastructure, seems like a real escalation. Is this among the worst type of ransomware attack we have seen so far?

  • Megan Stifel:

    Thanks very much for having me tonight.

    In terms of its household recognition of this being an important issue, I would say yes. But we have seen in the past — for example, WannaCry that happened in 2017 hit victims in 150 countries. So this is a major incident in terms of the impact it can have on the East Coast and infrastructure distribution, but, sadly, more could come and has in the past.

  • William Brangham:

    So, as I mentioned, ransomware is basically holding a computer network hostage for money. And the company behind — the hackers behind this said, yes, that was their goal.

    But does ransomware software allow hackers to do more than just hold the system? Could they sabotage it? Could they use it for nefarious purposes? Does it allow you to do that?

  • Megan Stifel:

    In some cases, yes.

    When an actor gains access to a network such as this, they could have the ability to have very serious consequences on safety. But it also is against their interests to do so. If an individual — or if there's harm done, a significant impact, that in some ways can ruin their brand, so to speak.

    And in this case, and other networks, they say, oh, we're not going to target health care sector. We — I think we're seeing that these folks probably didn't mean to have the impact in this instance that they did.

  • William Brangham:

    So, I touched on these huge, huge numbers. But is this a growing epidemic? Are we seeing a rise in these types of attacks?

  • Megan Stifel:

    Yes, particularly over the past year. You mentioned some figures that, to me, I think add up to this one that well, which is 2,400 school systems, governments and health care facilities in 2020 were reportedly the victims of ransomware.

    And that's only the reported victims. The issue too that we see in this space is that not all victims want to come forward to law enforcement. And that really hinders the ability for law enforcement and the government to make an informed decision and develop the best policy options that they have to try and counter this attack.

  • William Brangham:

    So, from a technical perspective, how does ransomware get into a computer network?

  • Megan Stifel:

    Technically, in most cases, ransomware evolves from a suspicious e-mail. Someone clicks on an e-mail that we call these phishing e-mails where someone who you think is an associate or a colleague sends you an e-mail saying, I need you to open this, I need you to do this right now, luring you into clicking on a link.

    That link often reroutes the user to not the intended place they thought they were going, but to a malicious Web site, that then is involved in downloading further malicious software, allowing the perpetrators to gain access to that particular individual's computer and thereby the organization's network.

    And depending on how well the network is architected, they may have access then to a range of places within the network, to very sensitive data, to, in some cases, not-so-sensitive data. But, in most cases, these types of actors will look for data that they know is valuable, and that they can then, again, hold it ransom, so that they can make money.

  • William Brangham:

    It's it's amazing how simple it is, that one click on a dubious e-mail can set off this chain reaction and really imperil huge pieces of infrastructure.

  • Megan Stifel:

    It is.

    And it's — we don't want to overplay the simplicity of it, right? There are a number of steps that can be taken that can frustrate these actors ability to have such an outsized impact, known best practices, such as using multifactor authentication on networks, making sure that there are automatic backups to data, making sure that, as data is — excuse me — software as kept up as up to date as possible, so that vulnerabilities, which is how these exploits are able or these types of activities are able to take advantage of a weakness in the network, making sure that those vulnerabilities are closed.

    So, it takes a range of steps. And, in some cases, they have to be lucky once. And, in some cases, they may have to take it — spend additional time on a victim's network. And the goal here is to make sure that everyone's using best practices, so that it's not their network that's at risk; it's someone else's.

  • William Brangham:

    It seems like you're describing quite a few different holes to patch, both our personal behavior, the way we build software, and then how companies operate this software.

    Do you think that there's a role for the government to play in any of this, in helping these best practices move along?

  • Megan Stifel:


    I was fortunate to lead a ransomware task force that actually convened our — wrapped up our concluding remarks just two weeks ago. And that group came together, over 50 organizations, and identified a range of actions that could be taken, some involving the government.

    In particular, in this — in this instance, we recommended that the government, our government, as well as a number of international partners and allies, work together and determine and make public that the ransomware is an international and national security risk, and, therefore, that they needed to also develop a coalition of governments working to enforce the laws and to bring these perpetrators to justice.

    But, also, in addition to doing investigative, taking — undertaking investigative measures, we have seen that ransomware is the latest symptom of a range of cybersecurity vulnerabilities and weaknesses, as you mentioned, and we therefore think that there needs to be additional incentives.

    And, potentially, there may need to be the need for regulation, particularly of components of critical infrastructure, such as was a victim today. And that will be hopefully the subject of public debate.

  • William Brangham:

    I mean, the Biden administration today pointed the finger at this particular hacking group, DarkSide, but also hinted that they might be based in Russia, and that the Russian government might have some responsibility in all this.

    Do you have a sense of — I mean, let's just say other governments are involved. That's a much trickier nut, if you have to try to get other governments to crack down on actors within their own borders.

  • Megan Stifel:

    It is.

    Unfortunately, we know, in many cases in ransomware, that the actors are operating from something we call safe havens, governments who are unwilling or otherwise unable to help further an investigation of this type.

    And in that case, we have to work with other governments and the private sector to use additional measures to try and bring these perpetrators to justice. That could involve a range of actions, including, as we have already seen from this administration, additional sanctions on Russia, as well as looking at other measures such as foreign military aid, were recommendations from the task force that I was involved in, really looking at all elements of national power to try and bring additional importance and really make an impact on this growing threat.

  • William Brangham:

    All right, Megan Stifel of the Global Cyber Alliance, thank you very much for being here.

  • Megan Stifel:

    Thanks very much for having me.

Listen to this Segment