♪ [ This Week in So uth Carolina opening music].

♪ ♪ ♪ ♪ Welcome to This Week in South Carolina.

I'm Gavin Jackson.

It was a busy week in the state as the General Assembly adjourned sine die, passing several major pieces of legislation.

The governor lifted mask mandates in schools and municipalities.

And after a cyber attack caused the colonial pipeline to shut down, people across the South began panic buying gas, leading to limited supply and higher prices.

We look at both of these issues with our guests, but first more from this week.

This week millions of Americans experienced the threat ransomware poses in our modern world, after hackers breached the Colonial Pipeline company and held its systems ransom, resulting in the company shutting down a key fuel pipeline that led to long lines at some gas stations in the southeast and the state, leading to more than 54% of gas stations in South Carolina to run out of gas due to panic buying.

By Wednesday evening the fuel slowly began flowing again, but concerns remain.

In Columbia, lawmakers returned for their final week of the first year in the two year legislative session.

Several Republican priorities for the year made it to the governor's desk this week, including one that would allow concealed weapons permit holders to openly carry their guns and another bill that would require death row inmates to choose between death by electric chair or firing squad, since the state can no longer require a lethal injection drugs.

Bills not passed this year, remain active when lawmakers return in January.

Governor Henry McMaster issued an executive order requiring counties and municipalities to drop their mask mandates.

He did the same for schools, despite having no legal grounds to do so.

Leading the superintendent of education to rescind the mask mandate amid the chaos his order created.

<Henry McMaster> At some point you just the government has to let the parents when it's, when it's appropriate for parents to make decisions for their children, which is all of the time.

It was time.

And the education establishment, most of it has been resisting these very obvious things that should have been done a long time ago.

<Gavin> McMaster's decision came just days before the CDC announced new mask guidance for those who are fully vaccinated.

>> Considering all of these factors, the data on vaccine effectiveness, the science on their ability to protect against circulating variants and our growing understanding of the low risk of transmission to others, combined with universal access to vaccines for those 12 and older, today CDC has updated our guidance for fully vaccinated people.

Anyone who is fully vaccinated can participate in indoor and outdoor activities, large or small without wearing a mask or physical distancing.

<Gavin> In higher education, the University of South Carolina Board of Trustees accepted president Bob Caslen's resignation, less than a week after he admitted to plagiarizing part of his commencement address.

Former President Harris Pastides will serve as interim president, as the board begins another presidential search, two years after choosing Caslen.

Dr Helmut Albrecht is the medical director of the Center for Infectious Disease, Research and Policy at Prisma Health and the University of South Carolina.

He's joining us today to talk about the latest on the pandemic in the state.

Dr. Albrecht, welcome to This Week in South Carolina.

<Dr.

Albrecht> Thanks for having me.

<Gavin> So, before we jump into the news this week, I want to get your take on where we are as a state, to case numbers, what you guys are seeing at Prisma Health when it comes to hospitalizations and just the vaccination uptake in the state.

>> The good news is this is actually the first week that all counties in South Carolina are orange.

That's not great, but it's not as terrible as it was where we have some in red.

So there's for the first time, we don't have any county really being over run then and having significant problems.

The hospitalization rate, the death rate, the new case rate, they're all going down.

The positivity rate and tests is still too high to signify really good control.

It still signifies to little testing, but overall it's looking up.

<Gavin> It looks, we have about 1.4 million South Carolinians fully vaccinated.

That's about 35% of the population.

Numbers have really been dwindling down ever since it was opened to the two every South Carolinian 16 and older.

Now, we'll be opening it up to those younger.

What your thoughts on that vaccination rate still being so sluggish at this point?

<Dr.

Albrecht> Well, it's massively too low.

And it's actually not terribly surprising.

You always have the folks that want to get it that you can reach by passive efforts, opening up large scale institutions, come all and now we'll run against the vaccine, while it's not people that necessarily don't want the vaccine, but need to be convinced to get the vaccine.

So, there needs to be a more active approach to this.

And there's going to be two million South Carolinians who need convincing.

<Gavin> And how do you do that doctor?

I know it's not a matter of belittling someone or talking down to someone but kind of giving them the facts, maybe, and also giving them a personal story perhaps about how this is affecting people.

We're looking hospitalizations right now, I saw a report that 99% of those people hospitalized at the Cleveland Clinic, for example, are not vaccinated.

These people that are going to hospitals right now are the people that are not vaccinated.

So, how do you make that mesh?

How do you project that message to those that just don't want to get this vaccine?

>> It's a very mixed bag from anti vaxxers, to vaccine hesitancy, to religious, to political reasons, to laziness, to I just haven't had the time yet, priority thing.

So, you need to address them where they are and what needs they have.

Anti-vaxxers you will never completely convince, but others you can and I think a huge step would be to get this into essentially all the medical offices.

Hence, that's going to be a key component for a lot of people who want to look for information and they look to their providers usually.

<Gavin> Well, just this week, we have some other people that you might need to be convincing.

That's parents of 12 to 15 year olds on whether they should get their child vaccinated with the Pfizer vaccine, since the FDA approved emergency use authorization for Pfizer for those adolescents, as well as CDC approving it and now DHEC giving out guidance to providers in the state.

What do you say to parents who are thinking about making this decision for their teens?

<Dr.

Albrecht> If you like your kids get them vaccinated.

If you don't, don't.

It's - for a vast majority of people that now need to be vaccinated, you get vaccinated not only for yourself, but mostly actually for other people, for the person you run into in the store who's undergoing chemotherapy and will not respond that well, for your grandparents, for your parents, people you like who will depend on you to be immune and not bring it in.

So a lot more people need to help the community and their friends and their family out than they do now and 12 to 15, 15 to 18 year old.

And now 12 to 15 is going to be the next step.

They have - they're our main driver of this epidemic because they often have asymptomatic infection and then bring it to grandpa and grandpa will kill over and that's what we see in the hospitals.

Everybody who's vaccinated and gets it, got it from a child essentially.

<Gavin> Yeah, cause I feel like there's been mixed research out there about the transmissibility when it comes to children, especially when we talk about schools and the like and we'll get to that in a moment but it is still pretty transmissible among young children at this point?

>> Kids are not immune.

They are infectious just as anybody else.

They are less symptomatic, typically which helps not to transmit that much, but if you are in a school setting where there's significant other mitigation factors, you can keep infection rates low.

But since asymptomatic infection is a main driver of the pandemic, right now and a lot of these asymptomatics are in this younger age range, there's nothing magical about kids that they can't transmit this to others.

Again, they are more protected from illness but not from infection and when they go home to their multi-generational families, then we see the problem in two generations up.

And I understand it's stress on kids, but they actually would like to wear masks and get vaccinated and not have the stress of being responsible of bringing it home.

That stress you can never get over.

So, think about that what this may cause down the road, if you sort of hesitate on that too much.

<Gavin> Yeah, that's what we're seeing now among these younger children but those under 34 who have been really a sluggish to get vaccinated ever since it's been opened up to the entire population in the state.

I do want to point to some numbers, DHEC has reported that there have been 13,712 cases among school students in the state and 4,386 cases among school employees.

The governor, this week issued an executive order saying that students don't have to wear masks in schools unless they have a parental waiver.

This contradicts DHEC's director, who advises the governor on such matters, for these remaining days in school.

Even the superintendent education was not consulted on this.

She objected to this with the governor's staff.

They proceeded anyway.

What's your take on this decision by the governor?

<Dr.

Albrecht> I don't like it because I come from a public health standpoint and currently the guidance is to not do this.

And I don't understand it.

It's a battle that didn't need to be fought.

Why do you need to die in a battle that you didn't need to enter.

We're 25 less than 25 days away from summer vacation.

We could have sorted this out.

Why now?

It is working.

You just mentioned the case numbers and again, the kids usually do fine but can transmit it then to other people.

And we just cannot call our elders and ill. And we didn't have to go there right now.

It was working.

We didn't test enough.

That's why we have so few cases in school settings, but now to try that out, if that works was entirely unnecessary in my opinion.

<Gavin> Yeah and the superintendent of education did say that she was planning on lifting that order after they finish the school year.

Now, she said it has caused chaos across the state in these remaining few days.

But the governor's executive order also extended to municipalities and counties as well.

We're seeing mask bands being lifted in places like Greenville, soon to be in Columbia, I think.

What concerns do you have right now?

And why should we still be wearing masks if so many are vaccinated, if we are getting closer to this immunity and our cases remain so low?

What's your message to folks about still wearing a mask out and about.

>> That guidance is based on data.

And it is very clear that these mitigation techniques: hand washing, distancing, all these other things plus vaccines work well together.

Vaccine plus masking is better than than either one alone.

35% is simply not enough I'm very comfortable now in a room with a hundred people if they are vaccinated.

I'm not comfortable in a room with five people, if two are not vaccinated.

And then large settings, including school settings you simply don't know who's vaccinated and that still poses the big risks to this.

People that cannot afford to get ill, people on chemotherapy, very elderly and other people and they would require people around them to be vaccinated and 35%, you can cannot mathematically get over the hump.

So we need to at least double that up to get a fair chance to stroll around in Soda City or something like that without a mask.

>> And then, doctor, with about a minute left, I want to ask you, in South Carolina there were 31 total deaths for the week ending May 8th, that's the lowest since April 2020.

There are about 4,000 cases that week, as well.

That's the lowest since last summer.

What fears do you have going forward, at this point, even though we have seen these numbers dropping a lot, hospitalizations dropping?

What fears do you have?

What remains for you?

>> We celebrate 31, right.

This is 31 dead people.

Those are not numbers.

Those are your neighbors, your parents, friends, co-workers.

So, let's not minimize 31 deaths.

The number of cases is still high enough to completely shift the epidemic back into a fire hose with variants coming, so we need to still do better.

>> Gotcha.

Some incredible valuable insight there, Dr. Helmut Albrecht, he is the medical director of the Center for Infectious Disease Research and Policy at Prisma Health and the University of South Carolina.

Doctor, thank you again for joining us.

>> Thanks for having me.

>> Joining me to discuss the latest fallout from the Colonial Pipeline ransomware attack is Megan Stifel.

She's the Executive Director Americas at the Global Cyber Alliance.

That's a nonprofit that works to reduce cyber risk.

Dr Stifel thanks for joining us.

<Megan Stifel> Thanks so much for having me.

<Gavin> So, let's start off with the latest we have on the Colonial Pipeline ransomware attack.

That pipeline supplies 45% of the fuel for the east coast, It fell to attack on May 8th.

Obviously, things have changed since that happened.

We're now understanding that this pipeline is back online and actually they didn't have to pay the ransom is what my understanding is.

Can you just tell us what you know about the situation and how these happen in the first place?

>> Sure, yes, as you noted, this particular structured company fell victim by a ransomware attack late last week, as we understand from public reporting, the incident essentially involves access to the corporate network.

So out of an abundance of caution which is a good thing to think through it for anyone really, they immediately took steps to limit the ability for the actors to move somewhere else in the company's infrastructure or in their information technology components.

In this case we're talking about, of course the pipeline.

So, in many cases, these types of incidents begin but not in all cases through a malicious email, and it sounds like from press reporting that again someone, unfortunately clicked on a bad email that ultimately led to the DarkSide, is the criminal group that's been identified as the actor here to enter the network and obtain files, remove those files and then encrypt those files which means that they will essentially kind of put a new door on those files and take the key with them and the company is unable to access the data without paying a ransom and in this case, the actors often are also now conducting something called double extortion where they not only lock up your files, but they also threaten to make those, the data they've removed from your ability to access it, public.

And now we understand, I think there's new reporting actually this morning that's possible the Colonial did pay the ransom, last week.

<Gavin> Gotcha.

So, was there any word on how much that costs or what these trends are looking like when it comes to how much these type of situations cost companies?

>> The report I'm seeing this morning is that the the ransom paid here was five million dollars.

Again, just recent reporting, so not necessarily confirming it, but in many cases, unfortunately in the past year or so particularly as a result we think of the pandemic, not only the scale, but also the scope of victims has increased.

So, you're seeing more victims of ransomware as well as the demands a ransom increasing dramatically.

<Gavin> Megan kind of tell us how this is even possible in 2021, especially for such critical infrastructure to fall victim to such an attack.

>> It's hard to say that there is one specific reason why this is occurring.

In many cases there are a range of factors that can lead to the scale and scope of ransomware in this particular case.

Ransomware is unfortunately the sign of a broader problem and that probably is reduced interest an ability to implement good cyber hygiene.

Here, we're talking about known best practices, things like multi-factor authentication, the encryption of data at rest and in transit, other practices that companies can develop and really practice, in fact, policies that they can practice that will reduce their likelihood of becoming a victim of a range of cyber crimes.

Again ransomware is just one type of cyber crime.

There are a range of others, business email compromise being an example of another type of malicious cyber activity that can occur when a company or organization, doesn't have to be a for-profit entity.

It's important to note that too.

It is not prioritizing cybersecurity.

We really, I think, are in this situation because we continue to struggle for not only private sector entities but also public entities to recognize the real threat that cyber crime in particularly ransomware in this case poses.

<Gavin> Yeah, I can just personally attest to the fact that here at ETV, our I.T.

people constantly drill us on these things.

We constantly have to be trained on these things, because we did see such a breach of data in the past when it comes to state governments, as well, social security numbers Department of Revenue, a lot of lessons learned there from that breach.

But I'll ask you about your time as a director for International Cyber Policy at the National Security Council.

You've worked there.

You worked in this field for years now, which is why I assume you recently said that, "This isn't a wake up call, rather this is just bed sores."

Can you elaborate on what you meant by that and where we are right now when it comes to these kinds of attacks?

>> Yes.

It's unfortunately I think many times we think in visuals.

So, really the concern is that many folks are calling this Colonial attack the attack on the Colonial Pipeline, corporate network, a wake up call that cybersecurity and ransomware is really a problem and unfortunately cybersecurity has been neglected we would say, much like someone - it's not at all to make light either of those who are unable to remove themselves from positions that would lead to bed sores.

But in this case there are actions that organizations can take.

Resources need to be invested, not only money but also time and training.

And rather than saying, "Oh my gosh, now we need to recognize that ransomware "is a threat, because we weren't able to get gas for four days, we really need to be thinking about - I was shocked that someone had asked, "Should companies put reserves aside to pay ransoms?"

And my first response to that is, "Did you actually spend any money yet on cyber security?"

Probably these actors will find that you've decided to take the policy position that you're going to keep reserves that may make you actually increase target if they're already in your networking looking around.

Let's take some time to spend some money on having good cyber hygiene first.

<Gavin> Yeah and not make this a foregone conclusion.

Right.

That we're all going to be a victim at some point?

<Megan> Yes.

- <Gavin> When we talk about this being not necessarily a wake up call, but perhaps maybe for the general population this kind of was when it comes to cyber security, do you think that this will lead to some change hopefully, because now we've all been you know subjected to the ramifications of this attack and more so than we have in you know maybe some of these other isolated incidents when they attacked a hospital or a local government, or any number any number of entities?

What do you think might be a ramification or outcome of the situation?

<Megan> We're already seeing increased conversation and calls in Congress for additional regulation in this space.

So, even I think the Federal Energy Regulatory Commission director is thinking about the need for mandatory minimum requirements for cybersecurity for pipe lines.

There's also the executive order that the Biden administration made public last night.

There's no direct application of that order to the private sector.

Executive orders can only direct private -excuse me - not private sector entities, such executive branch agencies and there will be some requirements that order is calling for that will flow down though to the private sector.

So, we'll see the likelihood that products will be more secure to market, which will then help consumers as well as the government procure better and buy better more secure devices.

<Gavin> So who needs to take the lead here.

Is this a private sector situation where they need to be making sure that they're up to snuff or do we need the government to jump in and start regulating or passing more legislation to help support those missions?

>> Actually, it's a little bit of both.

We have seen and actually ten years ago now when I was in government, the executive branch proposed a range of cyber security legislative proposals that ultimately, most of them did not come forward and get passed in the legislation.

One might look back on that and say, "Well, would we be in this situation it that's known on that policy made its way through Congress."

Hindsight being 20/20, we really need both the industry, as well as the government to get their own houses in order, as well as to work together to ensure that they're helping consumers in this space because we're all interconnected and that's the real opportunity but also the challenge.

We each need to take steps, whether we're an individual, a small business, a large enterprise, a big company, as well as governments to do our part to make sure that we're being secure and we're being - we have the best cyber hygiene so that we don't - not unlike pandemics and other types of hygiene we're not getting, we're not becoming the weak link that hurts others.

<Gavin> Megan, looking forward we have about three minutes left to keep talking, but I was surprised that DarkSide actually apologized for this attack.

I don't know if you saw the apology I guess they didn't think they would have such widespread ramifications here.

I want to get your thoughts on what that means for them to actually apologize for a situation like that.

Maybe they're feeling some remorse there, because not only was it a small attack, but you have the whole government of the United States kind of going after you at this point responding to this situation at this point.

What do you make of that and also those actors that maybe support these hacker groups like DarkSide?

>> Sure, it's not the first time that we've seen a ransomware group, first of all accept responsibility, but also to apologize or otherwise suggests that they are going to change their behavior.

In fact, Dark Side itself had previously said that they were not going to attack hospitals and others that they perceived to be in of higher importance in terms of remaining, keeping them secure.

But the challenge here of course is that in many cases DarkSide is a group that operates what's called ransomware as a service.

It's actually a quite a dispersed group of individuals and they may not actually know in some cases when they find a victim who the victim is.

And then those actors they don't all know what each other is going to do.

So, someone gains access to the network and they actually sell that access to another member of the group, who is the one who conducts the connaissance so to speak in the victim's network to identify the files that they're going to encrypt.

And the challenge, of course, too is that once that law enforcement is notified and it's important that law enforcement be notified about these types of incidents because they are then able to not only help the victim recover, but also to prevent additional victimization.

Law enforcement in this case and in many cases with ransomware is not able to conduct their investigation as thoroughly as they might like to, because many times these actors are overseas in what are often referred to as safe haven places, countries whose governments are unwilling or otherwise unable to help law enforcement conduct a thorough investigation and in some cases render the actors to the custody of another government so that we can begin to stem the tide of ransomware.

<Gavin> Especially one of those governments would be the Russian government too, like saw with the SolarWinds hack, as well.

There was a hearing in the Senate this week about that hack and some questions whether that might be tied to the pipeline ransomware attack.

Do you have any insight on that or any thoughts on how the two might be connected?

Or maybe what we might be expecting to see in the future as a result of these large scale operations?

>> I don't think there's been any direct connection at this point made between the DarkSide incident and SolarWinds beyond the fact that it's believed that the all these actors particularly the case in someone's are operating from Russia.

And so, it's clear that Russia in many cases operates as a safe haven for cyber crime and other types of malicious cyber activity and therefore as the ransomware task force that I was a part of and I called for, we really need to see an international coalition of governments come together with industry to identify ransomware as a high priority and to begin to focus their diplomatic and enforcement efforts to make clear to Russia that this type of activity can no longer be condoned and at least a blind eye turned to it.

<Gavin> Let's hope somethings change there.

Megan Stifel, she's the Executive Director for the Americas at the Global Cyber Alliance.

Thanks again for joining us.

>> Thanks again for having me.

<Gavin> To stay up to date with the latest news throughout the week, check out the South Carolina Lede.

It's a podcast I host twice a week and can be found on SouthCarolinaPublicRadio.org or wherever you find podcasts.

For South Carolina ETV, I'm Gavin Jackson.

Be well, South Carolina.

♪ ♪