Bigger Government Role Expected to Protect Industry From Hackers
WASHINGTON — Large-scale cyberattacks continued this week in the United States and abroad as computer security experts told a congressional panel Tuesday that more government intervention is needed.
On Monday, Microsoft announced that Russia-backed hackers were trying to steal information technology to disrupt the global supply chain.
On Tuesday, cyberattackers shut down gas stations across Iran. In Germany, a major auto components supplier was hacked, possibly interfering with automobile production throughout the country.
Other attacks were reported this week at schools in Colorado and Wisconsin.
“The threat is evolving much more quickly than our defense,” said Suzanne Spaulding, a Homeland Security International Security Program senior advisor.
She testified to the House Homeland Security subcommittee on cybersecurity as it considers proposals to require transportation companies to meet minimum requirements for protecting their computer systems that operate the nation’s transit systems, airlines, pipelines and railroads.
The Transportation Security Administration is close to finalizing the requirements. They come with a huge controversy for private industry.
Corporations have traditionally relied upon voluntary guidelines to protect their businesses and customers. They argue against the heavy hand of government regulation, along with the fines and court orders that could accompany it.
Witnesses at the congressional hearing said recent events show voluntary guidelines are too weak to adequately protect the public and the nation’s economy.
Spaulding said that until recently she also favored voluntary private market compliance with cybersecurity guidelines.
“Markets are generally more efficient and, important for such a dynamic area as cyber, nimbler,” she said. “However, over the last couple of years, I have reluctantly had to conclude that we cannot rely upon markets alone to ensure the continuity of nationally critical functions upon which the American public relies.”
Lawmakers and witnesses discussed the May 2021 Colonial Pipeline ransomware attack as a prime example of the damage cyberattackers can cause.
Gasoline and jet fuel deliveries along the 5,500-mile pipeline from Houston, Texas, to the East Coast were shut down for five days while the attackers demanded a $4.4 million bitcoin ransom.
Colonial Pipeline officials paid the ransom but also generated disputes that continued this week about whether anyone should need to respond to demands of thieves who use software to extort money.
“Time is not on our side,” Spaulding said.
Rep. Yvette Clarke, D-N.Y., chairwoman of the cybersecurity subcommittee, said lawmakers were “shocked” by weaknesses in Colonial Pipeline’s cybersecurity.
She also said cyberattacks and ransomware are a special threat for her constituents in New York, which is a major hub for airports, rail systems and transit. Six months ago, Chinese hackers infiltrated computers of the New York Metropolitan Transportation Authority.
“Fortunately, they did not gain access to operational systems that control rail cars, but I remain concerned about the cybersecurity of mass transit systems generally and MTA’s network in particular,” Clarke said. “Given the degree to which middle- and low-income people rely on public transportation, a cyberattack affecting mass transit could have a disproportionate impact on these populations.”
She welcomed the Transportation Security Administration’s upcoming cybersecurity standards for transportation companies and agencies.
“They mark a pivotal transition in the federal government’s approach to cybersecurity,” Clarke said.
The new standards could not come soon enough, according to respondents in a survey released last week by Texas-based cloud computing company Rackspace Technology.
The survey of 1,420 government information technology decision-makers showed that less than half believe their personnel are prepared to mitigate or understand all cyber threats.
Tom can be reached at [email protected]
