– This morning, the routine task of filling up your car’s gas tank remains a difficult one for millions of Americans amid a shortage caused by that cyber attack on the Colonial Pipeline. The pipeline originates in Texas and carries about 45% of the fuel used on the East Coast.
The FBI says the attack was the work of DarkSide, a shadowy hacker group that demanded and got what is believed to be a multimillion-dollar ransom. For more on the pipeline attack and the ongoing risk it highlights, we are joined by retired Admiral Mike Rogers, former National Security Agency director and former head of the US Cyber Command.
Admiral, let me start with, it seems like, the two basic questions. How did this happen? And what did we learn? Specifically, let’s start with how did this happen?
MIKE ROGERS: So in this case, this Russian criminal group, DarkSide, was able to use malicious software programs. They gained access to Colonial Pipeline’s information technology segment, if you will. And they were able to lock it down to preclude the company’s ability to access their network. As a result, the company, it appears, opted to, in turn, shut down the pipeline or the operational side of their business to ensure that this didn’t spread any further.
– So are the hackers getting more sophisticated or are companies just simply not upgrading their systems to where they should be?
MIKE ROGERS: Well, I wish I could tell you that it was only one thing. But the reality is you’re seeing, as a result of COVID and the disbursement of workforces from the workplace out to their homes and other areas as we are connecting more and more systems of a business to the internet as more and more entities, criminal groups, start to engage in ransomware because, quite frankly, it’s been very successful and they’re able to generate a lot of money, and as the level of ability of some of these criminal actors grows– the bottom line is you’re seeing a much greater susceptibility to this kind of activity. You’re seeing a much higher number of actors engaged in this kind of activity. And the proficiency level of those actors just keeps growing.
– Admiral, the– this week, the president signed an executive order mandating minimum cybersecurity requirements for companies. Do you think there should be more collaboration between the government and the private sector or is this something that companies, private companies, should be responsible for on their own?
MIKE ROGERS: I think– look, it’s a challenge to ask a company, if you will, to withstand the concerted efforts, in some cases, of nation-states and others, as in this event, a criminal group. I think it’s in our nation’s best interest to collaborate. But I would argue we need to move beyond collaboration in a much more– into an integrated approach to how we’re going to do cybersecurity, particularly in those areas in the private sector that impact the safety and well-being of our citizens as well as our economy, if you will.
I think it’s very disappointing that literally a week into this event, you had the federal government on Friday, yesterday, say, well, we still don’t have all the details from the company on exactly what happened. That’s not a good place to be.
– We– in this case, it appears that the ransom was paid. And that seems to almost always be the case. What is the merit of paying it? And is there really another option for companies that face this, or government organizations?
MIKE ROGERS: So broadly, I’m not a proponent of paying ransom. Number one, there’s no guarantee that if you give the– in this case, the criminal group the money, they’re actually going to unlock your systems. Secondly, the payment of ransom tends to encourage others because they’re engaged in this activity because they can make money from it.
But having said that, I acknowledge it is not an easy decision. You’re a hospital in the middle of a pandemic. And your systems are shut down due to a cyber hack. It’s a tough call to tell them, hey, look, we’ll just shut it down. Don’t pay the ransom. I think this shows you that in some areas, we need a much tighter and a little different relationship between the federal government and the private sector because the government’s got to help here.
– Not easy– but we have got to figure it out. Thank you so much, Admiral Mike Rogers.