The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years

Today marks two years since a watershed moment in the short but turbulent history of cybersecurity. On May 7, 2021, a ransomware attack on Colonial Pipeline captured headlines around the world with pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school. This was the moment when the vulnerability of our highly connected society became a nationwide reality and a kitchen table issue.

The good news is that since that event, the Biden-Harris Administration has made significant strides in our collective cyber defense, harnessing the full power of the U.S. government to address the full spectrum of the threat. At the Cybersecurity and Infrastructure Security Agency (CISA), we have been laser focused on improving resilience across our Nation’s critical infrastructure. Recognizing that organizations need a simple way to access actionable and timely cybersecurity information, we developed stopransomware.gov to provide a central location for alerts and guidance for businesses and individuals. Recognizing that only cohesive collaboration across government will scale to meet the threat, we launched the Joint Ransomware Task Force with our FBI partners to orchestrate the federal government’s response to the epidemic of ransomware. And recognizing the need to bring together industry, government, and internal partners and tear down siloes that create gaps for the adversary, we established the Joint Cyber Defense Collaborative (JCDC)—a concept born out of the U.S. Cyberspace Solarium Commission on which one of us served as a Commissioner—to catalyze a community of experts on the front lines of cyber defense—from across the public and private sectors—to share insights and information in real time to understand threats and drive down risk to the nation.

Since its establishment, the JCDC led the national response to one of the most extensive software vulnerabilities discovered; played a central role in CISA’s Shields Up campaign to protect critical infrastructure from potential Russian cyber-attacks; and, along with our partners at the Transportation Security Administration (TSA), brought together more than 25 major pipeline operators and industrial control systems partners to strengthen security practices to safeguard the operational technology networks critical to pipeline operations, efforts that complement the Security Directives TSA issued in the aftermath of the attack on Colonial Pipeline. Separately, with the support of Congress, we expanded our capability known as “CyberSentry” which enables heightened visibility into and more rapid detection of cyber threats that could target our nation’s most critical operational technology networks. Finally, we worked to help organizations of all sizes and skill levels prioritize the most impactful cybersecurity investments with the introduction of cybersecurity performance goals, or CPGs.

While we should welcome this progress, much work remains to ensure the security and resilience of our critical infrastructure in light of complex threats and increasing geopolitical tension. The U.S. Intelligence Community issued a stark warning of a potential future in its recent Annual Assessment, noting that “If Beijing feared that a major conflict with the United States were imminent, it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure…China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”

We cannot afford to dismiss this warning. We must do everything today to be prepared for such a scenario. First, we must ensure that the technology that underpins the services that Americans rely on every hour of every day is safe and secure. For too long, we have sacrificed security for features and speed to market, leaving us increasingly vulnerable, with the burden of security placed on those least able to bear it. As listed in one of the core pillars in the President’s National Cyber Strategy we need security to be built into the creation of new technology—as a foundational imperative—rather than bolted on at the end requiring continuous security updates from consumers. 

Second, we need to prioritize cybersecurity at the highest levels. The days of relegating cybersecurity to the CIO or the CISO must end. CEOs and Boards of Directors must embrace cyber risk as a matter of good governance and prioritize cybersecurity as a strategic imperative and business enabler.

Third, we must continue to invest in the JCDC model of persistent and proactive operational collaboration between government and industry where the default is to share information on malicious cyber activity, knowing that a threat to one is a threat to all.

Finally, we need to normalize cyber risks for the general public with the recognition that cyber-attacks are a reality for the foreseeable future. We cannot completely prevent attacks from happening, but we can minimize their impact by building resilience into our infrastructure and into our society. We need to look no further than our Ukrainian partners for an example of the power of societal resilience.  

These changes are not easy, but we need to hold ourselves accountable to the hard lessons learned from two years ago. Are we going to make the choices that will lead us to a secure, resilient, and prosperous future or are we going to allow inaction to dictate a future in which our national security and our way of life hang in the balance? We have proven that it can be done but only if we act now…together.