Rep. Abigail Spanberger, D-7th, was already focused on cybersecurity for the electric power grid and other critical infrastructure in a modern society before a criminal ransomware attack shut down the Colonial Pipeline and sent the public into a panic over gasoline for their vehicles.
But the temporary shutdown of the East Coast pipeline has left more than half of Virginia’s gasoline dealers short of fuel and raised public awareness of an ongoing danger that Congress and President Joe Biden face as they debate a potential funding package to rebuild bridges, highways, electricity networks and other critical operations.
“I think it speaks to the everyday threats that are ransomware attacks,” Spanberger said on Thursday.
Colonial resumed operation of the pipeline late Wednesday, but only after paying the attackers nearly $5 million in ransom, according to Bloomberg News and other media outlets.
The shutdown raises concerns about combating a potential national security threat that is often veiled by quiet settlements between the owners of critical infrastructure and criminals who commandeer it with computer ransomware.
“There is so much ransomware going on under the surface,” Senate Intelligence Chairman Sen. Mark Warner, D-Va., said in an interview on Thursday. “I think this is the first time that it has shocked the public about how dangerous it can be.”
Warner worries most about cyberattacks by foreign adversaries in Russia and China, but he is considering legislative action to require U.S. companies to report ransomware incidents, with safeguards for confidentiality and civil immunity.
“It can be an existential threat when you see the kind of damage that can be done,” he said.
Sharing information between the government and private companies about cybersecurity breaches is the first goal of an executive order that Biden signed on Wednesday in response to the Colonial Pipeline shutdown.
The order seeks to remove any contractual barriers that prevent private companies from sharing information about attacks that could affect government information technology networks.
Dominion Energy, owner of the largest electric utility in Virginia and two nuclear power plants, said the executive order is helpful.
“Dominion Energy works closely with others in the industry and government security experts to share threat intelligence and ensure we are prepared to protect and defend our networks,” said Adam Lee, the company’s chief security officer.
“The recent Executive Order will assist in that effort through greater awareness of vulnerabilities and cyber events, as well as by enhancing overall security practices for products and services used across the energy industry,” Lee said.
However, Virginia business leaders are cautious about legislation that would impose new regulatory requirements on companies that are the victims of ransomware attacks, in which criminals extort money in return for removing the threat, as the FBI said an Eastern European gang called DarkSide did with the Colonial Pipeline.
“I would hope [legislation] would be more focused on research and development and collaborating on protecting data, as opposed to overregulation and reporting requirements,” said Barry DuVal, president and CEO of the Virginia Chamber of Commerce.
“Senator Warner is uniquely situated, with his private sector background and chairmanship of the Intelligence Committee, to work collaboratively with the business community in Virginia and across the country on this subject,” DuVal said.
Virginia Secretary of Public Safety and Homeland Security Brian Moran said the state is aware of constant threats to both public and private IT networks, but also recognizes the sensitivity for businesses that don’t want to publicly reveal their vulnerabilities.
“We’re constantly getting attacked,” Moran said. “Many that we know of and many that we don’t because the victims do not want their clientele to know it, for obvious reasons.”
“It demands and requires a federal response,” he said. “These are obviously attacks not only across state lines, but global threats. The state response is only very limited in scope.”
Still, Virginia has taken significant steps to protect critical assets and networks, including a National Guard unit dedicated to cybersecurity, said Sen. Bryce Reeves, R-Spotsylvania, a member of the Secure Commonwealth Panel and its cybersecurity subcommittee. “We’re in pretty good shape, compared to other states.”
But Reeves admits he was taken aback by the Colonial Pipeline shutdown and panic buying of gasoline by the public.
“You see how volatile one pipeline is and it makes people go wild,” he said. “It’s really unnerving.”
Reeves sought to reassure the public after receiving a briefing Thursday from a state emergency management team about Colonial’s resumption of pipeline operations the previous evening. By 7 a.m. on Thursday, the pipeline was operating at 50% of its capacity, with the expectation that fuel would begin arriving in Richmond by midday.
“This process takes time to ensure the safety of the system,” he said.
Reeves also urged people not to hoard gasoline and delay the market’s return to stability.
“It doesn’t need to be a political issue. ... We’ve got to fix it,” he said.
Biden says he wants to address cybersecurity issues in his infrastructure package, estimated at over $2 trillion but still evolving as legislation.
However, the outline of the president’s plan issued last month speaks only to the need for a “more resilient” and modernized electric power grid to respond to potentially catastrophic threats, such as the widespread outages in Texas because of severe winter weather this year.
Spanberger believes the threats to public safety from both natural disasters and criminal enterprises represent “a national security issue” that the infrastructure package should address. She advocates federal spending on enforcement against financial crimes, research and educational training programs to prepare students for jobs in cybersecurity.
“What we knew before the [Colonial Pipeline] attack is we need to build on our cyber workforce training program,” she said.
Virginia has already made cybersecurity research and training a priority in the Commonwealth Cyber Initiative. The General Assembly created the initiative in 2018 to encourage collaboration by state research universities, led by Virginia Tech at a hub in Northern Virginia with four regional nodes, including one coordinated by Virginia Commonwealth University in Richmond.
Luiz DaSilva, executive director of the initiative, said Thursday that the federal government could play a crucial role in partnership with private companies to oversee security of supply chains and vendors, share intelligence about threats, and fund research among academic institutions, private industry and government.
“Funding for cybersecurity research is crucial to establishing U.S. leadership and staying ahead of the ever-evolving threats,” DaSilva said.
He said the initiative also is “developing a qualified workforce in Virginia with specific expertise in areas such as securing the power grid, mitigating ransomware attacks to health care and other industries, and addressing the new vulnerabilities that come about with the widespread adoption of artificial intelligence.”
Moran, the state’s top public safety and homeland security official, said cybersecurity is both a necessity and an opportunity in a state with a heavy concentration of government and defense installations, private data centers and technology companies.
“It’s imperative we continue to take the lead in cybersecurity,” he said.