Are threats to critical infrastructure growing?
First they came for our water, then our gas; now, our meat.
This Memorial Day, meat processing plants in the United States and Australia owned by JBS, the world’s largest meat supplier, were shuttered by an “organized cybersecurity attack.” The Federal Bureau of Investigation (FBI) has since stated that the attack was carried out by REvil, a Russian-speaking ransomware gang. Luckily, JBS had backup systems in place and was able to get most facilities back into production by June 2. If the disruption had lasted more than a couple of days, the supply crunch might have been more severe. While the ultimate impact is yet to be seen, the attack seems relatively minor. Taken alone, this news story may not have even warranted attention.
We cannot, however, view this attack in a vacuum. In the last few months we’ve seen multiple sieges on other parts of our critical infrastructure, including the Oldsmar, Florida water treatment facility and the Colonial Pipeline. The water facility hack was addressed before anyone was hurt, but the Colonial Pipeline hack ended with a $4.4 million ransom being paid to the attackers. It also led to gas shortages and lines at the pump as panicked buyers attempted to horde gas—apparently in plastic bags. Taken together, such attacks reveal a disturbing trend.
At least, they might, if the United States kept track of these sorts of incidents. Unfortunately, we don’t. The United States is shockingly unaware of what’s going on in our critical infrastructure systems. We don’t even know what percentage of our critical infrastructure is owned by the private sector. That’s why we need a Bureau of Cyber Statistics (BCS). As my colleague Paul Rosenzweig has noted, the Cyberspace Solarium Commission recommended the creation of this bureau as “the government statistical agency that collects, processes, analyzes, and disseminates essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem.” It would function similarly to the Department of Labor Statistics, providing a centralized body to gather and disseminate information about our nation’s cybersecurity. For instance: how many cyber-attacks on critical infrastructure have occurred in the last year? How does that compare to prior years? Is there a trend of escalating attacks? Without the BCS, we can’t answer these or many other vital questions.
In addition to tracking cyber-attacks and creating metrics for success and failure, we also need to provide adequate authority and resources to the agency tasked with protecting us, which is currently the Cybersecurity and Infrastructure Security Agency (CISA). Unfortunately, the Endless Frontier Act, which is currently being considered by the Senate, still lacks adequate resources for CISA. It boggles the mind that protecting our country from cyber-attacks is not included in the bill designed to counter competition from China. If we want to be competitive, we first need to be secure. Without adequate protections, our networks are vulnerable to hacking and ransomware attacks—just like we’ve seen in recent months.
If we fail to act until a more serious attack occurs, it will be too late. The best time to secure our cyber infrastructure was yesterday. The second best time is today.
