The Washington PostDemocracy Dies in Darkness

Opinion Another week, another ransomware emergency. The government must act.

(Kacper Pempel/Reuters)
Placeholder while article actions load

THE RANSOMWARE crisis continues, this time with an attack not on a local hospital or police department but on a pipeline that carries almost half of the East Coast’s gasoline, diesel and other fuels. The incursion is only the most dramatic of many recent reminders that the whole of the U.S. government must act to quell the threat — now.

Colonial Pipeline’s information technology services were reportedly breached last week by an Eastern Europe-based criminal collective called DarkSide. The company responded by shutting the pipeline itself, partly out of caution that the attackers could have gained access and partly out of necessity: It is impossible to invoice customers when your business network is locked down pending payment to a gang of hackers. The Transportation Department has temporarily relaxed regulations to prevent a supply shortage, and Colonial says it hopes to be “substantially” back online by the end of the week. This may, in other words, end up far from a catastrophe. Yet that says nothing about the damage the next incursion could do. And incursions will continue until Congress and the White House do something to stop them.

Ransomware response remains paramount, whether that has to do with helping victims restore access and weather the cost of the downtime, or discouraging payments to perpetrators who will keep striking as long as it’s profitable. There’s also a need for regulations that keep critical infrastructure safer from the start. President Biden is expected to issue an executive order mandating minimum cybersecurity requirements for federal contractors. But it’s up to Congress to impose similar requirements on those outside the chain of procurement who operate critical infrastructure. In the modern economy, it can prove impossible to isolate that infrastructure from the Internet entirely, so potential targets must protect themselves as best they can, even as they assume that protection will never be total. They must actively hunt for breaches and boot the breachers out.

Finally, targets can’t defend themselves completely on their own. The United States and countries around the world must reduce what these criminals can earn, but they must also increase what those criminals must pay for their sabotage. Designating ransomware a national security threat would allow for the necessary intelligence resources to go toward rooting out syndicates. That could also deter hackers from going after sensitive targets. DarkSide said in a news release this week that “our goal is to make money, and not creating problems for society”; maybe the gang is getting nervous about a possible national response. A new designation would make it easier for authorities to impose appropriate punishment, such as asset forfeiture against bad actors and sanctions against countries that harbor them. Russia is chief among those.

Ransomware attacks are a disaster already happening. The response needs to come from individuals who fail to update their smartphones, businesses that fail to safeguard their systems — and governments that are failing to protect the people they serve, or to write rules that would help those people protect themselves.

Read more:

Read a letter responding to this editorial: The United States should make cyber crime a high priority

Robert M. Gates: The United States has a major hole in its cyberdefense. Here’s how to fix it.

Alex Stamos: Enough is enough. Here’s what we should do to defend against the next Russian cyberattacks.

Jennifer Rubin: Liz Cheney’s other problem

Greg Sargent: Stop saying Republicans are ‘cowards’ who fear Trump. The truth is far worse.

Helaine Olen: A lousy myth about moms, kids and work makes a comeback. Republicans are running with it.