The Washington Post

The Cybersecurity 202: DHS directive out today is ‘step one’ in securing pipelines against hacking

with Aaron Schaffer

Stringent new cybersecurity requirements for pipeline companies being released today by the Department of Homeland Security are just the “first step” in a “multi-pronged” effort to prevent a repeat of the devastating Colonial Pipeline ransomware attack, officials say. 

The “Round 1” rules require pipeline companies to notify the Cybersecurity and Infrastructure Security Agency within 12 hours if a cyberattack disrupts their operations or even if it just threatens to disrupt them, according to a draft of those rules shared with The Washington Post.

The companies also must designate a cybersecurity coordinator who can be on call around the clock to talk to DHS officials. And they must report to CISA and the Transportation Security Administration within 30 days if they’re out of compliance with any of TSA’s existing cybersecurity rules. Here’s a preview of the order from my colleagues Ellen Nakashima and Lori Aratani.

In the coming months, DHS plans to go further, releasing “an additional set of rules that require a range of actions to be taken by the [pipeline] sector,” a senior department official said during a call outlining the new directive. 

“These are important steps forward and they should be understood as part of a broader strategic plan to ensure that the pipeline sector does what's needed to protect against the kind of cyber incident that we saw with respect to Colonial,” the senior official said.

The move marks a dramatic shift from DHS's previous approach to pipeline security, which was largely voluntary. 

But the government’s responses may not be able to keep pace with the threat. 

The new rules are coming only after the Colonial Pipeline hack strangled gas supplies in the southeastern United States for several days — and after the company paid a $4.4 million ransom, which it judged was the only way to unlock its systems.

The company also didn't undergo a requested security review of its systems, the Wall Street Journal's David Uberti reports. That's a blow to the voluntary review system TSA previously used. 

And while the government is getting ready to mandate cybersecurity protections for pipelines, officials haven’t publicly contemplated such mandates for any other critical sectors. That includes schools, finance and agriculture, where a major ransomware attack could be similarly costly or disruptive. 

Officials declined to discuss possible mandates for other industries during the call. 

They stressed, however, they want to move carefully and ensure the new rules make pipelines as secure as possible.  

“We are currently very focused on making sure we are getting this one right and incorporating the lessons learned and working with industry,” a senior official said, “because we do want to avoid creating something that's just a check-the-box kind of compliance regime.”

Officials also hope the new rules and widespread concern about Colonial will spur other companies to get their cybersecurity protections in order.

“We're hopeful the attention [to] the Colonial Pipeline incident and the broader range of ransomware attacks in the past several months has created a public consciousness of cybersecurity threats that arguably we haven't seen in the past decade,” a senior official said. 

The keys

Biden’s budget will propose expanding the Pentagon’s cybersecurity force by 10 percent.

The proposed increase of 600 people over two years would be the Cyber Mission Force’s first expansion since it was launched roughly a decade ago, Politico’s Martin Matishak and Lara Seligman report. It comes after years of devastating hacks on the United States and an expanding role for the force of defensive and offensive military hackers.

A Pentagon spokesperson declined to comment ahead of the public announcement of the budget request on Friday. Biden is also requesting $2.1 billion — an increase of $110 million over fiscal year 2021 — for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, according to a budget summary released last month.

Russia remains the world’s largest producer of disinformation, Facebook said.

But groups in other nations are also learning from Russia’s programs to coordinate and manipulate content and information operations on Facebook platforms and are starting disinformation campaigns in their own countries, Elizabeth Dwoskin reports.

“It started out as an elite sport, but now we see more and more people getting into the game,” Nathaniel Gleicher, Facebook’s head of security policy, said.

Iran, Myanmar, the United States and Ukraine were also top originators of foreign and domestic disinformation, while the most frequently targeted countries were the United States, Ukraine, Britain, Libya and Sudan, Facebook said.

The Justice Department, in a shift, is charging people for spreading false voting information.

Its first target is a highly influential Twitter user who used the handle Ricky Vaughn and falsely told his followers they could vote by text, Reuters’s Joseph Menn reports. Vaughn, whose real name is Douglass Mackey, was indicted in January. 

Prosecutors plan to go after higher-profile people that could include some of Mackey’s alleged co-conspirators, people familiar with the strategy said.

The plan, however, faces head winds. Zach Thornley, who represents alleged co-conspirator Tim Gionet, said that his client’s tweets were protected under the First Amendment. Gionet has not been indicted in the case, though he was arrested for participating in the Jan. 6 riot at the Capitol.

Prosecutors are investigating whether the tweets were part of a coordinated campaign to mislead voters and whether it began within the group of Twitter users or with an outside group, perhaps in Russia.

Securing the ballot

He fought Trump’s 2020 lies. He also backs new scrutiny of ballots. (The New York Times)

Global cyberspace

Belgium uproots cyber-espionage campaign with suspected ties to China (CyberScoop)

Cyber insecurity

Hackers release patient data stolen from New Zealand health systems (The Hill)

Hacktivist posts massive scrape of crime app Citizen to dark web (Motherboard)

Possible Chinese hackers pose as UN, human rights group to eavesdrop on beleaguered Uyghur population (CyberScoop)

Encryption wars

WhatsApp says it filed suit in India to prevent tracing of encrypted messages (Wall Street Journal)


  • President Biden plans to nominate Matthew Olsen, Uber’s chief trust and security officer, as assistant attorney general of the Justice Department’s National Security Division, the White House announced.

Chat room

Jan Lemnitzer, the author of “Power, Law and the End of Privateering,” reflected on Cisco unit Talos’s decision to call hacking groups that benefit from governments turning a blind eye to their activities “privateers”:


  • The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for top nominees to the Department of Homeland Security today at 10:15 a.m.
  • Retired Adm. Michael Rogers, the former commander of U.S. Cyber Command and director of the NSA, discusses critical infrastructure supply chain security at an event hosted by the Israeli Economic Missions to North America and Team8 today at noon.
  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, and Jeffrey Greene, the National Security Council’s acting senior director for cybersecurity, speak at a Center for Strategic and International Studies event today at 2 p.m.
  • Amb. Jürg Lauber, the chairman of the UN’s open-ended working group on cybersecurity, and Retired Gen. Keith Alexander, a former director of the NSA and commander of U.S. Cyber Command, speak at an event hosted by The Bridge Foundation and Global Cyber Lab on May 31 at 9 a.m.
  • Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, Rep. Ami Bera (D-Calif.) and former Australian Prime Minister Malcolm Turnbull discuss Australia-U.S. collaboration on issues like cybersecurity to compete with China on June 1 at 6 p.m.
  • Microsoft’s two-day European Cyber Agora conference kicks off on June 2.
  • Dr. Joseph Evans, the Pentagon’s Principal Director for 5G, and other officials speak at the Billington Cybersecurity 5G Security Summit, on June 3 at 11 a.m.

Secure log off