The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: TSA is about to announce new ransomware protection requirements for pipelines

with Aaron Schaffer

The Transportation Security Administration is today mandating that pipelines implement protections against ransomware and other cyberattacks, according to a statement shared with The Cybersecurity 202.

The action marks the first time the federal government has required specific cyber protections for pipelines. It comes in the wake of a May ransomware attack on Colonial Pipeline that disrupted gas supplies to the southeastern United States and prompted panic buying. In that case, the Russia-based hackers locked up Colonial’s computers for days until the company paid a $4.3 million ransom. 

A previous directive from TSA in May required pipelines to report all cyber incidents affecting their computer systems to federal authorities. 

The new mandates are part of a dramatic rethinking of government’s role in protecting critical U.S. industries against cyberattacks after Colonial and a slew of other ransomware attacks exposed the ability of Russia-based cybercriminals to wreak havoc on the U.S. economy and national security. 

The lives and livelihoods of the American people are reliant upon secure critical infrastructure,” Secretary of Homeland Security Alejandro N. Mayorkas said. “Through this security directive, the department can ensure that the pipeline sector takes the necessary steps to safeguard their operations from rising cyber threats and thereby better protect our national and economic security.”

The TSA isn’t sharing the detailed cybersecurity requirements, but says they include “specific mitigation measures to protect against ransomware attacks and other known threats” to both the operational technology systems that manage transporting hazardous liquids and natural gas, and the conventional computer systems that interact with them. 

Pipeline owners must also develop and implement contingency and recovery plans in the event of a cyberattack and conduct cybersecurity reviews. DHS’s Cybersecurity and Infrastructure Security Agency assisted TSA in developing the requirements. 

“This new security directive will require that covered pipeline owners and operators implement proven and tested cybersecurity best practices to protect their systems from attack,” a DHS spokesperson said. “The directive is designated as security sensitive information and, as a result, its distribution will be limited to those with a need to know.”

Bloomberg earlier reported that such a directive could come as early as this week. 

The move comes as Congress is mulling a major expansion of government’s authority to set cybersecurity rules for critical infrastructure. 

A proposed measure that may be debated as early as this month would require companies in critical sectors such as energy, transportation and agriculture to report all cyber incidents to federal authorities. The rules would also apply to government contractors and cybersecurity companies. 

It’s part of a sea change in the cybersecurity community embracing stricter cyber mandates for industry. It also reflects a general assessment that companies haven’t voluntarily stepped up their cyber protections enough in response to the growing threat. 

Prior to May, TSA dealt with pipeline cybersecurity primarily through a process of voluntary in-depth reviews that began in 2018. Colonial discussed scheduling such a review with TSA but it never occurred before the May ransomware attack that shook the industry. 

The DHS directive is also part of what’s effectively an all-fronts battle against ransomware by the Biden administration.

On the foreign policy side, that’s included a tense showdown in which President Biden demanded Russian President Vladimir Putin crack down on the criminal ransomware gangs that operate from Russian territory. 

The Justice Department has also gotten more aggressive, including clawing back the ransom Colonial Pipeline paid to the Dark Side group. 

Other actions include an international effort to make it more difficult for ransomware gangs to accept and transfer funds using cryptocurrency; and a State Department program offering rewards of up to $10 million for information that helps halt or punish hackers.

The keys

Americans using foreign phone numbers are vulnerable to hacks by NSO Group's Pegasus software.

The overseas phone numbers of about a dozen Americans were on a list of more than 50,000 phone numbers that included documented surveillance targets of Israeli cybersurveillance firm NSO Group's software, Craig Timberg, John Hudson and Kristof Clerix report. The numbers were used by journalists, aid workers and diplomats, among others. 

The U.S. phone numbers of other Americans were also on the list, including President Biden’s lead Iran negotiator Rob Malley. Malley’s phone was added to the list when he led the International Crisis Group in 2019. He declined to comment. Without obtaining access to phones belonging to Malley and other Americans, it’s not possible to determine whether they were hacked. 

The revelations are part of an investigation by The Washington Post and 16 other media organizations into how nations, including authoritarian regimes, have used NSO tools to broadly snoop on their citizens. Our colleagues also have two other must-read reports out this morning about Indian activists whose phone numbers were on the list, and the suspicions U.S. and European security officials have about NSO’s links to Israel.

NSO, for its part, says it is “technologically impossible” to target phone numbers with the United States’s +1 country code. The company also said that phones geographically located in the United States can’t be targeted. But it’s less clear whether Americans’ foreign phones can be hacked. NSO spokeswoman Ariella Ben Abraham did not answer a question about whether this is possible.

Top United Nations and European Union officials condemned the reported surveillance of journalists and human rights activists and called for private surveillance companies to be reined in.

From Sen. Ron Wyden (D-Ore.): “If surveillance companies like NSO are working with our adversaries to spy on American government employees working overseas, they need to be held accountable. These spy-for-hire firms are a threat to U.S. national security, and the administration should consider all options to ensure that federal employees are not targeted.”

A judge granted Microsoft’s request to seize 17 domains set up by hackers.

A West African hacking group appears to have used the domains to target U.S. small businesses, according to Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit. It’s the 24th time Microsoft took legal action against hacking groups since 2010.

The hackers targeted Microsoft Office 365 customers, the company said in a court filing. After getting access to Office 365 accounts, the hackers set up fake domains that impersonated legitimate businesses to get employees to send money, according to the filing.

China roundup

Biden administration debating whether and how to sanction China for ransomware attacks (CNN)

China rejects hacking charges, accuses US of cyberspying (Joe McDonald | AP)

Norway ties cyberattack on parliament to China (Reuters)

Chinese hackers accused of hiding data inside Trump picture (Motherboard)

How China Transformed Into a Prime Cyber Threat to the U.S. (New York Times)

Chat room

Here's a revealing back-and-forth on the prospects for U.S. cyber sanctions against China from Chris Painter, State Department cyber coordinator during the Obama administration, and Silverado Policy Accelerator executive chairman Dmitri Alperovitch:

More on Pegasus

French prosecutor opens probe after Pegasus spyware complaint (Reuters)

Hungary’s spyware scandal is a crisis for Europe (Ishaan Tharoor)

Apple Has ‘Major’ iMessage Security Problems, Says Pegasus Spyware Expert (Forbes)

Government scan

The Pentagon is bolstering its AI systems — by hacking itself (Wired)

Justice Department curtails seizure of reporters’ phone and email records in leak investigations (Devlin Barrett)

Global Cyberspace

Saudi Aramco data breach sees 1 TB of stolen data for sale (Bleeping Computer)


  • A House Intelligence Committee panel holds a hearing on microelectronics security and innovation today at 10 a.m. 
  • The House Committee on Small Business holds a hearing on small businesses’ cybersecurity today at 10 a.m.
  • A House Energy and Commerce Committee panel holds a hearing on ransomware today at 10:30 a.m. 
  • The Senate Intelligence Committee holds a hearing on President Biden’s nominations of officials to top posts today at 2:45 p.m.
  • The Senate Committee on Environment and Public Works holds a hearing on cybersecurity vulnerabilities in physical infrastructure on Wednesday at 10 a.m.
  • The Atlantic Council hosts an event on Russia and cybercrime on Thursday at 1 p.m.

Secure log off