The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

One year ago, Colonial Pipeline changed the cyber landscape forever


Welcome to The Cybersecurity 202! The filmmaker Orson Welles would have turned 107 today. Check out this great Dick Cavett interview where he talks about crossing paths with Churchill and Hitler in his youth. 

Below: Spain's intel chief acknowledges some hacks of Catalan officials using Pegasus spyware, and Russians are rushing to anonymizing tools to buck Kremlin censorship and surveillance. 

The Colonial Pipeline attack stirred the government to more action over the past year

The Colonial Pipeline ransomware attack, which took place one year ago tomorrow, is a strong contender for the most consequential cyberattack in history. 

It marked a seismic shift in which a cyberattack had real-world implications for tens of thousands of average Americans who spent hours in gas lines and fretted about price surges and being unable to fill their tanks. 

The attack by the DarkSide cybercriminal gang — and Colonial’s decision to shut down operations for five days while the company recovered — gained an unprecedented amount of public attention. 

Previous hacks had sent shock waves through the White House and Pentagon and sent corporate executives scrambling to limit their legal liability and reputational damage. But none had produced so much popular awareness and anxiety. 

Justin Fier, director of cyber intelligence and analytics at the cybersecurity firm Darktrace, was in the thick of it:

The government response was also unprecedented. 

  • The attack — along with other ransomware strikes against the meat processor JBS and the IT provider Kaseya — prompted a diplomatic confrontation between President Biden and Russian President Vladimir Putin during a Geneva Summit. Biden demanded that Putin prevent Russia-based cybercriminals from targeting U.S. critical infrastructure including pipelines, energy and financial firms — a move U.S. officials had not taken six months earlier when the Kremlin hacked into a slew of U.S. government agencies.
  • The attack also arguably led directly to congressional passage of the most substantial cyber requirements for critical infrastructure firms in history —  obligating them to alert the government within three days if they’re hacked and within one day if they pay a ransom to hackers.
  • The top U.S. pipeline regulator proposed a roughly $1 million fine for Colonial’s safety violations yesterday, Reuters reports.

Tony Anscombe, chief security evangelist at the cyber firm ESET:

I asked cyber pros on Twitter for other big takeaways on the Colonial Pipeline anniversary. Here’s what they said:

Giving cybercriminals their due: Nation states including Russia, China, Iran and North Korea traditionally dominated U.S. officials’ list of cyberthreats. But Colonial showed that criminal hackers can be just as disruptive. 

Brett Callow, threat analyst at the cybersecurity firm Emsisoft: 

Andrew Thompson, senior manager at the cybersecurity firm Mandiant: 

Security researcher Kevin Beaumont:

No more foot dragging: Congress had held plenty of hearings about the ransomware threat and made plenty of statements, but it had done comparatively little at that point to raise potential victims’ cyberdefenses. Now they’re starting to move. 

Megan Stifel, chief strategy officer for the Institute for Security and Technology and a former White House cyber official: 

Everyone knows someone: Part of the power of the Colonial Pipeline attack was that everyone knew someone who’d been affected by it. Or they knew someone who knew someone. 

Charles Henderson, head of IBM’s X-Force threat management team, compared it to the “Six Degrees of Kevin Bacon.” 

The Swift on Security cyber parody account put it more succinctly:

Show me which hacks a nation freaks out about and I’ll show you its values: Ransomware had been hitting schools and hospitals for years, disrupting American lives on a more micro scale. Some found it galling that it took a hack affecting gas supplies to rock the American consciousness. 

Selena Larson, senior threat intelligence analyst at the cybersecurity firm Proofpoint:

Opening the door to regulations: The government has imposed basic cyber standards on pipelines and a handful of other industries where it has regulatory authority during the past year — a move that would have seemed highly unlikely before Colonial. 

“Post-Colonial, we saw dramatic calls for regulation,” Brian Harrell, former assistant director for infrastructure security at the Cybersecurity and Infrastructure Security Agency, told me by direct message. “While mandatory standards are helpful, they are only one tool in the toolbox. Compliance checklists, with minimum baseline standards, will not stop a sophisticated cyberattack by a determined nation state adversary.”

The power of extortion: DarkSide is among a number of ransomware groups that didn’t just lock up a company’s data and demand payment to unlock it, but also threatened to leak the victim’s sensitive data to compel them to pay up. That has proved a useful strategy in the year since Colonial. 

Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike: 

Law enforcement punching back: One big post-Colonial development came from the Justice Department, which cracked into the criminals’ bitcoin wallet and recovered $2.3 million – the bitcoin equivalent of the $4.3 million ransom that Colonial Pipeline paid, because the value of bitcoin had dropped substantially in the interim.

Allan Liska, principal threat adviser at Recorded Future:

Fewer walls in security: The Colonial Pipeline hackers never actually reached the operational technology systems that send oil through the pipelines. But they caused so much panic by locking up the company’s information technology systems that operators shut down the pipeline anyway. One big lesson is that the cyber folks and the operational folks need to be in better contact to understand the risks of such an attack.

Harvard University professor and Obama administration Department of Homeland Security official Juliette Kayyem:

Not much: One common response was that the nation actually learned comparatively little from Colonial and that developments in the past year haven’t remotely equaled the scale of the threat. 

Ronnie Tokazowski, principal threat adviser at Cofense:

The keys

Spanish intelligence chief acknowledges Spain targeted 18 supporters of Catalan independence with spyware

The spy agency got court orders to spy on politician Pere Aragonès, now president of Spain’s autonomous Catalonia region, and 17 other supporters of Catalan independence, El País’s Miguel Gonzalez, Xose Hermida and Javier Casqueiro report.

  • The 17 other targets all had alleged links to a protest group that called for shutting down Barcelona’s airport in 2019 to support Catalonian self-determination, Spanish spy chief Paz Esteban told Spanish lawmakers in a closed-door hearing. 
  • Esteban showed the lawmakers the court orders that her agency got to use Pegasus on the victims, Hermida and Casqueiro report. 
  • Aragonès is demanding that the orders be immediately declassified.

Spanish politicians were also hacked. Spanish officials have found traces of Pegasus on a device belonging to Interior Minister Fernando Grande-Marlaska, El País reported. If analysts find that Grande-Marlaska was hacked with Pegasus, he would be the third confirmed Spanish Cabinet-level official to be hacked. 

It’s not clear who was behind the string of hacks on Spanish officials, but they came amid a diplomatic spat between Spain and Morocco, which has been accused of using Pegasus. Morocco has denied acquiring the spyware.

NATO cyberdefense hub adds three new members amid Russia threat

South Korea’s spy agency says participating in the transatlantic alliance’s cyberdefense center will help it level up its ability to respond to cyberattacks, the Yonhap News Agency reports. It’s the latest enlargement for the Cooperative Cyber Defence Centre of Excellence (CCDCOE), which also welcomed Canada and Luxembourg as new members.

Ukraine also recently joined. In March, the country became a “contributing participant.” Its participation “could bring valuable firsthand knowledge of several adversaries within the cyber domain to be used for research, exercises and training,” CCDCOE’s director, Col. Jaak Tarien, said at the time.

CCDCOE is staffed and funded by its members. While it’s not an “operational unit belonging to the NATO Command Structure,” it’s part of a network of NATO-accredited centers of excellence, CCDCOE says.

Russian use of online anonymization tools has skyrocketed

Russians have been turning in droves to virtual private networks, which let them get around Russian government censors and surveillance, Anthony Faiola reports.

“Since the war began in February, VPNs have been downloaded in Russia by the hundreds of thousands a day — a massive surge in demand that represents a direct challenge to President Vladimir Putin’s attempt to seal Russians off from the wider world,” Anthony writes. “By protecting the locations and identities of users, VPNs are now granting millions of Russians access to blocked material.”

Government scan

CISA's got two factors to paradise

The agency is “beginning a month-long mission to rock the message that multifactor authentication keeps you more secure,” CISA Director Jen Easterly announced in a rock music reference-rich blog post. “It’s like More Than a Feeling, but instead it’s More Than a Password!” the agency says of the system for using a texted code, fingerprint or other identifying feature along with a password to access websites and data. 

Federal agencies likely to get new cybersecurity guidance ‘in coming weeks’ (NextGov)

Privacy patch

Location data firm provides heat maps of where abortion clinic visitors live (Motherboard)

Global cyberspace

More details emerge on China's widespread Ukraine-related hacking efforts (CyberScoop)

National security watch

NSA, Cyber Command tap new election security leaders (The Record)

On the move

  • Matt Hayden has joined General Dynamics Information Technology as vice president of cyber client engagement. Hayden previously worked at Exiger, the Department of Homeland Security and CISA. 

  • Director of National Intelligence Avril Haines and Scott Berrier, who leads the Defense Intelligence Agency, testify on worldwide threats at a Senate Armed Services Committee hearing on Tuesday at 9:30 a.m.
  • A House Science Committee panel holds a hearing on open-source software cybersecurity Wednesday at 10 a.m.

Secure log off

Thanks for reading. See you Monday.