Ransomware attacks are striking every eight minutes, crippling hospitals, police departments, NBA basketball and minor league baseball teams, even ferries to Martha’s Vineyard.
Written by Nicole Perlroth
Leon Panetta is one of the few US government officials who can look around at the nation’s rolling cyber disasters and justifiably say, “I told you so.”
In a 2012 speech that many derided as hyperbolic, the former secretary of defense was among the first senior leaders to warn us, in the most sober of terms, that this would happen. He didn’t foretell every detail, and some of his graver predictions have yet to play out. But the stark vision he described is veering dangerously close to the reality we are living with now.
In the past few months, hackers were caught messing with the chemical controls at a water treatment plant in Florida, in what appeared to be an attempt to contaminate the water supply just before Super Bowl weekend in Tampa. Ransomware attacks are striking every eight minutes, crippling hospitals, police departments, NBA basketball and minor league baseball teams, even ferries to Martha’s Vineyard.
This past week, the targets were one of the world’s largest meatpacking operators and the hospital that serves The Villages in Florida, America’s largest retirement community. The week before that, it was the pipeline operator that carries half the gas, jet fuel and diesel to the East Coast, in an attack that forced the pipeline to shut down, triggered panic buying and gas shortages and was just days from bringing mass transit and chemical refineries to their knees.
And those are just the attacks we see. Beneath the surface, US businesses are quietly paying off their digital extortionists and burying breaches in hopes that they never see the light of day. China continues to cart off America’s intellectual property, most recently in an aggressive cyber assault on the defense industrial base and, curiously, New York City’s Metropolitan Transportation Authority.
Russia’s government hackers have shut off the power in Ukraine twice. They’ve reached the control switches at American power plants, and breached nuclear plants, too. And Russia’s elite intelligence agency, the SVR, slithered its way through hundreds of US companies and government agencies for nine months before it was caught. In the process, it wrecked confidence in the software supply chain. And, officials concede, its agents are quite likely still inside.
To anyone who has been paying the slightest bit of attention, none of this comes as a surprise. We are racing toward — in fact have already entered — an era of visceral cyberattacks that threaten Americans’ way of life. And yet, despite the vulnerabilities these attacks reveal, individuals, organisations and policymakers have yet to fundamentally change their behaviour.
“If not this, then what?” Panetta asked. “What will it take?”
He fears it really will take the “cyber Pearl Harbor” he predicted nearly a decade ago, when he warned of what would come if Americans didn’t shape up: a coordinated cyberattack on critical infrastructure that “would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”
In the decade that followed, cybersecurity experts quibbled with his word choice — “cyber Pearl Harbor” — arguing alternately that it was overly alarmist or infantilising, that the use of war lingo leaves everyday Americans and mainstream organisations with the impression they are helpless to combat illusive “cyber bombs.”
That, Panetta says, was never his intention. “I got some complaints about using the word ‘Pearl Harbor,’” Panetta conceded. “They said you should be very careful about using that word, and my response was, ‘Call it whatever the hell you want.’ It’s a national security threat. Don’t try to fool yourself that somehow, just because you don’t like the words, the threat is not real.”
These days, Panetta has swapped analogies. Like most Californians, he has fire on his mind. The former secretary of defense resides on his family’s old walnut farm turned vineyard in the parched Carmel Valley, where the surrounding hills are still singed from last year’s fires. The entire state is bracing for another inferno. And Panetta can’t help seeing our digital woes through a ring of fire.
“You know cyber is a little bit like playing with fire,” he reflected on a recent afternoon. “You’re not quite sure just how something is going to play out. It could blow back on you from a dozen different directions.”
Before Panetta served as defense secretary, he was director of the CIA. During his tenure there, in 2009 and 2011, the United States, in partnership with Israel, set in motion the first major act of cyber destruction against Iran.
That attack, which began under President George W. Bush but accelerated under the Obama administration, used a computer worm called Stuxnet to infiltrate the computers that controlled the rotors that spun Iran’s uranium centrifuges at the Natanz nuclear facility. Over a period of many months, Stuxnet sped some centrifuges up while slowing others down, in a series of attacks designed to look like natural accidents.
By the time the worm escaped Natanz in 2010, and the ruse was up, Stuxnet had quietly destroyed roughly 1,000 centrifuges. Short term, it was a resounding success: It set Iran’s nuclear ambitions back years. Long term, it demonstrated the destructive power of code and lit a fire that, very quickly, started blowing back on the United States from a dozen different directions.
Less than two years later, Iran launched its own destructive attacks. The first targeted Saudi Aramco, the world’s largest oil company, where Iranian hackers used malware to destroy data on 30,000 Aramco computers and replace it with an image of a burning American flag.
“That was their way of saying, ‘Hello,’” Panetta said.
In a matter of months, Iran’s hackers came for the United States. As oil was to the Saudis, so was finance to the US economy, and in the fall of 2012, Iran’s hackers started pounding US banks with unprecedented waves of web traffic in what is known as a denial-of-service attack. One by one, websites belonging to Bank of America, the New York Stock Exchange and dozens more banks sputtered or collapsed under the load.
It was in the midst of those attacks that October that Panetta gave his “Pearl Harbor” speech.
“It was like looking behind you and seeing that what you created could very well come back to get you,” Panetta said. “Once those capabilities fell into the wrong hands, I was witnessing firsthand how they could be used to really hurt us, to damage our country, our national security, and was still frustrated by the failure to have a coordinated approach to dealing with the threat.”
A decade later, he’s still frustrated. “It’s like there’s a fire and you’re ringing a bell, but the fire department doesn’t show,” he said.
With ransomware attacks ramping up, the Biden administration has been racing to establish long overdue cybersecurity measures. President Joe Biden recently signed an executive order that raises the bar for the cybersecurity of federal agencies and contractors. If companies do not meet that bar, they will be blocked from doing business with the federal government. And after the ransomware attack on Colonial Pipeline in May, Biden forced new cybersecurity requirements on the pipeline industry, using the Transportation Safety Administration’s oversight powers.
But with so much of the nation’s critical infrastructure — 85% — in private hands, government can only do so much.
So, what is it going to take to keep Americans safe? It’s a big question. The answers, though, can be small. The kindling for these raging digital infernos is buggy and out-of-date software nobody bothers to patch. It is companies that don’t back up their data or have a security plan for ransomware attacks, despite their ubiquity. It is the failure to use different passwords and turn on two-factor authentication. The hackers who tried to contaminate Florida’s drinking water exploited the fact that employees shared the same password and ran a decade-old version of Windows software. At the pipeline, it came down to the lack of multifactor authentication on an old employee account.
It’s “cyber hygiene,” the accumulation of day in, day out investments and inconveniences by government, businesses and individuals that make hackers’ jobs harder. And some are very low tech.
Among the few high-profile organisations that were not actually hacked last year was the Democratic National Committee. Going into 2020, Bob Lord, the DNC’s first chief information security officer, employed a novel approach to help ensure that hackers stayed out of DNC emails this time. He posted signs over the urinals in the men’s room and on the wall in the women’s room reminding everyone to run their phone updates, use the encrypted app Signal for sensitive communications and not click on links.
Panetta, watching from afar, has his own simple solution for staying safe — and specifically making sure his internet-connected Lexus isn’t hacked. A few years ago, he fixed up his dad’s old 1951 Chevy truck, and that is what he uses to get around.
When he does drive the Lexus, he has careful instructions for his passenger: “I tell my wife, ‘Now be careful what you say.’”