Pipeline Companies Will Have To Report Cyberattacks To The Government
For the first time, the Department of Homeland Security has decided it needs to regulate cybersecurity in the pipeline industry. It's expected to require such key infrastructure companies to report cyber incidents to the federal government.
The move, first reported by The Washington Post, means a new set of rules to safeguard pipeline companies against cyberattacks such as the ransomware that crippled Colonial Pipeline this month. The attack forced it to shut down, creating panic and fuel shortages for days across the Southern and Eastern United States.
In testimony before Congress this month, Chris Krebs, who was the first director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, described a looming "digital pandemic, driven by greed, a vulnerable digital ecosystem and an ever-widening criminal enterprise."
Because companies aren't currently required to report ransomware attacks, "we don't really understand how bad the problem is," Krebs said in an interview Wednesday with NPR's Rachel Martin on Morning Edition.
"And one of the things that I would greatly encourage is anyone that has a ransomware event notifies the government so the government can take action needed," he said.
Krebs said that includes "working with our foreign partners as well as some of the countries that may be harboring these ransomware actors, so that we can put an end to this now."
Following are highlights of the interview, edited for length and clarity:
On why pipelines need their own set of regulations
The operating conditions of pipeline is one of our critical infrastructures; they have some unique aspects. And given the way that the U.S. government divvies up the oversight and management of the various critical infrastructure sectors, pipelines, oddly enough, fall under the Transportation Security Administration. You might think, sounds like an Energy Department area.
Ultimately, a pipeline is a mode of transportation. And there are multiple products that move through pipelines, including water and chemicals and gases. And so what you really think about is not the product that flows through the pipes, but it's the modality itself, it's the infrastructure itself. And TSA is uniquely situated to be helpful here. And so what you're seeing is the first security regulation from TSA over pipelines, and it's an incremental step, at least for the moment.
On what is going to change
For one, this specific directive ... it's going to require reporting of security incidents to TSA and to my old agency, CISA, and that's it. But there's additional authority that may take a little bit more time to develop where you may see things like security standards or baseline standards of performance for security measures.
On whether private companies would want to reveal when they've been hacked
Well, that's the interesting thing, right? When you think back to the initial days of the Colonial Pipeline hack a couple of weeks ago ... there wasn't a lot of information available to the federal government because it's not required to report on incidents. And I think that's a key element that has to change across all of our critical infrastructures, not just pipelines. But these companies need to report to the government, because if we don't really know how big the problem is, it's hard to make informed policy and operational decisions going forward.
On how the regulations can be enforced
There are a number of different ways they can do that. First, it's just through the kind of the wag your finger, and you engage them all the way up to security fines and shutdown of operations. These are the sorts of directives the TSA issues and implements all the time at airports — just recently mask mandates on commercial air travel. So there's a regime in place. There are relationships with the pipeline sector. And now it's just a matter of getting it out there and helping these organizations understand who they need to talk to and how to do it.