In the wake of the Colonial Pipeline and JBS ransomware attacks in recent months, the head of the nation’s leading cybersecurity agency says these events are a harbinger of what’s to come on the cyber front and there needs to be a greater focus on shoring up the defenses of America’s most important assets.
“Both of those incidents highlight the actual real world consequences of cyber incidents, targeting our critical infrastructure. And while today those attacks have impacted Americans at the gas pump and at the supermarkets, our concern is where could this go next,” Brandon Wales, the current acting director of the Cybersecurity and Infrastructure Security Agency, told CNN’s Pamela Brown in an interview.
While attacks like the ones on JBS and Colonial Pipeline are not new, they have increased in recent years, according to Wales, and they’re bolder than ever — leading criminal attackers to look for bigger targets for more ransom money, including targets that have real world consequences.
“We are concerned about where this could go in the future,” Wales said. “I think our concern is that more targeting of the industrial control systems, those things that actually enable critical infrastructure to operate — whether in water systems or power systems, the manufacturing base of the country — those are targets, and unless we take urgent action, we are really concerned about the disruptive effects that this could have on the American people.”
Both JBS and Colonial Pipeline paid ransoms to their attackers to unlock their systems, but Wales warned about the danger of such moves for the country as a whole.
“It has both short and long term impacts for the cybersecurity of the country and for the potential of cybersecurity for those individual companies,” Wales said. “A recent study found that 80% of companies that have paid ransom have been hit again. And so the adversaries know that they are a target who’s willing to pay.”
Why Americans should care
No company is too big or too small to fall victim to a ransomware attack, Wales said, and he advised all companies and organizations to take steps to shore up their cyber defenses. Part of CISA’s job is to not only ensure that critical infrastructure is protected but to also help groups take steps to better enhance their cybersecurity.
While a cyberattack may seem like a far-off idea for many, Wales said the number of potential victims “is almost endless.”
“We have seen ransomware target large companies and small multinational corporations and mom and pop shops, nonprofit organizations, almost anyone who’s operating an internet enabled business in the United States is potentially vulnerable,” Wales said. “We need to be doing more every single day to make sure that no adversary can execute an attack that causes such catastrophic effects.”
He said Americans’ daily lives are intrinsically connected to cyber and therefore vulnerable to attack.
“If it’s not 100% for most people, it’s probably pretty close,” Wales said. “You can just imagine, you get up in the morning and you try to turn on your lights and they don’t come on, you try to brush your teeth, and the water is not, it’s not there, it’s not clean. You try to log on to check your email and it’s not working, you can’t execute a financial transaction, because critical infrastructure in this country has been compromised in some way by a cyber incident.”
Cybersecurity after the Biden-Putin summit
Wales said it’s too soon after President Joe Biden’s summit with Russian President Vladimir Putin earlier this month to determine if there have been any major changes from Russia on the cyberattack front. He did, however, respond to Energy Secretary Jennifer Granholm’s interview with CNN’s Jake Tapper on “State of the Union” earlier this month, in which she warned in stark terms that foreign adversaries have the capability of shutting down the US power grid.
“So we know that multiple nation states want to target our critical infrastructure to hold it at risk at a time and place of their choosing. We assume that that would likely be in the, in the event of some type of conflict, they want to hold our infrastructure at risk, to try to affect US political decision making during those environments or during those times,” Wales said.
Brown asked Wales if they are basically holding leverage over the United States when doing that, to which Wales responded, “That’s their goal.”
Wales warned that the United States government needs to do more to protect its cyber infrastructure, but it’s also the job of the American people and American companies to take the issue seriously and to be “cyber smart.”
“The threats we face in the cyber world are real and they’re growing,” Wales said. “We’re not helpless, there are things that we can do, as the American people, as the US government, as our private sector community, can do working together to tackle this problem and we need to view it in this whole of government, whole of nation way, because only then are we really going to be successful against the adversaries that we face.”