Colonial Pipeline ransomware attack's unexpected legacy

Looking back at the legacy of the Colonial Pipeline ransomware attack, experts are still unclear on why this was the incident that sparked such a massive sea change across policymaking and boardrooms.

Flashback: This weekend marks two years since a Russian ransomware gang targeted Colonial's pipeline, which provides roughly 45% of the fuel used on the East Coast.

• The ransomware attack led to a six-day shutdown of the pipeline, prompting gas shortages and an emergency declaration in D.C. and 17 states.
• The attack brought ransomware to everyday Americans' attention for the first time, inspired Congress to pass new laws, and prompted various federal agencies to institute new cybersecurity requirements.

The big picture: The legacy of the incident is often called into question over one simple distinction: Russian ransomware hackers didn't shut down the pipeline themselves; Colonial did.

• The ransomware only infected computers tied to the pipeline's billing systems, but Colonial has said it decided to stop the flow of fuel through the pipeline as a precaution to prevent the file-encrypting malware from spreading to its operations.
• But in the days following the attack, several reports suggested Colonial also shut down the pipeline in part because the company couldn't figure out how to properly bill customers.
• Even so, experts told Axios this week that if Colonial hadn't shut the pipeline down and the malware had spread to the pipeline, the long-term impact could have been more devastating. Colonial declined to comment for this story.

Zoom out: Ransomware was already wreaking havoc on local governments, hospital services and schools before Colonial Pipeline captured the nation's attention.

• The difference here, though, was the regional impact Colonial had, said Ben Miller, vice president of services at critical infrastructure security firm Dragos, which had a small role in helping Colonial recover from the mess.

What they're saying: "What I've later learned is, I guess, there's a certain amount of attention you get when there's a real impact to human lives," Charles Carmakal, senior vice president at cyber firm Mandiant, who helped investigate the Colonial incident, told Axios.

• "But when you impact gas and meat, people really care," he added.

Between the lines: Even if Colonial wasn't a precise example of the impact ransomware can have on critical infrastructure, the attack forced people to take these security threats seriously and implement policies that had been languishing, experts said.

• Before Colonial, getting the federal government to prioritize implementing requirements for critical infrastructure security was a difficult task, Mike Hamilton, CISO at Critical Insight and former CISO for the City of Seattle, told Axios.

• Subsequent ransomware attacks on critical infrastructure later in 2021 — including one on meat producer JBS Foods around Memorial Day — added to pressure on policymakers, regulators and executives.

The intrigue: The swift succession of attacks inspired boardrooms and executives to revisit their own ransomware response plans.

• "That became a focal point within the board that previously hadn't had that same level of tension," Miller said. "The level of questions they were asking [about ransomware preparedness] was much more detailed."

Yes, but: The regulatory and industry changes sparked by Colonial still need to go further, experts said.

• Wendi Whitmore, senior vice president of Palo Alto Networks' Unit 42 threat intelligence team, told Axios she'd like to see continued bilateral agreements between countries to crack down on ransomware.
• "It's not just the technical detection capabilities; we need true deterrence," she said.
• Companies are also still behind "where we want to be" on protecting critical security systems, Miller said, but "we are building towards that."

Sign up for Axios’ cybersecurity newsletter Codebook here