Axios Codebook

May 05, 2023
😎 TGIF, everyone. Welcome back to Codebook.
- 💸 Mark your calendars: Our annual dealmakers event, Axios BFD, is heading to San Francisco on Wednesday! You’ll hear from big names in Silicon Valley and beyond on the news and trends driving headlines, markets and deals. The livestream starts at 2pm PT — register here to join us virtually.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,466 words, a 5.5-minute read.
1 big thing: Colonial Pipeline ransomware attack's unexpected legacy
Illustration: Aïda Amer/Axios
Looking back at the legacy of the Colonial Pipeline ransomware attack, experts are still unclear on why this was the incident that sparked such a massive sea change across policymaking and boardrooms.
Flashback: This weekend marks two years since a Russian ransomware gang targeted Colonial's pipeline, which provides roughly 45% of the fuel used on the East Coast.
- The ransomware attack led to a six-day shutdown of the pipeline, prompting gas shortages and an emergency declaration in D.C. and 17 states.
- The attack brought ransomware to everyday Americans' attention for the first time, inspired Congress to pass new laws, and prompted various federal agencies to institute new cybersecurity requirements.
The big picture: The legacy of the incident is often called into question over one simple distinction: Russian ransomware hackers didn't shut down the pipeline themselves; Colonial did.
- The ransomware only infected computers tied to the pipeline's billing systems, but Colonial has said it decided to stop the flow of fuel through the pipeline as a precaution to prevent the file-encrypting malware from spreading to its operations.
- But in the days following the attack, several reports suggested Colonial also shut down the pipeline in part because the company couldn't figure out how to properly bill customers.
- Even so, experts told Axios this week that if Colonial hadn't shut the pipeline down and the malware had spread to the pipeline, the long-term impact could have been more devastating. Colonial declined to comment for this story.
Zoom out: Ransomware was already wreaking havoc on local governments, hospital services and schools before Colonial Pipeline captured the nation's attention.
- The difference here, though, was the regional impact Colonial had, said Ben Miller, vice president of services at critical infrastructure security firm Dragos, which had a small role in helping Colonial recover from the mess.
What they're saying: "What I've later learned is, I guess, there's a certain amount of attention you get when there's a real impact to human lives," Charles Carmakal, senior vice president at cyber firm Mandiant, who helped investigate the Colonial incident, told Axios.
- "But when you impact gas and meat, people really care," he added.
Between the lines: Even if Colonial wasn't a precise example of the impact ransomware can have on critical infrastructure, the attack forced people to take these security threats seriously and implement policies that had been languishing, experts said.
- Before Colonial, getting the federal government to prioritize implementing requirements for critical infrastructure security was a difficult task, Mike Hamilton, CISO at Critical Insight and former CISO for the City of Seattle, told Axios.
- Subsequent ransomware attacks on critical infrastructure later in 2021 — including one on meat producer JBS Foods around Memorial Day — added to pressure on policymakers, regulators and executives.
The intrigue: The swift succession of attacks inspired boardrooms and executives to revisit their own ransomware response plans.
- "That became a focal point within the board that previously hadn't had that same level of tension," Miller said. "The level of questions they were asking [about ransomware preparedness] was much more detailed."
Yes, but: The regulatory and industry changes sparked by Colonial still need to go further, experts said.
- Wendi Whitmore, senior vice president of Palo Alto Networks' Unit 42 threat intelligence team, told Axios she'd like to see continued bilateral agreements between countries to crack down on ransomware.
- "It's not just the technical detection capabilities; we need true deterrence," she said.
- Companies are also still behind "where we want to be" on protecting critical security systems, Miller said, but "we are building towards that."
2. Ex-Uber security exec avoids jail time
Uber headquarters in San Francisco in April. Photo: David Paul Morris/Bloomberg via Getty Images
A judge sentenced Joe Sullivan, the former chief security officer at Uber, to three years' probation and 200 hours of community service on Thursday for hiding a 2016 cyberattack from authorities and obstructing a federal investigation.
Why it matters: Sullivan's case is likely the first time a security executive has faced criminal charges for mishandling a data breach, and the response to the case has split the cybersecurity community.
Catch up quick: In October, a jury found Sullivan guilty of obstructing an active FTC investigation into Uber's security practices and concealing a 2016 data breach that affected 50 million riders and drivers.
- Uber paid the hackers $100,000 to keep the attack quiet and not release any stolen data. Sullivan and his team routed the payment through the company's bug bounty program, which good-faith security researchers usually use to report flaws.
- The hack wasn't publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.
- Khosrowshahi fired Sullivan in 2017, telling the jury last year that he thought the decision to conceal the breach was "the wrong decision."
- Sullivan then joined Cloudflare as its chief security officer in 2018, and he stayed there until last July, when he stepped down to prepare for his trial.
What they're saying: "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," U.S. District Judge William Orrick said during the sentencing Thursday.
- "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off," Orrick added.
Details: Sullivan's team pushed for probation in a letter to the court ahead of Thursday's sentencing.
- Prosecutors pushed the court to sentence Sullivan to 15 months in prison.
The intrigue: Orrick said he received 186 letters from Sullivan's friends, family and industry peers ahead of the sentencing.
- One of those letters in support of Sullivan's character was from former Uber CEO Travis Kalanick, which perplexed the judge overseeing the case during sentencing, since neither Kalanick nor Uber participated in the trial.
- Orrick noted that among those letters were ones from CISOs sharing that they were afraid of jail time themselves if Sullivan went to prison. "I'm not sure that they understand what the facts are," the judge said.
3. White House heads to DEF CON
Illustration: Maura Losch/Axios
The White House is backing an "independent exercise" at security conference DEF CON this summer that will probe the most popular generative artificial intelligence tools on the market, Axios' Ashley Gold reports.
Driving the news: The exercise is just one part of the White House's multipronged, AI-related executive actions released Thursday ahead of a meeting with top tech CEOs.
- Other actions include providing $140 million in funding to create seven new National AI Research Institutes, as well as plans to release draft policy guidance this summer on the use of AI systems in the federal government.
Why it matters: Technology usually develops faster than government action can keep up, and the rapid rise of generative AI systems has raised alarm bells for governments around the world.
Details: The event will take place as part of DEF CON's AI Village, where thousands of AI experts, hackers and other partners will determine how popular AI models align with the administration's blueprint for an AI Bill of Rights.
- Participating developers include Anthropic, Google, Hugging Face, Microsoft, NVIDIA, OpenAI and Stability AI, per a White House fact sheet.
What they're saying: "AI is one of the most powerful technologies of our time, but in order to seize the opportunities it presents, we must first mitigate its risks," the White House fact sheet reads.
- "Importantly, this means that companies have a fundamental responsibility to make sure their products are safe before they are deployed or made public."
4. Catch up quick
@ D.C.
💰 The FTC is proposing changes to a 2020 privacy order with Meta that would prohibit the company from profiting off data it collects from users under the age of 18. (Axios Pro)
😳 The Pentagon's AI chief says he's "scared to death" of the impact of generative AI tools. (Nextgov)
@ Industry
🔑 Google officially rolled out alternatives to passwords on all personal accounts. (Wired)
👔 Google also launched a new six-month cyber certificate training program for entry-level positions. (Wall Street Journal)
📲 A reporter reckons with why TikTok's parent company spied on her last fall. (Financial Times)
@ Hackers and hacks
👾 A ransomware attack forced the City of Dallas to shut down key services, including the 911 dispatch systems and courts. (TechCrunch)
🆘 Hackers hijacked Virginia-based Bluefield University's emergency alerts system and used it to issue threats to students and faculty. (NBC News)
🏠 The National Guard is investigating a cyberattack that took down the Raleigh Housing Authority's computer systems and business operations. (ABC11)
5. 1 fun thing
Illustration: Aïda Amer/Axios
For all the coronation watchers this weekend, my colleagues Eleanor Hawkins and Erin Davis have a fun story out about how the British royal family communicates through their wardrobe.
- It starts: "Queen Elizabeth II only gave one sit-down television interview during her lengthy reign — but she still found ways to provide cultural commentary without saying a word." 🔥 🔥 🔥
☀️ See y'all on Tuesday!
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.