After Colonial What Next?
Who doesn't understand that Colonial Pipeline's payment of terrorist demands for $5 million was driven by what must be disastrous polling by the Zhou regime? This is of a piece with the Zhou regime's similar turn-on-a-dime change of Covid policy--off come the masks, open the school doors! Clearly the Zhou regime understands that half the country--including many Dem voters--regard the current occupant of the White House as illegitimate. Their internal polling presumably matches the published polling by Rasmussen Reports. This explains their panicked responses to what has become a drumbeat of negative developments--desperate attempts to placate the public and to douse fires at whatever cost.
Presumably hostile foreign powers--both state and non-state actors (terrorists)--have taken note of this abject panic on the part of the Zhou regime and they will plan accordingly. The Zhou regime's attempts to minimize or explain away its actions, both regarding Covid as well as Colonial, have sent a signal that cannot have been missed. I'd be very surprised if we don't experience further asymmetrical attacks sooner rather than later. The attempts to pass off the Colonial attack as mere blackmail of a foreign government by "hackers" may fool some of the usual fools, but no one else.
In that regard, Jonathan Turley has an excellent article at The Hill today, in which he delves into the related legal issues--which happen to be key for getting a firm grasp on this situation:
Why the White House won't define pipeline attack as terrorism
It's important to understand that Turley is not simply an alarmist with regard to terrorism. He has, in fact--consistent with his record as a leading old-style civil libertarian liberal--vocally resisted the usual drive to define all criminal acts as "terror" whenever possible or conceivable. But in this case he has no doubts:
... the White House and the media have referred to the Colonial Pipeline ransomware attackers simply as “hackers.” “DarkSide” is not just a collection of hackers — it's a group of terrorists. And the only thing more concerning than the failure to label them correctly is the possible reason for not doing so.
Once you understand and accept the obvious conclusion that DarkSide conducted a terrorist attack, things get very disturbing. Turley sets out the applicable law, and it's very clear:
While definitions vary, DarkSide meets key elements of terrorism crimes. Key provisions such as 18 U.S.C. 2331 focus less on the motivation of terroristic acts as opposed to the intent: "(i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping." ... Cyber terrorism can have either economic or political motivations or both. Indeed, gangs can be enlisted or enabled by foreign powers such as Russia or Iran to carry out such attacks.
Intimidate or coerce a civilian population? You betcha.
When you coerce an entire population, you are a terrorist — whether you do so for Allah or for moolah.
This was no ordinary blackmail. The Zhou regime wants us to accept that this was a "private sector decision". Please! Turley and everyone else knows better--this decision to pay the blackmail was not done without regime input:
Colonial just paid a ransom to terrorists. Moreover, gas pipelines are not just “a private company” but a highly regulated industry that closely follows the government’s directions.
Everyone in the world that matters knows this. And they know the reason: The Zhou regime is on such shaky ground after just 100 days of playing pretend--yes, see the NYT dissection of Zhou in that regard--that it can be counted on to panic and cave when the going gets rough. Or moderately so. As Turley says, this ransom was not just a nuisance cost for Colonial--it was blackmail against the US government. We should expect further attacks, now that the regime's mental state and stance are clear:
We have long maintained a policy of not yielding to terrorists, and outsourcing ransom payments does not change the implications of this decision. DarkSide and other cyber terrorists now know they not only can succeed but can do so surprisingly quickly. Indeed, ransomware has been profitably used around the world for years with businesses. This incident, though, was different. It was designed to cause widespread social and political havoc among our population.
If the Biden administration did not want to pay terrorists, it could have used a wide array of powers to pressure Colonial not to pay. Colonial is tied into our infrastructure and largely exists by the grace of federal and state agencies. If Biden declared publicly that the company should not yield to terrorists, he would have presented no less of an existential threat to the company than DarkSide did.
It may be true that the Biden administration concluded we are defenseless to cyber terrorism despite years of ransomware attacks and hundreds of billions of dollars in cybersecurity programs. If that is the case, the public should be informed. The failure of Congress and our government to defend against such terror attacks is a national security failure of breathtaking proportions. The Colonial Pipeline attack was the cyber equivalent of Pearl Harbor.
Chris Wray, where are you?
After you read Turley--and I urge you to do so--there are two other items that are worth looking at. First comes an article at The Atlantic:
The Colonial Pipeline Attack Is a Dark Omen
Our digital world wasn’t built with security in mind.
Yeah, I know what you're thinking--whose fault is that? Didn't we all think that the first and overriding duty of any government is national security? What's our government been doing for the last umpteen years, besides spying on conservatives and undermining electoral integrity--and rebranding mostly peaceful dissent as "white supremacist terrorism"?
Well, anyway, the author makes some legit points, while skirting some hard truths. For example:
Adding security after the fact to a digital system that wasn’t built for it is very hard. And we are also surrounded by “technical debt,” programs that work but were written quickly, sometimes decades ago, and were never meant to scale to the degree that they have. We don’t mess with these rickety layers, because it would be very expensive and difficult, and could cause everything else to crumble. That means there is a lot of duct tape in our code, holding various programs and their constituent parts together, and many parts of it are doing things they weren’t designed for.
Our global network isn’t built for digital security. As I wrote in 2018, the early internet was intended to connect people who already trusted one another, such as academic researchers and military networks. It never had the robust security that today’s global network needs. As the internet went from a few thousand users to more than 3 billion, attempts to strengthen security were stymied because of cost, shortsightedness, and competing interests.
...
Many problems like these aren’t fixed, because of what economists call “negative externalities”: Shipping software or devices like these is free, and fixing any issues that come up is expensive. Taking the latter, more expensive route provides no immediate reward. It’s like telling factories that they can pollute as much as they want, dumping their waste into the air or a nearby river, or they can choose to install costly filtering systems, in a setup where the pollution isn’t quickly visible through smell or appearance. You can guess what happens: The companies don’t worry about it, because they don’t have to.
Color me cynical--and, by the way, I'm no tech expert--but I have to question some of this. Is Congress a "negative externality"? How about Deep State regulation? C'mon guys, couldn't Congress have passed some laws about infrastructure digital security? Or did "the companies" pay campaign contributions so those laws wouldn't get passed? I'm sure others more knowledgeable than I could poke a few more holes.
One who does poke some holes is Karl Denninger (a few days ago--I've been sitting on this):
Denninger's post is more or less a rant. The theme is simple: Companies take the easy way. Sometimes it's because they have stupid people in their IT department, other times they're lazy and cater to employee convenience. That's stupid, too. The fixes aren't necessarily technically complicated, and sometimes they're not even expensive. A few years ago I had a new furnace and thermostat installed. The installers wanted to help me connect it all to the internet! Uh, no. Just no. Why in the name of all that's holy would I want to connect any appliance in my house (computer excepted) to the internet? Is that so different, conceptually, from what Denninger asks:
Pipeline operator? Heh, you don't have a right-of-way from one end to the other already, do you? Oh, wait, you do? Then why didn't you run fiber along said right-of-way and have your own transport infrastructure that is impervious to electrical disturbances, other than at the repeaters of course which require power. Why wasn't it true that every computer that could in some way interact with said control system, including billing, and the control system itself wasn't on a sanitary network on private infrastructure with exactly zero outside connectivity of any sort -- and no exceptions? If you needed to work from home why wasn't it done like the DOD does it, where the machine has a nailed VPN that cannot be overridden, the employee has no administrative access, yes, even the CTO and CEO, the USB ports don't work and for the love of God you can't get on Facebook from it because said machine only connects back to a sanitary network with no outside links!
...
Nobody wants to do it and Warner, along with the rest of the screaming goats in Congress and elsewhere know damn well how to do it because the DOD in fact does it.
He has lots more to say, so follow the link. If the people running our government weren't so intent on making money from China this all would have been done long ago.