Colonial Pipeline Cyberattack Gives Democrats Opportunity to Get Tough on Foreign Hacking | Opinion

The events of the past month make it glaringly apparent that an agonizing reappraisal of the effectiveness of Washington's policy approach to cybersecurity is long overdue. On May 7, a cyberattack forced the shutdown of one of the largest energy pipelines in the United States, disrupting our vulnerable energy infrastructure. The attack forced Colonial Pipeline to shut down 5,500 miles of pipeline, carrying 45 percent of the East Coast's fuel supplies, and at least 11 states up and down the Eastern Seaboard experienced gas shortages for the first time in memory. According to the assessment of cybersecurity experts, this was only the latest in a string of foreign-sponsored cyberattacks that constitute one of the biggest current threats to U.S. national security.

It isn't as if we haven't had sufficient warning. The biggest cyber breach in history started in March 2020, when foreign hackers compromised IT management software from cybersecurity company SolarWinds. The attack compromised information systems across the federal agencies as well of those of major U.S. tech companies. The FBI and NSA joined the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence in saying the hack was "likely Russian in origin."

The new administration has already acknowledged that our current federal policies of counter-measures to discourage and punish foreign-sponsored hacking are woefully insufficient. On April 15, 2021, the White House responded to the continuous cyberattacks committed by Russia over the SolarWinds hack. This move by the Biden administration to sanction Russia is a welcome start and sends a signal to Russia that a new sheriff is in town.

But it is clearly insufficient. In its statement announcing the sanctions, the White House acknowledged the "undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating" foreign-sponsored cyberattacks.

Mark Weatherford, former deputy undersecretary for cybersecurity at DHS in the Obama administration, was even stronger, stating that sanctions alone were clearly "not enough." The response to recent foreign cyberattacks, he insisted, "should be attention-getting and so painful that it makes future adversaries take pause to consider those actions. Chess, not checkers."

The massive SolarWinds hack, the disastrous effects of which are still being assessed, was the culmination of years of neglect of the grave dangers to our national security posed by unchallenged foreign-sponsored cyberattacks. There was no excuse for being caught unaware. The foreign cybersecurity threat is nothing new. Over the past decade, we have seen Russian-backed cyberattacks against everyone from American military spouses to the Democratic National Committee, North Korean hacks and blackmail against Sony Pictures and China's cyberattack on the Office of Personnel Management, which involved the theft of the personal data of more than 22 million people.

The Senate had a golden opportunity in the last Congress to do something about rampant foreign hacking in the form of the HACT Act. Last July, the Democratic House overwhelmingly passed the bill as an amendment to the National Defense Authorization Act (NDAA) by a bipartisan vote of 336-71. The amendment would have, for the first time, given American victims legal recourse in the cases of malicious hacking conducted by foreign governments or their agents. It would do so by carving out a cyberattack exception to the Foreign Sovereign Immunities Act (FSIA), which currently shields foreign state actors from American lawsuits, protecting them from any form of accountability in cases of state-sponsored cyberattack. Foreign-sponsored cyberattacks are not only targeting our energy sector, but perhaps even more appalling during the coronavirus pandemic, threatening our health care system and the lives of millions of Americans.

The HACT Act provided a perfect opportunity to push back against the increasingly aggressive cyberwarfare on the part of malign foreign actors. Instead, foreign governments engaged in a concerted effort with conferees to get the amendment stripped from the final version of NDAA, and it was successfully removed from the bill at the behest of certain countries to protect their cyber-operations.

Essentially, the HACT Act was stripped out of the final version of NDAA in House-Senate conference because of the objections of anonymous senators influenced by lobbyists for foreign nations who would be liable to legal action under the new law, and who want to continue their hacking activity unhampered.

Key members of Congress claimed they had no fundamental problems with the bill but could not support it because of objections from the diplomatic community and from intelligence agencies. That, of course, is no surprise, since the very same diplomatic community was united in their opposition to the Justice Against Sponsors of Terrorism Act (JASTA) and the prospect of U.S. victims of foreign-sponsored terrorist activity having recourse to the American court system. In that case, Congress saw fit to override those objections and overturned former President Barack Obama's veto by a resounding margin. Fears that JASTA would complicate crucial diplomatic relations and lead to unfair judicial reciprocity against American citizens on the part of foreign courts have proved completely unfounded.

Pumps are empty at a gas station
A note is posted to let motorists know the pumps are empty at a gas station in Arlington, Virginia, on May 13, 2021. ANDREW CABALLERO-REYNOLDS/AFP via Getty Images

While many in the diplomatic community theoretically prefer a sanctions regime as a means of deterring cyberattacks sponsored by foreign governments, the track record of foreign policy decision makers imposing and implementing sanctions that serve as an effective deterrent to foreign cyber espionage is non-existent. The State Department possesses a toolbox of sanctions that is not being used, and foreign cyber-terrorists continue to exploit the crisis with impunity. Sanctions as a method of dealing with the metastasizing cybersecurity threat are a failed strategy. On the other hand, the prospect of the seizure of foreign assets held in the United States is a strong and practical disincentive to future cyberattacks sponsored by foreign governments aimed at harming our citizens and our institutions.

Despite rhetorical support for cracking down on foreign-sponsored cybercrime, neither Congress nor the last administration did enough to stop these crimes or for assisting the victims as the volume and intensity of foreign hacking reached an unprecedented volume.

Nothing effective has yet been done to deter the escalating cyberattacks on the national security of the United States, and our intelligence agencies and policy experts tracking the issue are gravely concerned.

Congress can demonstrate that they take the foreign cyberthreat seriously by incorporating the HACT Act into the next coronavirus relief act to help protect America from foreign cyberattacks at this crucial juncture. The Biden administration should make the passage of the HACT Act a policy priority.

Politically, this would be a golden opportunity to distinguish the new administration's determination to get tough on foreign hacking from the previous administration's inaction. Congress must take the lead in protecting our government, our corporations and our citizens against one of the most pressing foreign threats to our national security.

Fred Turner, senior vice president at BGR Group, previously spent 25 years working on Capitol Hill. Most recently he was chief of staff to Senate Foreign Relations Committee chair Bob Menendez and previously served as staff director of the U.S. Helsinki Commission.

The views expressed in this article are the writer's own.