For our project, we decided to focus on something highly relevant – the hacking of the Colonial Pipeline that took place just last month. We wrote an in-depth opinion piece that both investigates the causes and consequences of the hack, and presents a vision for how to stop something like this from happening again — namely, government intervention in the energy industry. We also focused on a potential secondary benefit of more intense federal intervention – a greater focus on tackling the climate crisis. You can read our OpEd here (The Hack to Understanding the Colonial Pipeline Incident), but below we’re going to talk you through our process.
We began by conducting high level due diligence on the hacking itself to better understand the stakeholders and technologies involved. This due diligence was a three step process: we first conducted an overview of the news, then we read through government and company policy briefs, and finally we looked through websites of third party cyber security firms to get a grasp of the technology involved in the hacking. The net result was the first section of our report on event logistics, company response, media reporting, consequences, and responsibility. For the initial news overview, we wanted to focus on three broad categories of news sources— reliable mass media, tech journals, and company communications with the public. The main disparity in the sources had to do with their presentation of the ethics of hacking. Conventional media sources (NYT, the New Yorker etc.) took a more stern stance on DarkSide and associated organisations; they also insinuated that connections between DarkSide and Eastern European political parties. There was little discussion of the ethics of hacking and a greater orientation towards policy outcomes, taking the ethics as a given. The company briefs took the entire event as a given and focused on the impact, response, and next steps. Tech journals made more of a genuine attempt to understand DarkSide’s business model, their associations, and their technology. Together these sources gave us a holistic view of the media sources and information we needed to write the aforementioned five sections. With this methodology, we discussed the RaaS model used by DarkSide and how it links to the consequences of the Colonial Pipeline hack. These consequences were broken down into the short and long term with special emphasis given to socio-economic consequences. The political consequences were further discussed in the following section. Thus, the insights we drove from this section were fundamental in the policy and climate change related discussions in later sections of the op-ed.
A central part of this hacking that we wanted to address was the role that the US government plays in cybersecurity incidents at this point in time––as well as historically––so that we could assess the evolution of their stance. The first thing that struck us was that the Colonial Pipeline hack was something that the US hadn’t foreseen because it was launched by a criminal ring. The majority of the cases that the government had dealt with in the past related to countries who are enemies of the United States like China, Russia, and Iran. The fact of today is that technological advances have moved at such a pace that it is no longer governments that are capable of advanced hackings but also corporations who endeavor to steal information simply as a means of profit. This problem becomes so immense and challenging because the only way these situations are resolved is through yielding to extortion––exemplified by Colonial Pipeline’s admission of $5 million to DarkSide. This is evidently not a resolution as it fails to address the root issue which is the way that such a group was able to shut down one of the biggest suppliers of energy within the United States. The issue of cybersecurity becomes all the more alarming as we realized that it plagues some of the most important companies in our lives, leaving civilian Americans vulnerable to these unknown, ominous aggressors.
Biden’s executive order, declared on May 12th, marks a fundamental shift in the State’s cyber strategy. For the first time in history, there will be established channels of information between the US government and private industry leads in order to better advice companies about the threats that they face and address cyber threats directly. One of the main problems in the past has been that corporations do not disclose when they’ve experienced such an attack as releasing an announcement can hurt consumer confidence and shock the share price. So, they agree to pay large sums of money in order to make the problem disappear. This means that criminal rings are able to repeat strategies and extract profits from different companies without any curb. Biden’s push for transparency will end this pattern as corporations will be forced to tell others when they are faced with a cyber threat. His Cybersecurity Safety Review Board will convene after attacks to analyze code and see what the root cause of the threat was, informing others about the issue as a means of future prevention. This will fundamentally transform the relationship between the public and private sectors with regards to cyber issues. Still, we feel like this change will be enough to confront a threat as fast and pervasive as cybersecurity and ultimately concluded that the issue has to be faced directly from the angle of climate change.
Lastly, we turned our attention to climate change. We spent a good amount of time navigating our way through a Sierra Club investigation into utility companies’ commitment to addressing climate change. What the study found is that there was little correlation between companies proclaiming a climate-forward action plan and those same companies actually carrying out the steps needed to achieve those goals. This pointed us to the overlap with the issues posed by cyberwarfare that we had hypothesised. What we saw was that, on their own, private corporations are simply not willing to take on aggressive action to protect the long term interests of their customers – be those interests privacy related (and therefore threatened by hacking) or personal well being related (and therefore threatened by climate change). This cemented our thinking with regards to the necessary response – government intervention and investment to force companies to act strategically and selflessly. This thinking was bolstered by the research we did into existing schemes to nationalise or municpalise utility companies. The actions around Pacific Gas and Electrics in California were particularly interesting. This is a company that has already demonstrated a disregard for its customers and prioritisation of profit – PG&E customers were literally devastated by the Camp Fire. The push in response to bring the corporation into the power of the state shows how much power the government really does have when it chooses to flex its muscles. Clearly, this shift is already well underway on a state and city scale. Now it is time for the federal government to take this to the next level.
Thus, we came to the close of our project. We went in looking to further connect our studies with what we’re seeing in the world today. We come away not only having made those connections, but also with an impassioned vision for tacking these problems head on. Time shall tell if the Biden administration is brave enough to consider the kind of action we’re proposing, but from the direction states are taking right now, it seems inevitable that greater government intervention around issues of hacking and climate change is entirely inevitable.