Think of the hazards threatened by ransomware as akin to those caused by the Great Coastal Gale of 2007.
Lights go out and furnaces shut down. Communications networks go silent. Gasoline stays in the ground, or in tanks outside the region. Banking grinds to a slow walk, as bankers return to the days of handwritten ledgers.
Residents of the North Coast are accustomed to thinking about natural disasters, from the inevitable Cascadia Subduction Zone earthquake to tsunami to wildfires. But the same kinds of disruptions to daily life can occur when criminals invade computer networks and hold them hostage, as we’ve seen in the last several weeks.
● In May, criminals crippled the network of Colonial Pipeline, not releasing their hold until the gas pipeline company paid a reported $4.4 million in cryptocurrency. While authorities later recovered much of that money, gas shortages occurred on the East Coast while oil supplies were stalled by the attack.
● Also in May, JBS, the world’s largest meatpacking company, halted all cattle slaughtering operations in the United States and Australia after a ransomware attack.
● Earlier in June, cyberthieves disrupted operations of the Massachusetts Steamship Authority, disrupting ferry service to Nantucket and Martha’s Vineyard.
Cyberattacks, like natural disasters, can shut bridges, communications networks and power plants. As the recent spate of ransomware episodes shows, they are a jarring reminder that much of the nation’s critical infrastructure is controlled by private companies, like banks, investor-owned utilities, food producers, hospitals and health care systems. And in the 21st century, any organization is vulnerable to a cyberattack.
Unlike the Cascadia Subduction Zone catastrophe that scientists anticipate, cyberattack disruptions aren’t inevitable, said Pat Massey, the Seattle-based regional director for the federal Cybersecurity and Infrastructure Security Agency.
“Everyone is at risk of a cybersecurity threat,” Massey said in a phone interview. “Ransomware has woken a lot of people up.”
But Massey said he is guardedly optimistic that growing awareness will lead to growing readiness, as it has with planning for the Cascadia earthquake. He said the best protection against disruption of digital systems is what he calls “basic cyberhygiene.” By that he means using up-to-date antivirus software, using strong passwords and multifactor authentication and avoiding opening or clicking on suspicious emails and links.
He also encourages any public agency, from tiny school districts to county governments, port authorities and cities, to join the Multistate Information Sharing Analysis Center, a clearinghouse for cybersecurity information, including conducting exercises and providing guidance on how to respond to attacks. It is free for any public entity to join, but in the lower Columbia River region, few agencies are on the member rolls. They should be.
“Local officials, especially, need to start running tabletops and other scenarios, and get emergency plans in place,” said Charles Jennings, of Portland, a senior fellow at the Atlantic Council and co-author of the digital security book “The Hundredth Window: Protecting Your Privacy and Security In the Age of the Internet.”
“They need to make certain their systems for the delivery of water and electricity are checked and double-checked, and maintained at a high level, even if new federal infrastructure dollars are not forthcoming,” Jennings said in an email. “And Astoria would be a great place for rainwater barrels also — something every Oregonian should have.”
Cybersecurity generally and ransomware in particular have increasingly become the focus for federal law enforcement, starting with the White House, which announced this month President Joe Biden will confront Russian President Vladimir Putin about the prevalence of ransomware attacks that originate in Russia.
“Ransomware is a big issue for the FBI,” said Beth Anne Steele, spokeswoman for the FBI’s Portland office, in a phone interview. The agency is working to educate people and organizations about how to keep their networks safe, and to share information with the agency and with one another when attacks occur.
Attackers are relentless and well-resourced, said Dave Nevin, a computer science professor who leads the Oregon Research & Teaching Security Operations Center at Oregon State University. Nevin, who said by email he was speaking in his personal capacity, said organizations are increasingly gaining access to resources of their own. But security begins at the ground level.
“As we’ve seen from Colonial Pipeline and others, cyberattacks can be costly and damaging to a business. They can result in loss of revenue, inability to deliver key services, theft and reputation damage,” he wrote. “But organizations can do things to limit that damage: practice good cyberhygiene and plan for the inevitability that, at some point in time, you will be the victim of a data breach. Having a good disaster recovery plan that addresses ransomware and other cyberattacks is important. Detection is key: organizations have been able to thwart potential ransomware attacks by early detection — the less time an attacker is inside your network (because it will happen) the better.”
Astoria City Manager Brett Estes said the response to the Great Coastal Gale of 2007 demonstrated Astorians’ resilience and resourcefulness. He said city information technology staffers worked with the manager of Safeway, for example, to figure out how to get gasoline pumping from the store’s underground tanks.
The gale also showed that “we don’t know how tethered we are” until systems are disrupted, Estes said. It’s a lesson echoed by many after the gale.
“The biggest takeaway was that the city needed a truly multihazard emergency response plan,” Jay Raskin, who was a city councilor in 2007, told The Astorian on the 10-year anniversary of the storm. “Our emergency response had been geared for a Cascadia earthquake and tsunami with the idea if we prepared for that we would cover the other hazards,” Raskin said. “The storm taught us that different hazards require different responses.”
The same is true of digital storms, which can break suddenly and catastrophically.