Sunday, May 16, 2021

After Colonial What Next?

Who doesn't understand that Colonial Pipeline's payment of terrorist demands for $5 million dollars was driven by what must be disastrous polling by the Zhou regime? This is of a piece with the Zhou regime's similar turn-on-a-dime change of Covid policy--off come the masks, open the school doors! Clearly the Zhou regime understands that half the country--including many Dem voters--regard the current occupant of the White House as illegitimate. Their internal polling presumably matches the published polling by Rasmussen Reports. This explains their panicked responses to what has become a drumbeat of negative developments--desperate attempts to placate the public and to douse fires at whatever cost.

Presumably hostile foreign powers--both state and non-state actors (terrorists)--have taken note of this abject panic on the part of the Zhou regime and they will plan accordingly. The Zhou regime's attempts to minimize or explain away its actions, both regarding Covid as well as Colonial, have sent a signal that cannot have been missed. I'd be very surprised if we don't experience further asymmetrical attacks sooner rather than later. The attempts to pass the Colonial attack as mere blackmail of a foreign government by "hackers" may fool some of the usual fools, but no one else.

In that regard, Jonathan Turley has an excellent article at The Hill today, in which he delves into the related legal issues--which happen to be key for getting a firm grasp on this situation:

Why the White House won't define pipeline attack as terrorism

It's important to understand that Turley is not simply an alarmist with regard to terrorism. He has, in fact--consistently with his record as a leading old style civil libertarian liberal--vocally resisted the usual drive to define all criminal acts as "terror" whenever possible or conceivable. But in this case he has no doubts:

... the White House and the media have referred to the Colonial Pipeline ransomware attackers simply as “hackers.” “DarkSide” is not just a collection of hackers — it's a group of terrorists. And the only thing more concerning than the failure to label them correctly is the possible reason for not doing so.

Once you understand and accept the obvious conclusion that Darkside conducted a terrorist attack things get very disturbing. Turley sets out the applicable law, and it's very clear:

While definitions vary, DarkSide meets key elements of terrorism crimes. Key provisions such as 18 U.S.C. 2331 focus less on the motivation of terroristic acts as opposed to the intent: "(i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping." ... Cyber terrorism can have either economic or political motivations or both. Indeed, gangs can be enlisted or enabled by foreign powers such as Russia or Iran to carry out such attacks.

Intimidate or coerce a civilian population? You betcha. 

When you coerce an entire population, you are a terrorist — whether you do so for Allah or for moolah.

This was no ordinary blackmail. The Zhou regime wants us to accept that this was a "private sector decision". Please! Turley and everyone else knows better--this decision to pay the blackmail was not done without regime input:

Colonial just paid a ransom to terrorists. Moreover, gas pipelines are not just “a private company” but a highly regulated industry that closely follows the government’s directions.

Everyone in the world that matters knows this. And they know the reason: The Zhou regime is on such shaky ground after just 100 days of playing pretend--yes, see the NYT dissection of Zhou in that regard--that it can be counted on to panic and cave when the going gets rough. Or moderately so. As Turley says, this ransom was not just a nuisance cost for Colonial--it was blackmail against the US government. We should expect further attacks, now that the regime's mental state and stance is clear:

We have long maintained a policy of not yielding to terrorists, and outsourcing ransom payments does not change the implications of this decision. DarkSide and other cyber terrorists now know they not only can succeed but can do so surprisingly quickly. Indeed, ransomware has been profitably used around the world for years with businesses. This incident, though, was different. It was designed to cause widespread social and political havoc among our population. 

If the Biden administration did not want to pay terrorists, it could have used a wide array of powers to pressure Colonial not to pay. Colonial is tied into our infrastructure and largely exists by the grace of federal and state agencies. If Biden declared publicly that the company should not yield to terrorists, he would have presented no less of an existential threat to the company than DarkSide did.

It may be true that the Biden administration concluded we are defenseless to cyber terrorism despite years of ransomware attacks and hundreds of billions of dollars in cybersecurity programs. If that is the case, the public should be informed. The failure of Congress and our government to defend against such terror attacks is a national security failure of breathtaking proportions. The Colonial Pipeline attack was the cyber equivalent of Pearl Harbor.

Chris Wray, where are you?

After you read Turley--and I urge you to do so--there are two other items that are worth looking at. First comes an article at The Atlantic:

The Colonial Pipeline Attack Is a Dark Omen

Our digital world wasn’t built with security in mind.

Yeah, I know what you're thinking--whose fault is that? Didn't we all think that the first and overriding duty of any government is national security? What's our government been doing for the last umpteen years, besides spying on conservatives and undermining electoral integrity--and rebranding mostly peaceful dissent as "white supremacist terrorism"?

Well, anyway, the author makes some legit points, while skirting some hard truths. For example:

Adding security after the fact to a digital system that wasn’t built for it is very hard. And we are also surrounded by “technical debt,” programs that work but were written quickly, sometimes decades ago, and were never meant to scale to the degree that they have. We don’t mess with these rickety layers, because it would be very expensive and difficult, and could cause everything else to crumble. That means there is a lot of duct tape in our code, holding various programs and their constituent parts together, and many parts of it are doing things they weren’t designed for.

Our global network isn’t built for digital security. As I wrote in 2018, the early internet was intended to connect people who already trusted one another, such as academic researchers and military networks. It never had the robust security that today’s global network needs. As the internet went from a few thousand users to more than 3 billion, attempts to strengthen security were stymied because of cost, shortsightedness, and competing interests.


Many problems like these aren’t fixed, because of what economists call “negative externalities”: Shipping software or devices like these is free, and fixing any issues that come up is expensive. Taking the latter, more expensive route provides no immediate reward. It’s like telling factories that they can pollute as much as they want, dumping their waste into the air or a nearby river, or they can choose to install costly filtering systems, in a setup where the pollution isn’t quickly visible through smell or appearance. You can guess what happens: The companies don’t worry about it, because they don’t have to.

Color me cynical--and, by the way, I'm no tech expert--but I have to question some of this. Is Congress a "negative externality"? How about Deep State regulation? C'mon guys, couldn't Congress have passed some laws about infrastructure digital security? Or did "the companies" pay campaign contributions so those laws wouldn't get passed? I'm sure others more knowledgeable than I could poke a few more holes.

One who does poke some holes is Karl Denninger (a few says ago--I've been siting on this):

What Do Solarwinds And Colonial Have In Common?

Denninger's post is more or less a rant. The theme is simple: Companies take the easy way. Sometimes it's because they have stupid people in their IT department, other times they're lazy and cater to employee convenience. That's stupid, too. The fixes aren't necessarily technically complicated, and sometimes they're not even expensive. A few years ago I had a new furnace and thermostat installed. The installers wanted to help me connect it all to the internet! Uh, no. Just no. Why in the name of all that's holy would I want to connect any appliance in my host (computer excepted) to the internet? Is that so different, conceptually, from what Denninger asks:

Pipeline operator?  Heh, you don't have a right-of-way from one end to the other already, do you? Oh, wait, you do? Then why didn't you run fiber along said right-of-way and have your own transport infrastructure that is impervious to electrical disturbances, other than at the repeaters of course which require power. Why wasn't it true that every computer that could in some way interact with said control system, including billing, and the control system itself wasn't on a sanitary network on private infrastructure with exactly zero outside connectivity of any sort -- and no exceptions? If you needed to work from home why wasn't it done like the DOD does it, where the machine has a nailed VPN that cannot be overridden, the employee has no administrative access, yes, even the CTO and CEO, the USB ports don't work and for the love of God you can't get on Facebook from it because said machine only connects back to a sanitary network with no outside links!
Nobody wants to do it and Warner, along with the rest of the screaming goats in Congress and elsewhere know damn well how to do it because the DOD in fact does it.  

He has lots more to say, so follow the link. If the people running our government weren't so intent on making money from China this all would have been done long ago.


  1. Having been a programmer (since 1975) I've seen the quality of our software systems degrade in correlation with the outsourcing (foreign) of the work. So I'm pretty sure the rest of the world is in worse shape than we are.

    Hey, I have an idea! Let's computerize our elections! What could go wrong?

  2. I had meant to post this KD material here, so congrats on beating me to the punch!
    His replies to readers are also well worth a look, e.g. at :

    < ... The machine in question is nothing more than a secure extension of the protected environment, that is configured so it cannot be altered by the outside party, nor opened to such by the authorized user, it cannot connect, to anything or anywhere that a malicious payload can be injected, and if anyone tries to **** with that, the device is immediately disabled, and the VPN key half or authorization on the server side destroyed, or permanently revoked.
    It thus becomes immediately non-functional, and cannot be re-authorized until it is returned to IT, where it is re-imaged from zero, the BIOS along with any add-on flash-writeable ROMs are all re-flashed as well, and it is restored to being secure, and a new VPN key is generated. This is designed, so that no amount of pleading, screaming or CEO/COO/CTO bitching can change it, because the VPN key is either recorded as irrevocably revoked, or has been destroyed, and thus it is physically impossible for it to be put back.

    That can work, but you have to do it correctly, so there's no way out of the jail, and intentional attempts to get out get you immediately fired, or (in the case of the DOD when classified material may be involved) perhaps even arrested.... >

  3. I've seen enough "life safety" critical infrastructure systems built for reliably and dependability flat out intentionally wrecked by faulty and completely intentional owner implementations.

    It really just takes one idiot I'm the room to play "yes Man" to the simplest of whims to cost tens of millions of dollars to DAILY operating costs and no one ask why.

    That's the reality of private industry colliding with tech stupidity. 5 million was a good deal, even 50 million wouldn't have been an issue for the OG industry.

    The *hackers* way undersold themselves.

  4. The Sony hack was eye opening, before then security was seen as an expensive unneeded luxury.

    And IT is an area that seems like it can be outsourced to save money, and put everything on the cloud to save even more money!

    Iran tried some dirty tricks with a city water system in Israel.

    Israel retaliated by snarling an Iranian port through a software attack,

    Software has been used to destroy uranium enrichment centrifuges in Iran.

    And North Korea has been making money off ransom ware.

    So it’s not surprising that the pipeline happened. The only thing surprising is it did not happen sooner, or perhaps under Trump they were afraid he would order physical retaliation via a drone strike, or view it as a declaration of war.

    And the NSA be demanding back doors, has not helped. Or the cia funding finding zero day exploits, that then get hacked by probably the Russians, and released, to embarrass the US.

  5. On the NSA demanding back doors, would this stop firms from implementing KD's recommendations about secure wiring etc., or could such wiring allow such back doors?