A top U.S. government official said Thursday it is increasingly likely the federal government will be faced with a “catastrophic cyber incident” larger in scope than the recent Colonial Pipeline hack.
Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, also said ransomware attacks like the one against Colonial Pipeline are likely to continue.
“This is a scourge that is not going to be easily eradicated,” Mr. Wales said about ransomware, a type of malicious software popular among cyber-extortionists usually designed to deny access to an infected computer system or its files until a payment is made.
Mr. Wales, the head of CISA since November, made the comments during an online forum that was organized by the George Washington University School of Media & Public Affairs and the Howard Baker Forum.
Colonial Pipeline, a major fuel supplier for the eastern U.S., announced hours later that it had restarted its entire pipeline system after a ransomware attack caused it to shut down six days earlier.
Mr. Wales called the Colonial Pipeline hack “certainly a significant incident,” but he was reluctant to say it qualified as what he would consider a “catastrophic cyber incident.”
“An attack on a single site, even if we were asked to provide incident response assistance to that entity, would not likely overwhelm our ability to provide that kind of support,” said Mr. Wales.
A catastrophic incident, comparatively, “would affect multiple entities simultaneously with a large number of requests for assistance across the country,” straining CISA’s ability to respond, he said.
Pressed about the possibility of a catastrophic cyber incident occurring, Mr. Wales said: “My sense is that the likelihood is increasing almost every day.”
Mr. Wales cited what he called an increase in “broad-based” attacks larger in scale coming from adversaries more aggressive and sophisticated than earlier sorts of cybercriminals.
Specifically, Mr. Wales noted both the SolarWinds hack disclosed in December, which affected several U.S. agencies, and the exploitation of Microsoft Exchange products revealed more recently.
The U.S. has accused Russian hackers of compromising SolarWinds, a software company with public and private sector customers, and conducting a sophisticated, targeted supply chain attack.
Microsoft reported in March that suspected Chinese state hackers were exploiting vulnerabilities in its Exchange server programs, and CISA reported last week that Russians are exploiting them, too.
Close to 100 entities in the U.S. were affected by the SolarWinds hack, Mr. Wales said, while the Microsoft bugs impacted “thousands and thousands” of servers in the U.S. and abroad.
“So the kind of broad-based attack that we’re concerned about, we’re seeing the prelude to that today,” Mr. Wales said during the forum.
The attack on Colonial Pipeline last Friday involved a particular kind of ransomware called DarkSide. The U.S. government has not attributed the operators of DarkSide to any particular state actor.
Mr. Wales said the operators of the DarkSide ransomware have shown no signs of stopping and that he believes cybercriminals will continue using ransomware as long as its business model remains viable.
Indeed, several news outlets reported that Colonial Pipeline ultimately paid the ransom, valued at nearly $5 million, despite the federal government recommending that victims react otherwise.
“This is a significant challenge,” Mr. Wales said about DarkSide.
Cybersecurity experts recommend installing security updates when available and practicing basic online safety measures, such as avoiding suspicious attachments and websites, to prevent cyber-extortionists from installing ransomware on victims’ systems.