Pipeline and other key infrastructure companies aren't currently required to report ransomware attacks, so "we don't really understand how bad the problem is," says a former cybersecurity official.



For the first time, the Department of Homeland Security has decided it needs to regulate cybersecurity in the pipeline industry. The Washington Post first reported this move, which means a new set of rules to safeguard pipeline companies against cyberattacks like the one that crippled the Colonial Pipeline earlier this month and forced it to shut down. That meant fuel shortages for days across the eastern part of the United States.

We're going to turn now to Chris Krebs. He was the first director of the Cybersecurity and Infrastructure Security Agency at DHS when it was founded in 2018. He left the job in November of 2020. Chris, thanks so much for being back on the show.

CHRIS KREBS: Thanks for having me on, Rachel. Good morning.

MARTIN: Good morning. Why do pipelines need their own set of regulations?

KREBS: Well, the operating conditions of pipeline is one of our critical infrastructures. They have some unique aspects, and given the way that the U.S. government divvies up the oversight and management of the various critical infrastructure sectors, pipelines, oddly enough, fall under the Transportation Security Administration. You might think, sounds like an Energy Department area.

MARTIN: Right - instead of the people who are watching over the metal detectors at airports.

KREBS: Yeah. Well, but ultimately, a pipeline is a mode of transportation, and there are multiple products that move through pipelines, including water and chemicals and gases. And so what you really think about is not the product that flows through the pipes, but it's the modality itself. It's the infrastructure itself. And TSA is uniquely situated to be helpful here. And so what you're seeing is, as you pointed out, the first security regulation from TSA over pipelines, and it's an incremental step, at least for the moment.

MARTIN: So what's it going to change?

KREBS: Well, for one, this specific directive - and the directive is focused. It's threat-oriented and likely be time limited, but it's going to require reporting of security incidents to TSA and to my old agency, CISA. And that's it. But there's additional authority that may take a little bit more time to develop where you may see things like security standards or baseline standards of performance for security measures.

MARTIN: So this is primarily a reporting mechanism. Private companies then are going to have to disclose when they've been hacked to the federal government. Are they interested in revealing that information?

KREBS: Well, that's the interesting thing, right? When you think back to the initial days of the Colonial Pipeline hack a couple weeks ago and my predecessor, the acting director, was in Congress, and he was asked questions about what you know, what don't you know. And ultimately, early on, there wasn't a lot of information available to the federal government because it's not required to report on incidents. And I think that's a key element that has to change across all of our critical infrastructures, not just pipelines. But these companies need to report to the government because if we don't really know how big the problem is, it's hard to make informed policy and operational decisions going forward.

MARTIN: So these regulations are supposed to be mandatory. How do you enforce that?

KREBS: Well, there are a number of different ways they can do that. First is just through the kind of the wag your finger and you engage them all the way up to security fines and shutdown of operations. These are the sorts of directives that TSA issues and implements all the time at airports - just recently, mask mandates on commercial air travel. So there's a regime in place. There are relationships with the pipeline sector, and now it's just a matter of getting it out there and helping these organizations understand who they need to talk to and how to do it.

MARTIN: And you nodded to this earlier, but help us understand what comes from that information. So the federal government finds out about a particular hack, or now they have a bunch of data points about several hacks. What does that do to prevent them?

KREBS: Well, I think one of the things that's important right now is that due to a lack of a mandatory reporting regime on ransomware specifically, we don't really understand how bad the problem is. And one of the things that I would greatly encourage is anyone that has a ransomware event notifies the government so that we - so the government can take action needed, including working with our foreign partners, as well as some of the countries that may be harboring these ransomware actors, so that we can put an end to this now.

MARTIN: Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency at DHS, we appreciate you taking the time. Thank you.

KREBS: Thanks a lot.

Transcript provided by NPR, Copyright NPR.