The Risks of Paying Ransoms, Darkside Group Gets $5Mil
On May 7th, a ransomware attack, now confirmed by the Federal Bureau of Investigation (FBI) to have been the work of the criminal group Darkside, forced Colonial Pipeline to proactively shut down operations. On Friday, Bloomberg reported that Colonial Pipeline paid the nearly US$5 million ransom in untraceable cryptocurrency within hours of the attack.
Colonial Pipeline provides nearly half the fuel supply for the U.S. East Coast. Stores of gasoline, oil, jet fuel, home heating and military supplies were all so heavily impacted that, to help with the shortages, the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states. Widespread panic buying began to cause shortages. In metro Atlanta, 30% of gas stations have run out of gasoline. In Raleigh, North Carolina, 31% of gas stations had no fuel on Tuesday. Meanwhile, unleaded gas prices hit an average of $2.99 a gallon, the highest price since November 2014, the American Automobile Association said.
Once the ransom payment was received, the criminal group provided Colonial Pipeline with a decrypting tool to restore its disabled network. On Thursday, the largest fuel pipeline in the U.S., which carries 100 million gallons per day of gasoline, diesel and jet fuel, began moving some of the first millions of gallons of motor fuel. On Friday, Colonial Pipeline ramped up deliveries to fuel-starved markets on the East Coast. Although the attack was the most disruptive cyberattack on record and underscored the vulnerability of vital U.S. infrastructure to cyberattacks, the paying of the ransom set a dangerous precedent. It's generally accepted as bad practice to negotiate with terrorists.
The High Risks of Paying Ransoms
Adebayo Adeleke, a U.S. Army Veteran, thought leader and speaker on geopolitics, risk management and security, took a moment to share his concerns with Procurement Magazine on the precedent being set. "Historically, we don't negotiate with terrorists. Paying the ransom for a cyberattack and engaging them in monetary negotiation is legitimizing their efforts, goals and means. Ransomware is all about the money, and it's profitable, and because of this, it has been used as a tool for years now. To make ransomware go away, we must make it unprofitable, and the only way to make it unprofitable is NOT to pay them.
"Yes, it's easier said than done. There are only two choices one has when confronted with a cyberattack by ransomware, pay the amount or negotiate with them or do not pay them. I understand both sides. Shareholders pressure, national security issue at stake, severe economic impact, undue hardship, job loss, impact on the local communities and the list goes on. On the other hand, rebuilding what must have been stolen might run the organization out of business and expose lapses in U.S. national security as far as critical infrastructure is concerned, and the list goes on. There is no easy way out, but the moment money is exchanged for stolen data, it sets the precedence of exploitation and legitimizes bad behaviour, and this will continue to make the behaviour profitable. Either way, the outcome is never going to restore Colonial back to norm in the needed time. It's not going to be easy to stop these acts. The inevitable has to be done.
"Terrorism, banditry, kidnapping, ransomware all follow the same tactics. Again these tactics are not new, but it's interesting that they are digitizing tactics in a very worrisome way. There is nothing absolutely new underneath the sun. As it is in old, so it is in the new… you pay them, you glorify them."
The White House Launches Supply Chain Task Force
The Biden Administration has released its 100-day supply chain assessment for semiconductor manufacturing and advanced packaging, large-capacity batteries, critical minerals and materials, and pharmaceuticals. After a year in which supply chains throughout the nation were decimated by the pandemic, the new task force intends to get the country back on track.
These measures come just in time. Semiconductor shortages have crippled the nation’s automotive manufacturers, and the new Innovation and Competition Act will strain ties between the U.S. and China. The United States needs to invest in resilient and secure supply chains, as well as help its manufacturing companies survive the pandemic.
What’s Happened Already?
Since February, the administration’s COVID-19 response team has vaccinated 137 million Americans, worked with semiconductor manufacturers, expanded rare earth element mining outside of China, and addressed supply chain cyber vulnerabilities. “Unfair trade practices by competitor nations, private- and public-sector prioritisation of low-cost labour and a focus on short-term returns over long-term investment have hollowed out the U.S. industrial base”, said the White House.
To address risks and vulnerabilities, the administration will also prioritise the following steps:
- Commit US$60mn to develop novel platform technologies to boost API production
- Develop a domestic lithium battery supply chain to combat the climate crisis
- Support manufacturers of advanced battery cells and packs with US$17bn in loans
- Invest nearly US$75bn in semiconductor manufacturing
- Give US$100mn in grants to state-led supply chain apprenticeship programmes
In addition, the White House recommended that the nation should establish a Supply Chain Resilience Programme backed by US$50bn in domestic supply chain investments.
An International Effort
Although the United States has recently doubled down on hardline stances against foreign trade competition—one need only look at its recent Senate bill—the scale of its supply chain transformation programme requires partnership. “Even as the U.S. makes investments to expand domestic production capacity for some critical products, we must work with allies to secure supplies of critical goods that we will not make in sufficient quantities at home”, the White House stated.
In the coming months, the U.S. will work with international allies such as the Quad and the G7 in order to diversify its networks, ensure human rights compliance, and source critical minerals and materials. And though the nation is aggressively investing in R&D and competitive technology, it wants to maintain its global trade ties. “U.S. investments abroad must incentivise environmentally and socially responsible production”, the administration wrote. “We must engage our partners to promote global resilience”.