Will the ransomware attack on Colonial Pipeline change the international norms currently in place regarding nation-states and their historical hesitancy to engage in crippling infrastructure attacks? In this paper, we will explore some underlying issues and identify indicators of change which could help to evaluate potentially evolving norms.
Introduction:
It remains to be seen whether the Colonial Pipeline attack by DarkSide will unleash the monster that could become normalized state-sponsored infrastructure cyber sabotage and/or ransomware, but let us all acknowledge a few facts:
First: Nations are capable of attacking other countries’ critical infrastructure. Examples include situations of measured retaliation, calibrated threat removal or selected messaging, as well as when powerful hegemons take less restricted actions within their region of influence or control to intimidate others.
Second: Most countries have thus far shied away from attacking critical infrastructure of other countries for fear of facing acts of retaliation against their own infrastructure systems and/or becoming the focus of international scrutiny. While selected acts of state-sponsored cyber sabotage have been considered somewhat justifiable when the attack is carefully gauged to retaliate, remove a threat or send a message in a way that is both deniable and falls short of war, other acts of cyber sabotage by regional hegemons which may be less justifiable have been less challenged due to geopolitical realities. However, state-sponsored ransomware attacks have been generally condemned as indiscriminate and money-grubbing.
Third: The Colonial Pipeline attack was massive in terms of how many people it disrupted, how large of a region was impacted, and how much media/government attention it received.
Last: Russia, China, Iran, the US and many others are in a cycle of cyber escalation. This is evident with the Solar Winds attack and the Microsoft Exchange hack, election manipulation, IP theft and more. Cyber espionage, cyber sabotage and ransomware are different types of actions, yet they exist along a blurry line and can all be applied to critical infrastructure.
Will these factors come together into the perfect storm? Are we entering into an age where China will turn your power off or Russia will shut down bridges and tunnels, either through cyber sabotage or ransomware?
