A decade ago, after hackers were caught infiltrating natural gas pipeline operations and an al-Qaida video emerged calling for an “electronic jihad” on US infrastructure, then-Senator Joseph Lieberman tried to sound the alarm.
The system is "blinking red," Lieberman warned his Senate colleagues during debate on the threat in 2012. "Privately owned and operated cyber infrastructure can well be, and probably some day will be, the target of an enemy attack."
Led by the Connecticut independent and one-time vice presidential candidate, lawmakers sought to require energy companies to strengthen computer security. But the effort withered under fierce lobbying by oil companies and other corporate interests that succeeded in killing the legislation. That left in place a system of voluntary guidelines that failed to stop last month’s ransomware attack on Colonial Pipeline Co., which paralyzed a major artery for fuel along the East Coast.
"It’s really a lost opportunity," said Lieberman, now senior counsel at Kasowitz Benson Torres. "The attack on the Colonial Pipeline might not have happened if we passed the legislation."
Now, in response to the attack, the Department of Homeland Security is preparing to jettison the voluntary approach and impose cybersecurity requirements on pipelines, according to a person familiar with the plans who asked not to be identified before a formal announcement.
That would be a defeat for oil companies and pipeline operators that for more than a decade have successfully fought off federal standards to thwart cyberattacks from legislation or regulatory agencies. Unlike power plants, US pipelines are not required to follow any federal cybersecurity mandates, even though Homeland Security was given the authority to impose them when it was created in the wake of the Sept. 11, 2001 attacks.
The Transportation Security Administration, the DHS agency in charge of protecting the nation’s pipelines, will issue a directive this week requiring pipeline companies to report cyber incidents, according to the person familiar with the plans. Additional requirements for safeguarding facilities and responding to attacks are set to be advanced in coming weeks, the Washington Post reported.
"The Biden administration is taking further action to better secure our nation’s critical infrastructure," DHS said in a statement on Tuesday. "We will release additional details in the days ahead."
Until now, the TSA had resisted using its authority to mandate cyberprotection measures.
"My belief was we could get quicker and better security through working with the industry instead of regulating them because regulations set minimum security standards and industry in many cases was doing more than that," said Jack Fox, who served as the agency’s manager of pipeline security before retiring in 2016.
Lieberman’s bill would have imposed cybersecurity performance requirements on privately owned critical infrastructure — and slap fines on companies that fell short. The rules would have been applied to more than pipelines: sectors where a hostile take-down of computer systems could lead to mass casualties, the collapse of financial markets or the disruption of energy and water supplies, were to be included.
Even a watered-down version of the bill failed to overcome a Republican-led filibuster.
For Lieberman, the failure still stings.
"We would sort of ask ourselves who is driving this aggressive opposition and the answer we were getting was the energy companies and the pipeline companies," he said.
Every major US oil company — including Exxon Mobil, Chevron, and ConocoPhillips — lobbied on the legislation, alongside some refiners and at least one pipeline operator. Colonial didn’t lobby on the measure in 2012, according to disclosure forms it filed with Congress. However, groups it belonged to did, including the American Petroleum Institute, the Association of Oil Pipe Lines, and the Chamber of Commerce — a political titan that reported spending $103.9 million influencing government policies in 2012.
The Chamber opposed the legislation at the time, calling it an overly broad, heavy-handed approach to regulation that threatened to create an "adversarial" relationship between the government and private industry instead of fostering collaboration against cyberattacks. The group backed an alternative approach focused on greater sharing of threat information, a stance it continues to endorse today.
"We support a public-private collaboration that strengthens our cybersecurity in all sectors, including pipelines, to benefit all Americans," said Matthew Eggers, vice president of cybersecurity policy for the Chamber.
Cybersecurity experts and government officials have cautioned for years about the consequences of a pipeline hack, including in 2019 when the Office of the Director of National Intelligence issued a report warning a cyberattack could disrupt a pipeline "for days to weeks."
Nevertheless, there was widespread business opposition to the Lieberman bill, with almost every affected industry, from financial services to communications, getting involved to warn the proposed cybersecurity mandates would insert the heavy hand of government into corporate affairs.