Sunday, May 16, 2021

Infrastructure Ransomware Targets Are Not Victims

Companies like Colonial Pipeline accrue rich margins for the essential service they provide. Whether by regulator-granted monopoly franchise, being first to market, or operating in what appears to be a dull, low-growth business, infrastructure companies have become complacent. Having sunk substantial funds in the ground, they rarely perceive the need to make significant additional investments in such areas as network security.

Infrastructure companies owe their customers and the nation a duty of care that includes ongoing efforts to protect their networks from harm, including remote access by criminals and government agents intent on mischief, extortion, espionage, or terrorism. This duty should be baked into the mindset of infrastructure managers, instead of the conventional wisdom that they can generate higher annual Christmas bonuses, stock prices, and share dividends by scrimping on research, network security enhancements, and efforts to protect their investments from now-predictable hacking.

If someone breaks into your locked car by smashing a window, the court of public opinion and insurance companies typically consider you a crime victim, worthy of sympathy and support. On the other hand, if you kept the car unlocked, or inadvertently left your electronic door opener in the vehicle, compassion and reimbursement evaporate.

Colonial Pipeline and other mission-critical service providers know that they must keep their networks locked and secured. Scrimping on these tasks does not pass the smell test, nor does an assertion that infrastructure providers are helpless and have no ability to guard against bad actors who can succeed in hacking networks, often by simply duping employees into clicking on a credible-looking link that triggers a download of malware.

As for telecommunications infrastructure, Congress, the Executive Branch, and the Federal Communications Commission recognize both the importance and vulnerability of broadband networks. However, they have emphasized the need to blacklist companies and order the removal of equipment by telephone companies, rather than concentrate on consumer protection. The FCC relies on mostly anecdotal evidence that Chinese equipment can provide “back door” access for surveillance, espionage, service outages, and disruption of equipment supply chains.

No one in the federal government appears concerned that private and public harms can result not only from the nationality of equipment manufacturers, but also from the failure of network operators to strengthen network security. A substantial, long-standing body of law, case precedent, and commercial best practices imposes a high duty of care on telecommunications carriers and even on providers of services whose content rides along the carriers’ transmission conduits.

Instead of placing the burden squarely on telecommunications carriers, the FCC appears to think it can solve national security problems by targeting foreign governments. This strategy offers no protection against sabotage executed via equipment manufactured by domestic companies and friendly foreign ventures.

The FCC has a longstanding policy of relying on market forces to meet consumer wants, needs, and desires. Consumers have near-complete freedom to attach devices, such as Wi-Fi routers and cable modems, to telecommunications networks. The only qualifier: the attached device cannot harm the network.

What about the potential for the network to cause harm to the user? Despite the blacklisting of several Chinese carriers and equipment manufacturers, consumers remain vulnerable to network harm. Worse yet, the network provider incurs no liability for such harm, even if its lax attitude toward network security facilitated the harm. No law currently exists that even imposes the duty to notify subscribers quickly about hacks and stolen consumer data.

Apparently, bad stuff happens to infrastructure, and the provider has no responsibility even to make reasonable efforts to anticipate and minimize harm.