Three Cybersecurity Questions from the Colonial Pipeline Hack

The government needs a better strategy to deal with cyberweapons.

Shay Khatiri
May 18, 2021

Photo caption: Out-of-order notes are left on gasoline pumps to let motorists know the pumps are empty at a Shell gas station in Woodbridge, Virginia, on May 12, 2021. Fears that the shutdown of the Colonial Pipeline because of a cyberattack would cause a gasoline shortage led to some panic buying and prompted U.S. regulators on May 11, 2021, to temporarily suspend clean fuel requirements in three eastern states and the nation's capital. (Photo by Andrew Caballero-Reynolds / AFP via Getty Images)

The recent hack of the Colonial Pipeline resulted in dramatic images of people lining up at gas stations and (supposedly) filling shopping bags with gasoline across the South and Mid-Atlantic. It is, however, only the latest in a long line of cyberattacks by both nation-states and independent criminal groups (and in some cases elements of both working together) against the U.S. government and critical infrastructure. The frequency and destructive capacity of these attacks indicate that the public and private sectors aren’t responding to the threat fast enough.

In January, the United States accused Russia of infiltrating networks belonging to the Departments of State, Commerce, Homeland Security, and the Treasury. In April, a cybersecurity firm hired by the U.S. government found that Chinese hackers had compromised dozens of U.S. government agencies. The Russian hack of SolarWinds and the Chinese exploitation of Microsoft were made public that same month. Chinese infiltrations into Equifax and the Office of Personnel Management, in 2017 and 2016 respectively, gave the Ministry of State Security access to the personal and financial information of millions of Americans. Iranian, North Korean, and Venezuelan operatives, as well as transnational criminal organizations, also are targeting Americans.


In the face of such an onslaught, America’s defensive capability is inadequate. Whatever steps the federal government may have taken in recent years to secure its systems—and the SolarWinds hack indicates that those steps have been small—the Colonial Pipeline fiasco illustrates the larger problem: Any number of capable adversaries can inflict harm on the country without attacking the government directly.

The debate over the cyber domain in some ways mimics that of nuclear weapons during the Cold War, when there were two schools of thought about the best way to prevent a Soviet first strike. One theory, which found its clearest explication in the Strategic Defense Initiative, was to have a strong missile defense. The other was to rely on a credible and resilient second-strike capability to deter the Soviets, which was one of the origins of the nuclear triad. For the most part, deterrence beat out missile defense to become America’s strategy. But by failing to invest sufficient resources in missile defense, it’s also likely the United States sacrificed both strategic technological advantage and peace of mind. It is not clear if deterrence was the best option in the nuclear domain in the twentieth century, nor if it will be in the cyber domain in the twenty-first.

But it is clear that the assumptions about nuclear weapons do not apply to cyberweapons. Nuclear weapons can’t be used in secret. Unlike nuclear weapons, cyberweapons have already been used by multiple states and non-state groups quite casually. Nuclear weapons require sophisticated resources and programs, unlike cyberattacks which a small group of people with easily accessible technology can launch from their homes.

The government can’t assume that the comfortable constraints of the Cold War will apply in the cyber realm. Congress and the executive branch need to form a new cyber defense strategy, and they should start by answering three questions:

Can cyberwarfare be separated from other domains? Land and naval campaigns have mixed for as long as there’s been recorded history of warfare. Since World War I and especially World War II, neither has been separable from the air domain. Yet conventional warfare has persisted without the use of nuclear weapons since 1945. To what extent can and should the cyber domain be kept separate from the other domains? Should the United States announce a new deterrence strategy that includes the possibility of kinetic retaliation to cyberattacks?

Is it time to publicize retaliatory attacks? When deterrence breaks down, it requires a public act of reprisal to reestablish it. After Iran-backed proxies attacked the U.S. embassy, the United States killed Iranian general Qasem Soleimani to demonstrate publicly the price of attacking Americans. In other words, the Trump administration did not hide the enforcement of deterrence. The United States, however, does not publicize its retaliatory attacks, but the news of enemies’ strikes frequently makes the headlines. This injures national morale at home, while boosting our adversaries’ propaganda. The concern with publicizing deterrence is that it incentivizes an adversary to retaliate to save face before its constituents, and that could lead to escalation.

What is to be done with non-state hackers? The Colonial Pipeline attack was piracy, not warfare. While it is unlikely that Vladimir Putin had given direct orders for the attack, his intelligence and state security ministries have cooperated with organized crime and allowed it to prosper in Russia. The situation is similar to the case of al Qaeda under the Taliban’s sanctuary in Afghanistan. But Russia, with thousands of nuclear warheads, is not the Taliban. Americans need to think seriously about pirates and cyberterrorists who are supported by state actors. Our adversaries benefit from cyber piracy and terrorism against us.

Cyberwarfare is becoming an element of great power competition. The Biden administration has prudently elevated the role of the cyber domain in national security by creating a National Cyber Director for civilian defense. This is a welcome development—but the issue is far from solved.

