Security experts underscore the potential national implications of the attacks, saying they serve as a cautionary tale for how computerized mayhem can disrupt the economy, and even everyday life. Heightening those risks in recent years: industry consolidation that has concentrated market power in a handful of major companies and their computer networks — potential chokepoints that could be used to disable U.S. supplies of key products and services.
“Both the Colonial Pipeline and JBS events are really good reminders that there are significant concentration points in the supply chain for critical goods and services in the U.S. that need special attention,” David White, president of cyber risk management company Axios, told CBS MoneyWatch.
The May attack targeting Colonial Pipeline and this month’s ransomware, the world’s largest meat producer, disrupted operations involving nearly half the gasoline and jet fuel to the East Coast and about a fifth of cattle and hog slaughter in the U.S. Prices of both gas and meat were already increasing amid pent-up demand for travel and restaurant meals, with the cyber hits further ratcheting up costs.
“Now you have in the headlines playing out a clear recipe for how you can severely damage the U.S. economy. It’s very frightening when you start to look at what could happen from a nation-state actor,” White said. There is now “a clear game plan for how a nation-state that has a very different set of motives” might wage a cyber offensive, he added.
Colonial Pipeline CEO Joseph Blount acknowledged as much in prepared remarks Tuesday before Congress. “Criminal gangs and nation-states are always evolving, sharpening their tactics and working to find new ways to infiltrate the systems of American companies and the American government,” he said. “These attacks will continue to happen, and critical infrastructure will continue to be a target.”
4 companies control 80% of U.S. meat
The JBS attack drew national headlines and served to highlight just how exposed the nation’s food supplies are to cyber threats.
“At this scale, it’s kind of a wakeup call,” said Mark Jordan, executive director of Leap Market Analytics, a research firm focused on livestock and poultry markets.
The meatpacking business in particular is highly concentrated, with four companies — JBS, Cargill, National Beef and Tyson Foods — controlling more than 80% of the U.S. beef processing market.
“This all fits hand and hand in the agriculture and food chain more broadly as we move into this more technological world,” said Trey Malone, an agricultural economist and assistant professor at the University of Michigan. “Now one attack impacted tens of thousands of animals.”
Put another way, JBS being forced to stop or curtail production for about three days at one point stopped the U.S. Department of Agriculture from publishing wholesale prices for beef and pork that markets count on a daily basis, Malone noted.
The company’s troubles caused headaches for JBS feedlots trying to deliver cattle as well as for those buying its beef, but did not persist long enough to reach consumers, offered Jordan. “We were a couple or three more days from hitting that kind of problem here.”
Wholesale beef prices surged to near record highs during the pandemic, with the JBS attack proving to be “an important event for about three days, but next to nothing compared to the crazy events we had last year,” Malone added of pandemic-driven plant closures.
The fact that JBS was able to get back online quickly is evidence they had preparations in place for getting back online, something White finds encouraging.
The Colonial Pipeline attack in May fueled gas shortages at stations in several states, and drew national attention even as a series of ransomware attacks had played out without garnering much iof the spotlight.
While Colonial was in the news, for instance, San Diego-based health system Scripps Heath was in the throes of a three-week systems outage caused by a cybersecurity incident that crashed its patient portal. In another recent attack, Molson Coors in March suffered a systems outage that disrupted operations and shipments earlier this year, the beer maker said in a regulatory filing.
Insurance giant CNA Financial also recently paid $40 million to reclaim control of its network, according to Bloomberg News. Yet that attack didn’t spur the same public scrutiny as whento get its systems back up and running.
“Ransomware is a business”
Society’s reliance on technology was in play again Tuesday morning asincluding the New York Times, CNN, Twitch and the U.K. government’s home page were unavailable until Fastly fixed the problem nearly an hour later. The impact of the disruption underlines the relative fragility of online architecture and its reliance on big tech companies, as opposed to a more decentralized model.
Regional disruptions don’t draw the same national attention as messing with companies in a way that seemingly threatens two things Americans hold near and dear — gasoline and hamburgers — and may prove to be a tactical error, at least from folks whose primary goal is to extort as much money as possible, according to White.
“Ransomware is a business, it’s a criminal enterprise, and it’s easy to say the attackers in these two cases have made a strategic mistake” in drawing national attention and probable resources to preventing further attacks, according to White. “They got themselves in the crosshairs of the U.S. government, when from a strategic perspective it’s in their interests to fly under the radar.”
U.S. intelligence and law enforcement have said that ending hacking attacks is now a national security priority, and Congress is also weighing a move to legislate mandates that industry has for years successfully opposed.