Senate Cyber Hawk Calls for ‘Criminal Penalties’ for Negligent CEOs

Sen. Ron Wyden, historically a leading proponent of heightened cybersecurity governance in both public and private spheres, called for congressional action Wednesday around all private firms operating in critical infrastructure sectors, saying the recent network breach at one of the largest U.S. pipelines paints a dismal picture of the nation’s susceptibility to attack.

The cyber intrusion detected at Colonial Pipeline Co. over the weekend forced the shutdown of a vital pipeline stretching from Houston to New Jersey, which typically ferries more than 2.5 million barrels of fuel per day. On Sunday, The FBI confirmed the breach involved a criminal ransomware gang known as DarkSide, which cybersecurity experts have linked to Russia, though not directly to the Kremlin. The group itself issued a statement on Monday claiming the breach was financially and not politically motivated, and that it intends to work toward “avoid[ing] social consequences in the future.”

In a statement to Gizmodo, Wyden, chair of the Senate Finance Committee, said the attack underscores a “massive problem” at companies running the country’s critical infrastructure, saying “dangerously negligent cybersecurity” portends more crippling attacks in the future. Failures at the highest corporate levels pose a significant threat to national security, he said, adding that Congress should immediately force critical infrastructure companies to institute heightened security safeguards.

“For far too long Wall Street has racked up profits by cutting jobs in safety and security, even when it puts lives and the country’s economy at risk,” he said. “There must be serious civil and criminal penalties—with personal accountability for CEOs—for critical infrastructure firms with lax cybersecurity, and federal agencies should be conducting regular cybersecurity audits of these firms.”

Wyden added: “Any company so vital to our economy that a cyberattack can disrupt the lives of millions of Americans, should be regularly audited by the government so that our adversaries are not the first ones to discover cybersecurity weaknesses.”

The Oregon senator’s focus on the culpability of corporate officers is hardly out of left field. Wyden has previously introduced and sponsored several bills concerning data security seeking tough penalties for corporate malpractice, including, in the case of Silicon Valley, prison time for executives who mislead regulatory bodies about their data handling practices.

The biggest impact of the pipeline breach so far appears to be a spike in concern around the country’s ability to provide fuel to residents along the Eastern Seaboard. Panic buying in several Southern states, including Tennessee and Georgia, has provoked gasoline shortages and in some areas driven up prices. The price hikes have been relatively minimal so far, roughly equivalent to annual spikes seen usually during natural disasters.

On Tuesday, the Biden Administration waived shipborne fuel requirements implemented under the Clean Air Act to ease fuel shortages until normal supply in the region is restored.

Bloomberg reported this week that U.S. agencies, including the FBI and Cybersecurity and Infrastructure Security Agency, had joined forces with a group of private-sector firms to help mitigate the impact of the DarkSide attacks, which affected more than two dozen companies. The effort provided Colonial Pipeline a means to recover some of the stolen data, which had been bound for a server in Russia.

While not directly implicating the Kremlin, President Biden told reporters at the White House on Monday the Russian government bears at least “some responsibility” to address cyberattacks emanating from within its borders.