Below is my column on the recent Colonial Pipeline attack. President Joe Biden and his Administration (as well as the media) has referred to the actors as “criminals” and “hacker” but notably not “terrorists.” Many cyberattacks are forms of extortion. They seek money from businesses to release data. This is different. This was an effort to coerce a population; to cause economic chaos.
Notably, DarkSide announced that it would shutdown its operations after receiving the ransom, an announcement heralded by many. It is a dubious claim. First, the declaration serves assure the public and to tamp down calls for a global hunt for the culprits. Second, it is meaningless. Whether DarkSide continues as a moniker or as a functioning organization, we just paid off terrorists. We long maintained a policy not to yield to terrorism because it fuels more attacks. DarkSide and other such attacks have proven how ineffective we are in preventing such attacks or defying such demands. These are despicable people willing to cause deaths and social disarray, but they are also rationale actors. For the moment, cyber terrorism works and the success of this attack is not going to lead to a unilateral ceasefire from cyber gangs.
Here is the column:
We’ve heard calls in recent years for an ever-widening category of “terrorists” to encompass groups from the Jan. 6 rioters to antifa to the the Ku Klux Klan. So it is surprising that the White House and the media have referred to the Colonial Pipeline ransomware attackers simply as “hackers.” “DarkSide” is not just a collection of hackers — it’s a group of terrorists. And the only thing more concerning than the failure to label them correctly is the possible reason for not doing so.
From the White House to The Washington Post, the mantra has been uniform: Gas to the East Coast was cut off by hackers who demanded — and reportedly received — $5 million in ransom to give us back control of a critical pipeline. The White House not only called these individuals hackers but — when pressed about its position on paying the ransom — insisted it was just a decision for a private company. Deputy national security adviser Anne Neuberger said, “Colonial is a private company, and we’ll defer information regarding their decision on paying a ransom to them.” She and others in the Biden administration insisted the ransom payment was a “private sector decision” and said that “the administration has not offered further advice at this time.”
After the ransom was widely reported as having been paid and gas began to flow again, President Biden gave a “no comment” when asked if he was aware of the payment. It was a curious response since the media apparently knew. The company certainly knew, and, most importantly, DarkSide knew. Yet, the White House wanted to portray itself as a pure observer to a private decision on how to handle “hackers.”
The reason is obvious: Colonial just paid a ransom to terrorists. Moreover, gas pipelines are not just “a private company” but a highly regulated industry that closely follows the government’s directions.
The fact is that most of Washington wanted the company to pay off the terrorists because our East Coast was rapidly melting down over shortages. While The New York Times bizarrely issued (and later quietly deleted) a statement that the attack had not led to any gas station lines or higher prices, other news stories were filled with images of long lines, fights at pumps and cascading shortages.
The White House narrative has been to treat this as a type of cost of doing business for Colonial. The problem is that this is not some nuisance cost but a terrorist demand for payment.
While definitions vary, DarkSide meets key elements of terrorism crimes. Key provisions such as 18 U.S.C. 2331 focus less on the motivation of terroristic acts as opposed to the intent: “(i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping.”
Congress has extended domestic terrorism classifications to include drug gangs, but laws such as the Controlled Substances Act still refer to “premeditated, politically motivated violence.” The State Department uses the same definition to designate Foreign Terrorist Organizations. Even under Section 2331 “international terrorism” is defined as “violent acts or acts dangerous to human life.” Those definitions may have to be changed as groups seek to terrorize populations in economically motivated attacks. Cutting off fuel to an entire region threatens lives as well as the economy. While not defined as a “violent act,” cyber attack can cause direct fatalities by shutting off key power or access for vulnerable people and kill far more than some improvised roadside bomb.
Cyber terrorism can have either economic or political motivations or both. Indeed, DarkSide has claimed to use the money for charity and suggested it has policy goals. Moreover, such gangs can be enlisted or enabled by foreign powers such as Russia or Iran to carry out such attacks.
For those of us who have long opposed expansive definitions of terrorism, there remains a danger of converting everything from extortion to identity theft into terrorism. However, DarkSide clearly attempted to “intimidate or coerce” the entire population of the United States, and it succeeded. It used hacking as its means, but that does not change its status as a terrorist group — any more than the use of food poison would make al Qaeda a “food tamperer” rather than a terrorist organization. When you threaten an individual if they don’t pay you, you are an extortionist. When you seek to coerce an entire population, you are a terrorist — whether you claim to do so for Allah or for moolah.
Once you acknowledge that DarkSide is a terrorist organization, however, it is harder for the White House to shrug and dismiss this as merely a “private sector decision.”
We have long maintained a policy of not yielding to terrorists, and outsourcing ransom payments does not change the implications of this decision. DarkSide and other cyber terrorists now know they not only can succeed but can do so surprisingly quickly. Indeed, ransomware has been profitably used around the world for years with businesses. Indeed, my suspicion is that the vast majority of ransoms paid have not been made public by businesses but are known to the FBI. This incident, though, was different. It was designed to cause widespread social and political havoc among our population.
If the Biden administration did not want to pay terrorists, it could have used a wide array of powers to pressure Colonial not to pay. Colonial is tied into our infrastructure and largely exists by the grace of federal and state agencies. If Biden declared publicly that the company should not yield to terrorists, he would have presented no less of an existential threat to the company than DarkSide did.
It may be true that the Biden administration concluded we are defenseless to cyber terrorism despite years of ransomware attacks and hundreds of billions of dollars in cybersecurity programs. If that is the case, the public should be informed. The failure of Congress and our government to defend against such terror attacks is a national security failure of breathtaking proportions. The Colonial Pipeline attack was the cyber equivalent of Pearl Harbor. In both cases, we were caught unprepared and unable to deal with a threat we knew was coming. Yet President Roosevelt did not issue a “no comment” on the critical facts after the Pearl Harbor attack in 1941. Back then, we believed FDR when he stated in his first inauguration that “the only thing we have to fear is fear itself.” If we are going to defeat this new form of terrorism, we must first call it for what it is. Not fear it, face it.
What the Biden administration seems to fear most is public recognition that it is afraid — afraid of the vulnerability of our infrastructure, afraid that the public will learn what cyber terrorists already know.
This should not be treated as just another political dodge, however. During the 2020 election, Biden simply refused to share his views on key issues such as packing the Supreme Court. Yet this is a far more serious matter, and we do not have time for another study commission to give the president cover. We need to call DarkSide what it is — a terrorist organization — and to acknowledge what we did: We paid off terrorists. Then, perhaps, we can get some answers as to whether our country remains only days away from another meltdown due to a failure to defend against ransomware.
Jonathan Turley is the Shapiro Professor of Public Interest Law at George Washington University. You can find his updates online @JonathanTurley.
This column is an expanded version of the printed column.