Tonight's T-Bone Steak Is Critical Infrastructure


In the past month alone, cyberattacks have been revealed on a French shoe manufacturer, a regional library in the U.S., and a Spanish delivery startup. They escaped widespread attention because the disruptions didn’t bring the supply of oil or T-bone steaks to a standstill.

JBS SA’s meatpacking facilities in the U.S. ground to a halt this week after a Russia-linked hacking group infiltrated the company, forcing all beef processing to be shut and impacting other facilities. Now we’re left to ponder whether a quarter of the nation’s meat ranks closer to hippie sports shoes or automotive fuel. That’s the wrong way to look at it. 

After a ransomware attack last month shut down the U.S.’s biggest gasoline pipeline, regulators and legislators rushed to Capitol Hill to implement new requirements. For more than a decade, oil companies and pipeline operators had successfully pushed back at attempts to implement stricter cybersecurity rules. As Ari Natter and Jennifer A. Dlouhy of Bloomberg News wrote, the U.S. Chamber of Commerce was among those opposing 2012 legislation that would force energy companies to tighten cybersecurity, labeling it heavy-handed and overly broad. 

Lobbyists may not have the upper hand this time around, but the fact that any one industry has the power to stymie legislation is evidence of the piecemeal approach being taken. This exposes the entire nation, indeed the entire world, to soft spots in defenses and will likely result in regulatory Whac-a-Mole that could last decades, allowing attackers to keep probing new targets.

Ransomware attacks, which lock computer systems before a ransom is paid, have climbed. Many of the operations we’ve seen in recent years have been undertaken using a similar set of tools developed by software engineers who have sold it on to the final users. They’re largely agnostic to the specific industry or nation in which the victim operates, which means target-specific solutions will do little to prevent future problems.

Instead, regulations should specify standards required across all industries, which would include monitoring and logging network activity, procedures for ensuring software is kept updated, and reporting breaches when they occur. A no-weak-links strategy can then help secure industries overseas by forcing any company that operates in the U.S. to meet American standards. JBS, for example, is a Brazilian company yet this recent outage also impacted operations in Australia and Canada. 

There can be no doubt that a breach of nuclear power stations or military systems are more dangerous than most other incursions. Yet government officials, both regulatory and legislative, should not focus on one sector or another as critical and recognize that attacks on any one business — be it a local library or a health-care provider — are an assault on the entire U.S. economy.

The U.S. can make its cyber borders more secure, but not if leaders start playing favorites and lobbyists are allowed to exploit legislative weakness. 

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Tim Culpan is a Bloomberg Opinion columnist covering technology. He previously covered technology for Bloomberg News.

©2021 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.