Colonial Pipeline Didn’t Have Multifactor Authentication in Place—And Most Defense Contractors Don’t Either

When Colonial Pipeline CEO Joseph Blount sat before lawmakers to explain the recent ransomware attack, he found them less sympathetic than they once were to companies that have found themselves victims of hackers. 

Rep. John Katko, R-N.Y., the top-ranking GOP member of the House Homeland Security Committee, said he appreciated “Colonial Pipeline’s identification of places where they are now hardening systems in response to the devastating ransomware attack in May, but this begs an obvious question. If your pipeline provides fuel to 45% of the East Coast, why are you only hardening systems after an attack?” 

Rep. Bonnie Watson Coleman, D-N.J., was more direct. She called out Colonial Pipeline’s delay of voluntary Transportation Security Administration cybersecurity reviews, pointing out that “delaying these assessments for so long amounts to declining them.” 

Still, these reactions are more muted than you might expect given the total disregard most companies—even those responsible for critical infrastructure like Colonial Pipeline—have for the most basic cybersecurity standards. 

Certainly, we shouldn’t be blaming the victims of cyberattacks. Even organizations with the best security can fall victim. But Colonial Pipeline didn’t have multifactor authentication in place on the account that was ultimately the weak point that hackers exploited. Of course, multifactor authentication alone won’t necessarily thwart attackers, but the fact that such a basic precaution was missing should raise a lot of alarm bells. 

But it’s not uncommon. Companies of all sizes in the defense industrial base often don’t have multifactor authentication in place, even though they were legally required to so six years ago. A CyberSheath look into the networks of 600 such companies found that 71% lacked the level of multifactor authentication required. 

That wasn’t the only issue. Looking at the Supplier Performance Risk System score for those companies is even more alarming. A company following every protocol and best practice to the letter would score a perfect 110. A company with nothing in place would score a -203. The average score across the 600 companies we looked at? -125. 

Some 66% of companies lacked appropriate access controls to protect controlled unclassified information, 69% failed to establish and enforce security configuration settings, 69% didn’t test their organization’s incident response capability, and 74% didn’t mark media with the proper markings and distribution limitations. 

And those are just the most common oversights. We’ve seen decades-old operating systems that are no longer supported or patched, CFO passwords that are essentially “password123,” and on and on. 

The fact that none of this is surprising or new is the problem. I testified before Congress about the challenges facing defense contractors in meeting security minimums a decade ago, affirming that minimums were the right thing to do. The law requiring them was passed in 2015, mandating NIST cybersecurity best practices. Defense contractors were legally bound to comply by December 2017. And yet, here we are. 

For more than six years, hundreds of thousands of commercial companies in the defense industrial base have been legally required to have these basic protections in place, yet we’re still hearing about how difficult and expensive it will be to implement them. 

One positive is that there has been incremental progress. Cybersecurity minimums were first established but not mandated. Then they were mandated but not verified. We’ve seen the results of unverified compliance: There is none. It’s time to start verifying. 

The way forward is to tie revenue, tax credits or some other business incentive to compliance. That’s the only way you’re going to get businesses to finally take cybersecurity seriously. 

Eric Noonan is the chief executive officer of CyberSheath and served as a Marine and in the CIA.