Digital Rust: Why a Legal Framework for Declining Infrastructure Cybersecurity is More Important Than Ever
By Joseph Squillaro
Joseph M. Squillaro is a member of the Class of 2022 at the University of Pennsylvania studying Philosophy, Politics and Economics (PPE) with a concentration in cyber policy and Internet law, and is both a writer and an editor for the Penn Undergraduate Law Journal.
While most of the United States was preparing to watch the Tampa Bay Buccaneers take on the Kansas City Chiefs at Super Bowl LV in Tampa, Florida, a far more sinister scene was unfolding a few miles away in the small bedroom community of Oldsmar, FL on February 5th, 2021. At the municipal Bruce T. Haddock Water Treatment Plant, responsible for providing the town with fresh drinking water, a skeleton crew was assigned that Friday night, a shift typically as uneventful as the taste of water itself. Little did these employees know that the plant was under attack, not by a physical intruder but by a digital one who was able to take over the plant's controls via the internet. Covertly, malicious hackers gained access to the plant's Windows 7 computer systems through TeamViewer, a tool typically used to give employees remote access, especially during the COVID-19 pandemic. Typically, this type of attack would be stopped by modern antivirus software, but the operator was running a significantly older operating system that had never received the necessary security patches. Furthermore, plant personnel had received no adequate training on how software like TeamViewer could pose a risk. From there, because the computers and the plant control system were not air gapped (a security practice in which two systems are kept physically and digitally disconnected to prevent unauthorized access), the hackers were able to reach the Supervisory Control and Data Acquisition (SCADA) system and raise the lye concentration (lye, the active component in drain cleaner, is used in small quantities to remove metals in wastewater) from 100 parts per million to 11,100 parts per million. Had it succeeded, the trusted tap water of Oldsmar would have become incredibly deadly. Luckily, an astute worker noticed the toxic change, took the system offline and reverted the lye concentration.
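The incident above turned on a single setpoint write (100 ppm raised to 11,100 ppm) that nothing in the control path refused and that only a watchful operator caught. The following is an added illustration written for this article, not code from the Oldsmar plant or from any SCADA vendor: an independent guard that checks every dosing setpoint command against engineering-approved bounds and a maximum step size before it is applied, and raises an alert otherwise. The tag name, the limits and the sample commands are all constructed for the example.

```python
"""Independent setpoint guard for a chemical dosing loop (added illustration).

Example written for this article; not code from the Oldsmar plant or any
SCADA product. It shows the kind of bounds and rate-of-change check that
would flag (or block) a write like the one described above before it
reaches the chemical feed pumps. Tag names, limits and sample commands
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SetpointLimits:
    low: float        # lowest engineering-approved setpoint
    high: float       # highest engineering-approved setpoint
    max_step: float   # largest change permitted in a single command


@dataclass(frozen=True)
class SetpointCommand:
    tag: str          # hypothetical SCADA tag name
    value: float      # requested setpoint (here, ppm)
    source: str       # origin of the write (HMI console, remote session, ...)


# Constructed limits for a hypothetical lye (NaOH) dosing loop, in ppm.
LIMITS: Dict[str, SetpointLimits] = {
    "NAOH_DOSE_PPM": SetpointLimits(low=50.0, high=200.0, max_step=25.0),
}


def evaluate_command(cmd: SetpointCommand, current: Optional[float],
                     limits: Dict[str, SetpointLimits]) -> Optional[str]:
    """Return None if the command is acceptable, otherwise an alert string."""
    lim = limits.get(cmd.tag)
    if lim is None:
        # Unknown tags are rejected rather than silently passed through.
        return f"{cmd.tag}: no approved limits configured; write rejected"
    if not (lim.low <= cmd.value <= lim.high):
        return (f"{cmd.tag}: {cmd.value} ppm outside approved range "
                f"[{lim.low}, {lim.high}] (source={cmd.source})")
    # The first command for a tag has no previous value to compare against,
    # so only the range check applies to it.
    if current is not None and abs(cmd.value - current) > lim.max_step:
        return (f"{cmd.tag}: step of {abs(cmd.value - current)} ppm exceeds "
                f"max_step={lim.max_step} (source={cmd.source})")
    return None


def run_guard(commands: List[SetpointCommand],
              limits: Dict[str, SetpointLimits] = LIMITS
              ) -> Tuple[List[SetpointCommand], List[str]]:
    """Apply commands in order; only accepted values update the current setpoint."""
    current: Dict[str, float] = {}
    accepted: List[SetpointCommand] = []
    alerts: List[str] = []
    for cmd in commands:
        alert = evaluate_command(cmd, current.get(cmd.tag), limits)
        if alert:
            alerts.append(alert)
        else:
            current[cmd.tag] = cmd.value
            accepted.append(cmd)
    return accepted, alerts


# Constructed sample: two routine operator adjustments, then a jump like the
# one in the article (100 -> 11,100 ppm) arriving over a remote session, then
# an in-range value that is still too large a single step.
SAMPLE_COMMANDS = [
    SetpointCommand("NAOH_DOSE_PPM", 100.0, "hmi-console-1"),
    SetpointCommand("NAOH_DOSE_PPM", 110.0, "hmi-console-1"),
    SetpointCommand("NAOH_DOSE_PPM", 11100.0, "remote-session"),
    SetpointCommand("NAOH_DOSE_PPM", 160.0, "remote-session"),
]

if __name__ == "__main__":
    accepted, alerts = run_guard(SAMPLE_COMMANDS)
    for a in alerts:
        print("ALERT:", a)
    print("accepted setpoints:", [c.value for c in accepted])
```

On the constructed sample the guard accepts the two console adjustments, rejects the 11,100 ppm write as out of range, and rejects the later 160 ppm write because it moves the setpoint by more than 25 ppm in one step. The point of placing such a check outside the HMI and the remote-access software is that it keeps working even when, as in Oldsmar, the operator workstation itself has been taken over.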
While this situation had a positive outcome for Oldsmar, it could have become significantly worse, and despite an FBI investigation, no credible leads were found to hold the would-be murderers accountable. This incident brings to light the scary reality that our infrastructure systems, which rely increasingly on internet-connected computing, are vulnerable to cyberattack, and that there is little to no effective regulatory policy for infrastructure operators who are negligent in maintaining their cyber defenses.
By Joseph Squillaro
Joseph M. Squillaro is a member of the Class of 2022 at the University of Pennsylvania studying Philosophy, Politics and Economics (PPE) with a concentration in cyber policy and internet law.
In the past few years when visiting various websites, how many times have you encountered a salient prompt asking you to accept "cookie" permissions or to select which types of data the website may retain? I know I personally have seen more than I can count. Yet prior to 2018, you likely would not have seen any such prompt, because it simply was not required, at least not in the European Union. That all changed when, on May 25th 2018, the European Parliament implemented a sweeping set of cyber reforms collectively known as the European Union General Data Protection Regulation (GDPR). The GDPR revolutionized the ways in which tech companies can collect and store your data. From that day forward, companies were required to ask your permission to save information to their servers in the form of the aforementioned cookies. This included details such as your navigation history for personalizing results or your IP address for providing location-specific content, among many other examples. This policy, on balance, is a great boon for the liberty of all users of technology: to have control over who stores your data and what kind of information they collect. But a large number of technology users, including myself, do not reside in the European Union, nor are citizens of any EU country, yet the prompt and the intention of the GDPR still apply to us. Why is this?