Written by: Tim Maurer | c.2023 Harvard Business Review
On May 7, 2021, a fateful Friday morning, Colonial Pipeline, the company running a critical fuel supply conduit for the eastern United States, experienced a ransomware attack. Unknown to the government, the company decided to shut down pipeline operations as they tried to determine what had happened and how bad the damage was. This move had severe consequences, transforming a cyber incident into a broader crisis within a few short days. Several thousand gas stations ran out of fuel and gas prices increased to their highest levels in nearly a decade.
The halt of operations disrupted fuel supply chains, leading to panic buying and subsequent shortages at gas stations across multiple states. Reports of long lines and soaring prices at gas pumps illustrated the real-world implications of cyber threats, underscoring the interdependence of our physical and digital infrastructures. It also reinforced the public’s run on gas stations.
In response to the escalating situation, the U.S. government took a series of decisive actions.
To calm the public’s reaction, the Secretary of Homeland Security, Alejandro N. Mayorkas, and the Secretary of Energy, Jennifer Granholm, addressed the American public from the White House podium on May 11, 2021. The press briefing room is a small room in the West Wing brimming with about 50 reporters, television cameras running in the rear. This is where media outlets gather to hold the U.S. government accountable for the American public by asking piercing questions of the most important issues that day — forming a formidable stage where essentially the entire world tunes in. The two secretaries outlined what the government was doing to mitigate the impact of the ransomware attack. They also appealed to the American public that “there should be no cause for hoarding gasoline, especially in light of the fact that the pipeline should be substantially operational by the end of this week and over the weekend.”
Lasting Implications
The geopolitical implications of the Colonial Pipeline ransomware attack were profound. In its aftermath, President Biden engaged directly with Russian President Vladimir Putin, underscoring the severity of the incident. This crisis also underscored the urgent need for more robust cybersecurity measures, particularly for critical infrastructure like Colonial Pipeline. It served as a stark reminder that cyber threats are not confined to the digital world; they can quickly spill over, causing widespread disruption and societal impact. Ultimately, the Colonial Pipeline incident was a watershed moment.
This single incident is still having ripple effects today, redefining the roles that CEOs and industry leaders play, and will shape how we think about cybersecurity for years to come. It also points to some important questions business leaders need to ask themselves and highlights how a cyber incident can escalate quickly to a national security crisis requiring the attention of the U.S. president. Just imagine what could have happened if another, similarly impactful ransomware attack would have occurred in the U.S. in late February or early March 2022, only days after Russian troops further invaded Ukraine.
One ripple effect is how CEOs are thinking about their roles and responsibilities. The CEO of Colonial Pipeline, Joseph Blount, told members of Congress that paying the roughly $4.3 million in Bitcoin as ransom was “the hardest decision made in my 39 years in the energy industry.” Whether to pay the hackers and further fuel the criminal cycle of ransom demands or risk significant disruption or even bankruptcy is an impossible choice.
CEOs have clearly taken notice. Few would enjoy the Road to Canossa to Washington and being in the Congressional and media spotlight. What have we learned from this and other key incidents over the past two years? Here are six recommendations for CEOs:
1. Be Careful How You Communicate With The Public
A run on banks is a classic example of how the public’s reaction and group psychology can make a crisis worse. The run on toilet paper during the COVID-19 pandemic and the run on gas stations following the ransomware attack highlight that this problem is not limited to financial institutions.
Being careful how and what you communicate to the public does not mean avoiding communication with the public; on the contrary, it is a necessity. However, companies need to take a thoughtful approach. As the Colonial Pipeline incident illustrates, this includes companies that rarely have to engage with the public as part of their day-to-day operations but may need to unexpectedly from one day to the next.
2. Coordinate With The Government
Colonial Pipeline’s decision to shut off its pipeline system needed to happen fast, but there was arguably enough time to consult with U.S. government experts. Taking the pipeline system offline meant that, regardless of whether it was infected, it would take days to restart, disrupting the actual fuel supply with all of its consequences that required government action. Coordination with the government is key to avoid a crisis becoming worse unintentionally.
3. Know Whom To Contact
To make informed decisions quickly and coordinate with the right people, CEOs need to know who in the government is the right contact. Contacting NATO or the military, as some anecdotes over the years suggest, is not the right answer.
With that said, sometimes the government doesn’t make it easy for external parties to identify the appropriate person or agency, so the government has a responsibility to provide clarity.
4. Have A Plan In Place And Exercise It
This is perhaps the most crucial point as it provides a vehicle for accomplishing the others. In addition to developing and having a plan — ideally overseen by the CEO — the plan should be practiced at least once a year. Regular tabletop exercises will help company leadership and staff to build the “muscle memory” needed to respond effectively in a real crisis.
5. Know Your Networks
A CEO should ideally have a high-level understanding of how a company’s business IT networks and operational technology (OT) networks interact. If systems are air-gapped, there is no need to shut down the OT network if the compromise is limited to the IT network.
With that said, the ransomware attack against Colonial Pipeline has demonstrated that even the paralysis of business IT networks can have significant impacts. If a company can no longer issue invoices, and does not know who its customers are, or how to contact them, the actual impact can be as disruptive as actually bringing production to a halt. For any reader who has been stranded at an airport because an airline’s IT system was suffering an outage, you have experienced the disruptive impact first-hand.
6. Be Humble And Seek Expert Assistance
Cybersecurity is a broad term covering a highly complex problem set. While there are commonalities and some software is used across sectors, the cybersecurity of pipelines is vastly different from cybersecurity in the context of the financial sector, hospitals, schools, or railways. One key insight after years of cyber incidents spanning sectors is to acknowledge the limits of everyone’s knowledge, including cybersecurity experts’ knowledge. CEOs should therefore not hesitate to seek help from outside a company to help develop, test, or refine a plan or review existing processes and policies.
Beyond these high-level recommendations, there are plenty of other resources, including guides and checklists for CEOs, board members, and CISOs that are more detailed. The U.S. government, namely its Cybersecurity and Infrastructure Security Agency (CISA), also provides Stopransomware.gov and Shields Up as resources designed for companies to use depending on their level of cybersecurity maturity.
Business Leaders As Guardians Of Trust
Beyond strengthening a company’s cybersecurity out of self-interest and to avoid a national security crisis, business leaders also play a bigger role and can be considered guardians of trust in technology overall. Fundamentally, cybersecurity revolves around trust. Ransomware and numerous other cyberattacks exploit this trust. They leverage instances where someone clicks on an untrustworthy link, downloads an attachment from an unknown email address, or receives a malicious software update.
This principle extends to a company’s trust in the technology underlying its systems, drawing geopolitics back into the discussion. The role of Chinese companies with respect to the 5G network has been a central topic for several years now. It marked the beginning of a broader debate about how to consider risk when investing in, purchasing, and using technologies. The U.S. government’s concerns over some technologies emanating from the People’s Republic of China are well known. Simultaneously, in Brussels and other European capitals, an active debate is underway about “de-risking,” influenced by the lessons learned from Russia’s invasion of Ukraine and Europe’s dependence.
Business leaders are at the center of this debate because they are the most important guardians of trust in technology. What technology companies decide to invest in and how they weigh cost against other benefits such as greater security and trust will determine a society’s overall resilience at large.
A Self-Check For CEOs
Many have warned over the years of the growing cyber threats and some have offered thoughtful advice for how to strengthen an organization’s protection and resilience. Three questions can help determine whether enough has been done to complement the aforementioned recommendations:
— Have you participated in a cyber tabletop exercise recently?
— Do you have the contact information of your chief information security officer saved somewhere other than your work phone or computer? (Remember, if your company’s networks suffer a ransomware attack, your work devices may be inaccessible.)
— Do you know your point of contact in government in case of a cybersecurity incident?
If the answer is “no” to any of these, then reading this article will hopefully inspire some follow-up action — it will help better protect your organization and may prevent a future national security crisis.
———
Tim Maurer served as the cybersecurity advisor (official title: “Senior Counselor for Cybersecurity and Emerging Technology”) to the U.S. Secretary of Homeland Security, Alejandro N. Mayorkas, from February 2021 till April 2022, and subsequently at the White House National Security Council until May 2023. He was a member of the Biden-Harris Transition Team. He has left the U.S. government and is no longer a member of the Biden-Harris Administration. He is a Senior Fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace. The views expressed in this article do not represent the views of the Biden-Harris Administration, the National Security Council, or the Department of Homeland Security.
For more great articles, go to HBR.org.
c.2023 Harvard Business Review. Distributed by The New York Times Licensing Group.
