Let me tell you a scary story. In this story, a shadowy hacking group with Russian-sounding accents inserts malware into the computers of one of America’s most important pieces of infrastructure, a pipeline responsible for carrying as much as forty-five percent of America’s refined gasoline products. The group demands a ransom in exchange for fixing the pipeline. In the meantime, gasoline transit up the Eastern seaboard of the United States grinds to a halt. The government refuses to say whether they’ve advised the owners of the pipeline to pay the ransom. Lines of cars wait outside gas stations for scarce supplies, and drivers resort to filling any container on hand to stockpile gasoline.
You’d be forgiven for thinking it’s the plot of a new Die Hard movie. Quick, send in Bruce Willis to crawl through the pipeline and defeat the hackers!
But while the broad particulars of this story are correct — the Colonial Pipeline was indeed the victim of a ransomware attack which halted transit and caused gasoline shortages up and down the East Coast of the United States — the sensationalism with which the story has been presented in the media is problematic. Sure, it’s tempting to blame shadowy hackers for the shortages. But the real culprits are far less sexy: poor cybersecurity, outdated government regulations, and you.
Let me explain.
THE REAL CULPRITS
First up, hackers targeted the computers that run the complicated equipment necessary to keep the Colonial Pipeline flowing. The group, DarkSide, is known for its ransomware attacks, a kind of cyberattack which locks up your computer until you pay a ransom to have the attackers unlock it. Despite some speculation about Russian military intelligence, the attackers seem to be primarily a criminal group. They also appeared to be largely ignorant of the chaos they were about to cause, releasing a statement suggesting that they were apolitical. It’s rather too late for that, of course, as they’re about to enjoy the full attention of the US government.
But much of the blame also goes to the people managing the Colonial Pipeline’s computer systems, which a computer forensics company described later as having “an overall lack of cybersecurity sophistication,” and containing “numerous potential risks.” In addition to other vulnerabilities, Colonial was still running an outdated version of Microsoft Exchange that was revealed several months ago to have been used by Chinese hackers to target US businesses.
It’s a reminder that one of the biggest problems with cybersecurity isn’t malevolent foreign government actors, but simply getting companies to take the threat seriously and commit the necessary resources. Patch your computers, kids.
Second, the ransomware attack caused Colonial to halt the flow of gas products through the pipeline in an attempt to minimize any damage. The result has been shortfalls in gasoline products in cities up and down the East Coast. But you might be wondering why the shutdown of one pipeline — even an important one — can cause such significant problems. After all, gas can also be transported by ship and by train; why not simply work around the problem?
Because, unfortunately, we can’t. Not because it’s technologically impossible, but because the Jones Act — an outdated 1920 law designed to maintain America’s maritime capabilities — means that you can only transport oil between American ports using ships that are built in America, registered in America, and manned by predominantly American sailors. This leads to strange distortions where it’s cheaper to ship oil from overseas than from Texas. And it makes it surprisingly hard for the market to respond in situations like this.
Third, for all the panic about gas shortages, the actual scope of the problem wasn’t initially particularly bad. Colonial is already in the process of restarting pipeline operations, albeit after paying a $5 million ransom to the hackers. But the pipeline was only shut down for a few days, not long enough to cause any serious problems. Unfortunately, that’s where human nature comes in.
Anticipating shortfalls — and egged on in many cases by hyperventilating local media — Americans started panic buying, filling their cars, and even hoarding gasoline in other containers. It was this panic buying that caused the consumer shortages, resulting in long lines at many gas stations. On Tuesday, one in five gas stations in metro Atlanta had run out of product. In short, if you filled up your car out of concern this week, then you contributed to the problem. Without that panic buying, the shortages likely wouldn’t have happened at all.
Ultimately, the pipeline shutdown is a cautionary tale of the damage that can be done by unscrupulous actors to critical infrastructure. But before you start framing it as a national security failure, remember that it really isn’t that simple. The sexy version of the story — the one where Bruce Willis swoops in to save the day from terrorists or criminals — doesn’t do a lot to help us figure out how to prevent this kind of incident in the future. Instead, it’s the boring story about regulations, maintenance, cybersecurity, and crisis messaging that’s more useful.
Emma Ashford is a columnist at Inkstick and a senior fellow at the Atlantic Council’s New American Engagement Initiative.