After the hoarding of toilet paper – here comes gas in plastic bags

Leave a comment
SvD Näringsliv

This column was first published in SvD Näringsliv, in Swedish, on May 17th, 2021.

Residents who bunkered gas in plastic bags. Oil prices rose. The hacker attack in the US not only acts as an eye opener on how vulnerable society is to cyber attacks – but above all on how unprepared many people seem to be.

“Software is eating the world”. That’s how the venture capitalist Marc Andreessen began a now legendary essay in the Wall Street Journal in 2011. Not a day goes by in Silicon Valley without the expression being repeated in some context. His point was that basically all areas of the world would be affected – and in some cases revolutionized – with the help of software. The last ten years has in many ways proved him right. Last week it happened again.

In the city of Alexandria, Virginia, gasoline suddenly ran out after residents began stockpiling fuel, much like many people did with toilet paper at the beginning of the pandemic. It is easy to laugh at the fact that American authorities officially stated that “plastic bags should not be filled with petrol”, but in fact this was just another proof of Andreessen’s thesis. The indirect reason why the situation arose was, in fact, software.

The company that operates the Colonial Pipeline, the largest oil pipeline in the United States, had been subjected to a cyber attack, which stopped the supply of gas for six days and made the price of oil rally. A wake up call for how vulnerable the United States is, according to the US Minister of Transportation, Pete Buttigieg.

The Colonial Pipeline is not alone in being hit. The number of ransomware attacks – the type of attack that locks a computer or IT system and requires an unlocking fee – has doubled in just one year.

Like the security policy expression “we do not negotiate with terrorists”, it is sometimes said that one should not negotiate with hackers either. But the numbers speak a different language. By 2020, hackers are estimated to have earned at least $350 million through extortion – an increase of 311 percent in just one year. The real figure is also probably much larger, not everyone wants to publicly acknowledge that it has happened to them.

The reason why the attacks increase so much is simply because they are profitable. Colonial Pipeline paid $5 million to reopen.

One can wonder why authorities and companies have not gone further in preventing these attacks from hackers. There are many factors to consider, but here are three possible explanations:

Firstly, it may be that large parts of the business community are increasingly using software, but lack any real experience of managing IT security. Inadequate routines, albeit temporary, can be all that is needed to make oneself vulnerable.

It may also be because many companies have old and outdated systems that are expensive to administer – that they have a so-called technical debt. These systems can be vulnerable only by the way they are designed, and would preferably need to be replaced completely.

In addition, hackers, like cybersecurity, have become much more sophisticated than before. An example of this is the emergence of EKANS, a ransomware virus from 2019 that was created specifically to attack industrial systems.

However, the intentions between different hackers differ. Darkside, the group behind the software used in the attack on Colonial, apologized, saying “our goal is to make money, not create problems for society” and that they are apolitical. This naive view of one’s own actions paints a picture that is more of an opportunist than a terrorist.

However, a lot of hacking is very much political. Both performed by individual states, but also protected by them.

Perhaps the big question that authorities, companies and individuals should ask themselves is not when it happens again – but when it happens to them? There is no indication that the attacks will decrease or disappear in the future.

In ten years, the number of IT attacks increased from 12 million to over 800 million, and Sweden is of course no exception. In November 2020, there was an extensive attack on several large Swedish companies, in addition, for example, Swedbank has had countless problems that have caused their services to be down. This doubles the exposure – you can be affected both by a careless push of a button in an email, or by the services you use.

What is needed going forward is an approach that assumes that companies and institutions will be attacked, rather than being surprised when it happens. Many companies are already there today. But when socially critical infrastructure can be knocked out – as in Alexandria, Virginia – it clearly illustrates that there is a long way to go before these risks are properly managed.

This column was first published in SvD Näringsliv, in Swedish, on May 17th, 2021.

Processing…
Success! You're on the list.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.