What The Ransomware Attack On Colonial Pipeline Means For The Industry
STEVE INSKEEP, HOST:
And let's turn now to Amy Myers Jaffe, managing director of the Climate Policy Lab at Tufts University's Fletcher School and the author of the book "Energy's Digital Future." Good morning.
AMY MYERS JAFFE: Good morning.
INSKEEP: And welcome back. Can you just describe for me what this pipeline is? We've been talking about it for a couple of days. We've said it runs to the East Coast. I have this vision of one gigantic pipe, but I have a feeling it's more complicated than that. What's it look like?
MYERS JAFFE: Well, no, I mean, it is a very, very large sort of artery pipeline. It has spurs off it. You know, if you think about - the word jugular is a good adjective for this in terms of the U.S. gasoline system. So if you're driving somewhere on the Eastern Seaboard in the United States or you're getting - still have your heat on, you're probably engaged with the Colonial Pipeline. It's a major thoroughfare for oil distribution.
INSKEEP: Yeah. I like that comparison, jugular. You're talking about the circulatory system. So it's got branches going all over the place. And then what do the computers do? What are they supposed to do, anyway, when they're not hacked?
MYERS JAFFE: Well, there's two sides of a business, like, in the oil industry, the same as any other business. You know, you have your billing software and your, you know, email and so forth, and then you have a system that is your safety and control system, which is supposed to be completely set aside so that it cannot be hacked from going from your business system to your operational system. But we have seen ransomware criminals jump the fence, so to speak. So that makes this a very serious attack, and it really has to be taken almost like an act of war. I think it's comparable - you know, without the horror of the deaths, it's, I mean, a little bit comparable to September 11. It's a wake-up moment. This is not a minor attack. This is not a nuisance hack. This is not a breach to security that has to be plugged. This is a major event.
INSKEEP: Should the United States be in a position where one piece of critical infrastructure provides 45% of the fuel to the East Coast of the United States?
MYERS JAFFE: Well, you know, we've seen the Colonial Pipeline, you know, knocked out by a flood, and so we had to do special events. We had to move gasoline around by ship. You know, you have to mobilize trucks. So it's not the first time we've had a problem with the Colonial Pipeline. I think really it's a much bigger issue today, Steve, because we have to consider, how do we get to the point of carelessness that such an important piece of infrastructure could be attacked? And, you know, whether it was attacked by a criminal gang or whether there was a state behind that criminal gang, you know, it's almost immaterial. It raises the question, are we prepared? And some of the numbers that I hear when we talk about the budget for cybersecurity in the United States, given the number of attacks we've seen in the world we're moving into - and I talk about this in my book, "Energy's Digital Future" - I mean, we are not prepared. It's a Sputnik moment. This is like a challenge to the United States, both on a security basis and just on our daily lives.
INSKEEP: Well, let's talk through that problem specific to the energy industry because here we're talking about private companies doing private business. But as you're pointing out, there are obvious national security implications. So how can the Biden administration or any U.S. administration work with private companies to improve security?
MYERS JAFFE: You know, there's been this very delicate balance. If you're a private entity and you hear that the U.S. government got hacked, you're, you know, pretty reluctant to have the U.S. government come in and look at your system or intervene in your system. So there has to be both a sort of educational part where you're collaborating on, you know, best practices. But it might be that we can't just leave it to chance the companies to provide the right kind of cyber services into their systems. It might be that we're not regulating companies well enough as to what the level of requirements are for cyber prevention on major equipment and on infrastructure that's of critical importance.
INSKEEP: Amy Myers Jaffe, research professor and author of the book "Energy's Digital Future," thanks so much.
MYERS JAFFE: Thank you. Transcript provided by NPR, Copyright NPR.