The seemingly robust criticism of the decision by Colonial Pipeline to pay the $5 million ransom to the hacker group thought to be behind the cyber-attack on Colonial fails to consider the implications that likely would have attended a decision not to pay.
Yes, it seems logical and simple to conclude that paying ransom in this fashion serves only to embolden and encourage future attacks from similar groups — some of which are state-supported by countries that seek to do us harm.
It seems that the cyber-attack focused on Colonial’s business systems, locking them out of their customer information as well as the IT system by which Colonial invoiced customers as product was removed from the pipeline. Those products were worth hundreds of millions of dollars — and they were not owned by Colonial.
Colonial’s business is transportation — it simply moves products from point “A” to point “B” through its pipeline system for an agreed-upon fee. If the information encrypted by the cyber-attack meant that Colonial could not identify what was in the pipeline, who it belonged to, what was removed at various locations, and how much Colonial was to be paid for its services, the loss of that data potentially threatened Colonial’s ability to stay in business.
It was likely that Colonial was insured against that kind of loss, and it would have been Colonial’s insurance provider that was actually focused on potential claims from Colonial and its customers over any losses caused by the cyber-attack. But payment of the ransom was an opportunity given to Colonial to mitigate its potential losses. A decision not to pay the ransom, and to incur the losses instead, could have set up a conflict under the terms of the policy between Colonial and its insurer. I suspect this was the process that the Biden Administration referred to as involving a “private sector decision.”
It is possible that Colonial got its insurer involved immediately upon realizing it was under attack. If I were in a position where that question was put to me, I would have recommended that they do so. The key consideration in the decision to pay or not pay — in a private sector environment — is “Who is going to be responsible ultimately for any loss that results?” Paying the $5 million, or risking a loss of data that might create claims on an insurance policy a hundred times larger than that, is a decision the insurer might want to be heard on.
If I were an insurance company executive faced with such a choice, I would have said “Pay the money.” That’s a fiduciary call on behalf of the shareholders of the insurance company.
What is the role of the federal government with regard to this decision-making process on that particular choice? I’m not sure there is one.
There is certainly a role for law enforcement, since Colonial was the victim of a crime. But the question of paying or not paying the $5 million was a matter of loss mitigation — a selection of what is hoped to be the least bad option.
I don’t really have a quarrel with the Biden Administration saying as much when it referred to it as having been a “private sector” decision. The implications of paying Darkside went beyond the rationalization that “paying hackers is a bad idea.”
Paying cyber extortionists, as a general proposition, is a bad idea. But if you are the business whose existence is threatened or the insurer with an opportunity to greatly reduce exposure to a claim, the cost of the cyber-attack is going to fall on your balance sheet or your shareholders. If you can avoid the loss by paying the hackers, your decision goes beyond the simple question of whether it’s a good or bad idea to do so as a general proposition.
So, you pay them.
Then you discontinue the insurance coverage for Colonial until they better secure their computer systems from cyber-attack. Or raise their insurance rates to cover the added risk, now that the vulnerability is exposed.
This is how the free market works best — Colonial will take the most cost-effective approach to prevent a recurrence in the future, so they can again obtain insurance against a mitigated risk.
The government can impose regulatory requirements when it comes to engineering a better operating system that is not vulnerable to outside penetration.
This needs to happen across all critical domestic industries.
“INFRASTRUCTURE” — not a misplaced concept, in this instance.