In June 2017, one of the most destructive and widespread cybersecurity attacks yet — codenamed NotPetya — immobilized companies and government agencies across the globe. The story of one company’s response to the attack demonstrates the value of leaving space for companies to adapt to emerging cyber threats. U.S. policymakers now considering etching one-size-fits-all cybersecurity policies into stone should heed the lessons from the shipping giant Maersk’s recovery.
A Wired report detailed how the attack rampaged through systems worldwide costing billions of dollars in damages. The story also details the entrepreneurial response of one of the hardest hit companies, Maersk. Its recovery demonstrates how human ingenuity, entrepreneurship, and organizational learning could hold the key to resilience from cyberattacks.
{mosads}The attack, part of the ongoing struggle between Russia and the Ukraine, was committed by a group of Russian military hackers. They released a piece of malware which spread beyond Ukraine within hours. It corrupted machines as far afield as Pennsylvania and Tasmania, crippled multinational companies such as Maersk and FedEx, and even spread back to Russia.
For Maersk, the world’s largest shipping container company, the damage was monumental. Data from its terminals across the world was wiped, meaning ships could not unload and new orders could not be taken. As a result, hundreds of trucks backed up at shipyards and ships stalled dead in the water with nowhere to go.
In the complex, evolving landscape of cybersecurity there is no silver bullet policy solution to prevent all cyberattacks. As such, building technological resilience into government and private operations is critical to the survival of organizations, allowing them to survive attacks and ensure that the same one will not cripple them twice.
In the wake of NotPetya, Maersk’s leaders set up a recovery center at its IT headquarters in Maidenhead, England, flew in regional experts, housed them in every available hotel, and hired Deloitte to rebuild its global network. The company leveraged outside expertise and local knowledge from its own staff, working tirelessly to fix the situation and get the company up and running again. Workers were given free rein to use their specific knowledge to do what needed to be done to get their own sectors operational.
This recovery effort managed to locate backups of all servers apart from one essential layer of the company network: its domain controllers, servers that map the network and determine access.
However, the team located a singular copy of the domain controller which, thanks to a power outage several days before the attack, had been unable to connect to the network and remained untouched by the malware. Unfortunately, it was located in Ghana, where the bandwidth was so thin that a digital transfer would have taken days. Furthermore, none of the Ghanaian team had the required visas to travel with the hard drive to the UK.
Instead, British and Ghanaian employees flew into Nigeria for a hand over of the backup before it could be taken back to the crisis HQ. After a few days and the combined efforts of hundreds, Maersk got its port operations up and running again, unloaded ships, and eventually took on new orders.
Although the existence of the offline backup was not intentional in this case, it demonstrates the importance of one particular aspect of resilience against cyberattack: redundancy. Building redundancy into network security adds an extra layer of protection should anything go wrong. The incidental existence of an otherwise-unnecessary copy of the domain controllers saved millions.
Organizational learning is also an important feature of resilience. In his address to the Davos World Economic Forum, Jim Hagemann Snabe, chairman of A.P. Møller-Maersk, reflected on what the company learned: “We were basically average when it comes to cyber-security … this was a wake-up call to become not just good — we actually have a plan to come in a situation where our ability to manage cybersecurity becomes a competitive advantage.”
The company’s near-paralysis demonstrates the importance of giving companies the space to adapt to emerging threats. Empowering entrepreneurs on the ground, introducing redundancy in the form of back-ups, and instituting processes for learning from cyberattacks are critical features of building resilience to future cyberattacks.
What can U.S. policymakers do to promote adaptability? Chiefly, they have the opportunity to specify resilience as an overt policy goal. By using their convening power to bring together key players at federal and local levels, policymakers can facilitate a conversation about the role of redundancy, learning and entrepreneurship in the face of such threats.
Anne Hobson is a program manager at the Mercatus Center at George Mason University. Alice Calder is a Mercatus fellow.