Testing the limits of cyber security

The June 27 “NotPetya” cyber attack that disrupted business at Maersk Group for well over a week has been dubbed “the industry’s Y2K moment,” but that’s not accurate. Y2K was the threat to computer systems at the moment the year 1999 turned into 2000, and the fears never materialized. Closer analogies would be Brexit or, in an earlier age, Sputnik, when fears suddenly came true and perceptions were altered overnight in a fundamental way.

The industry now knows the cyber threat is real, but it’s a frustrating thing to know since it eludes easy solutions. For shippers, it is another form of supply chain disruption but unfortunately one — such as a container ship fire or a typhoon — over which they have virtually no control. At least with a potential dockworker strike or evidence of a carrier’s weakening financials, precautionary measures can be taken by diverting cargo.

Here, given the widely reported possibility that a determined and sophisticated state actor was behind the NotPetya attack, what is a customer to do to protect its supply chain? There is little that can be done other than to hold carriers and other vendors accountable for ensuring adequate cyber defenses. But even that may prove ineffective, as the best defenses may be no match for world-class, possibly state-sponsored hackers who are light years ahead of your average commercial enterprise, and often well ahead of world-class cyber security defenses protecting critical infrastructure.

The NotPetya attack was originally believed to be ransomware, but security experts now believe it was only masquerading as that to create havoc. It started by targeting Ukraine and spread globally from there using creative new ways of penetrating system defenses, specifically by being embedded within an otherwise legitimate software update. “I don’t know if any organization outside government or fintech is equipped to deal with something like that,” said Mike Simon, principal consultant with DefinedLogic.

But the reality that commercial companies such as ocean carriers are no match for state-sponsored hackers does not absolve them of responsibility to prepare for the next attack. It’s like the nuclear power plant or any other critical physical infrastructure that must keep out unauthorized individuals, but at the same time must rely on state defenses to prevent a determined terrorist attack. 

In the case of Maersk and all other participants in the ocean container chain, they will have no choice but to take the cyber threat much more seriously, which means everything from employing specialized hired guns to top-to-bottom training of staff to minimize preventable intrusions. Like airport security, these are necessary costs that can never be 100 percent effective, but that in the end are just that — costs, not investments. 

“It’s a shame that so much energy and recourse will have to be dedicated to something that doesn’t add any intrinsic business value,” said Simon, who sold his logistics technology firm ASI to Maersk in 2002 and subsequently worked in senior technology roles at Maersk, IBM, and Yusen Logistics before his current role at DefinedLogic.

That confronting cyber risk will now demand greater levels of attention, and particularly cost, from the industry significantly raises the stakes on the many current digitization efforts needing to pay off. If the view is that potentially promising technologies such as blockchain represent the next frontier in cost savings for the industry, now there is even greater urgency around actually making such technologies work in the real world. Not only has that not happened yet, but the industry has a sketchy track record in turning technology investments into growth, whether of revenue or profit.

The NotPetya attack, of which Maersk and its customers were only some of many victims across some 60 countries, simultaneously reveals the dark underside of digitization that now must be part of every digital discussion. Until now, the digitization discussion was positive if largely unfulfilled: how can digital technology reduce costs within the supply chain? 

Left undiscussed, whether by Maersk or others, was how any advance in digitization by definition enhances exposure to cyber attack. “They go hand in glove,” Simon said. “For every new process that you are automating or innovating, it will be necessary to put the other hat on and look at how someone can compromise this.”  

Contact Peter Tirschwell at peter.tirschwell@ihsmarkit.com and follow him on Twitter: @petertirschwell.