Delicate Giants
This is the 18th installment of 774: Weekly lessons from history about science, technology, and innovation.
Next Week:
Who Here Can Make Semiconductors?
This Week:
Delicate Giants
As Western European nations go, Denmark has had a less notable effect on recent history than some of its neighbors. Its imperial colonies were smaller, did not last nearly as long, or were taken over by countries such as Britain, Spain, and Germany. Much of its international commerce isn’t well known, save the immortal love children everywhere have for LEGO. The other exception to Denmark’s tradition of relatively understated international influence is A.P. Møller-Maersk.
If you’ve driven past tractor trailers on the highway or a large container ship on a river, you’ve certainly seen the name “MAERSK” emblazoned on the side of a shipping container. Maersk is the largest shipping company in the world. In 2020, Maersk shipped 4.1 million TEU. TEU is a shipping measurement that roughly equates to the storage capacity of a single one of those ISOs (also called a conex or cargo shipping container, depending on what you do for a living) on board a cargo ship. To put some gravity to this number, consider two things. The first is that 90% of the world’s goods are still transported by sea at some juncture. One might believe that planes are heavily utilized, and to a degree they are, but international logistics still primarily relies on ships like the ones Maersk operates. The second fact that you need in order to put this number into perspective is that the top ten largest shipping companies in the world shipped roughly 20 million TEU in 2020. In other words, Maersk was responsible for nearly 18% of the goods shipped in the world.1 You’re likely in the room with something that was in one of those large Maersk boxes right now. Maersk has extensive reach to the entire world in a way that few organizations do. Companies, individuals, and governments depend on timely service from the shipping giant. What happens when the giant can’t do its job?
The world got a startling answer to that question in 2017 thanks to some hackers in Kiev. Andy Greenberg recounted the havoc that ensued in the Maersk IT department in his book Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers2:
…on the afternoon of June 27, 2017, confused Maersk staffers began to gather at that help desk in twos and threes, almost all of them carrying laptops. On the machines’ screens were messages in red and black lettering. Some read “repairing file system on C:” with a stark warning not to turn off the computer. Others, more surreally, read “oops, your important files are encrypted” and demanded a payment of $300 worth of bitcoin to decrypt them.
Across the street, an IT administrator named Henrik Jensen was working in another part of the Maersk compound, an ornate white-stone building that in previous centuries had served as the royal archive of maritime maps and charts. (Henrik Jensen is not his real name. Like almost every Maersk employee, customer, or partner I interviewed, Jensen feared the consequences of speaking publicly for this story.) Jensen was busy preparing a software update for Maersk’s nearly 80,000 employees when his computer spontaneously restarted…
…Jensen looked up to ask if anyone else in his open-plan office of IT staffers had been so rudely interrupted. And as he craned his head, he watched every other computer screen around the room blink out in rapid succession.
“I saw a wave of screens turning black. Black, black, black. Black black black black black,” he says. The PCs, Jensen and his neighbors quickly discovered, were irreversibly locked. Restarting only returned them to the same black screen.
All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk’s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed by the still-mysterious malware, to spread the warning to other sections of the building.
The malware that brought Maersk’s operations to a grinding halt is called NotPetya. NotPetya spreads automatically, indiscriminately attacking Microsoft Windows-based systems.3 The Russian hackers who attacked Maersk did not have explicit ill will towards Danish maritime workers, but instead released the malware in a Joker-esque desire to watch the world burn. NotPetya was purely an agent of chaos. Even the extortioner’s prompt to regain use of the device in exchange for $300 of bitcoin did nothing. NotPetya, and other malware like it, are worrying, but they are not the point of this article. The point is how deeply vulnerable the shipping industry is to attacks such as the one on Maersk in 2017, and the snowball effect this has on the entire world.
The threat from malware isn’t particular to the shipping industry. Malware such as NotPetya remains a threat mostly because of outdated technology patches and human error. The Maersk attack could have been avoided had those two factors been more tightly controlled. Firstly, NotPetya was enabled by a weakness in Microsoft software called EternalBlue. Prior to the attack, Microsoft released a patch that would prevent the EternalBlue weakness. The patch was there, but just as you might kick an iPhone update down the road, the same can be done for an update on company technology. In this case the delay on one computer left a gap in Maersk’s scales. In addition to technological weakness, human error is foundational to the success of malware. It hasn’t been publicized how the virus entered Maersk’s computers, but it was most likely some form of phishing, possibly through a click of a seemingly innocent link in an email. These risks apply to any company, but are particularly worrying when considering a shipping giant such as Maersk.
A manufacturer, for example, has operations that almost certainly rely on working software, but the effect of a delay to its business is, globally speaking, small. The example company may produce a mechanical part which it ships to Ryobi, which uses it in its power drills and in turn ships the completed drills to Home Depot for sale. Yes, a crippling malware attack on the small manufacturer will have cascading effects from one company to the next, but where shipping companies differ is the way such cascading effects could shut world commerce down. At any given time, Maersk’s 700 ships are hauling goods from one country to another, one supplier to a wholesaler. When Maersk shuts down, the list of companies who also have their business immobilized would be difficult to quantify. The runoff from malware attacks on shipping companies is particularly dangerous, and a shipping company’s susceptibility to malware attacks is also particularly high.
Ships, especially the massive tankers that companies like Maersk operate, exist at a strange nexus of old infrastructure and modern technology. For example, computers on board ships have ports that can accept flash drives. If malware spreads to one of these flash drives and it is plugged into a USB port aboard a ship, it can infect the main terminal. Such a scenario took an oil rig in the Gulf of Mexico out of commission for 17 days. Human mistakes such as these can cause random chaos for shipping companies and their customers purely by chance. Imagine if these weaknesses were intentionally exploited. The Port of Antwerp was the subject of such an attempt when a group of cocaine smugglers wanted to leverage the weakness to get their supply into the country. The smugglers compromised the port’s computers and scrambled the scheduling of ships being offloaded and manifests being checked in order to bypass customs. The most frightening possibility that results from the insecurity of a ship’s computers is that an individual could access the on-board computers that control navigation and wrest control of the ship from its crew, which would mean technologically savvy pirates could steal entire vessels without ever forcibly boarding.
Amazon and other companies are spending unprecedented amounts of time and money on revolutionizing logistics4. The speed and cost of shipping things from one place to another have been decreasing steadily, but unless some of these risks are properly addressed, the Achilles’ heel that is shipping infrastructure remains a problem.
An aside about shipping in 2020 and 1582 from the Financial Times
In 2020, global trade could go on functioning more or less smoothly because it involved very few humans. A largely automated present-day container ship can carry more tons than the merchant fleet of an entire early modern kingdom. In 1582, the English merchant fleet had a total carrying capacity of 68,000 tons and required about 16,000 sailors. The container ship OOCL Hong Kong, christened in 2017, can carry some 200,000 tons while requiring a crew of only 22.
5
(4.1/20) * .90 = .1845