{"id":878,"date":"2021-05-28T23:30:48","date_gmt":"2021-05-29T03:30:48","guid":{"rendered":"http:\/\/commoncents.blogwyrm.com\/?p=878"},"modified":"2021-05-28T05:33:22","modified_gmt":"2021-05-28T09:33:22","slug":"the-economics-of-the-colonial-pipeline-incident","status":"publish","type":"post","link":"https:\/\/commoncents.blogwyrm.com\/?p=878","title":{"rendered":"The Economics of the Colonial Pipeline Incident"},"content":{"rendered":"

The recent cybersecurity incident involving the Colonial Pipeline<\/a> offers an incredibly rich vista for exploring a variety of economics concepts. Questions about what went wrong and how to prevent this in the future naturally dovetail with the fundamental questions of economics centering on scarcity, who produces, who consumes, and how much.\u00a0 This post will touch on the public\u2019s non-intuitive (and to many infuriating) behavior in response to the gasoline shortage, questions about market forces and corporate responsibility, and the role of regulation.<\/p>\n

But before getting to the analysis a brief recap is in order.\u00a0 The colonial pipeline provides a large percentage (approximately 45%<\/a>) of gasoline to the eastern United States ranging from the Gulf Coast (eastern Texas and Louisiana), through the south, up along the Carolinas, into the mid-Atlantic states, and into New Jersey and Pennsylvania.<\/p>\n

\"\"<\/a><\/p>\n

On May 7, 2021, the pipeline was the victim of a ransomware attack<\/a>, and the company halted all flow to mitigate the attack, which, reportedly, did not disable pipeline operations but infrastructure support<\/a> (e.g. billing).\u00a0 Even though the company almost immediately paid the requested ransom of 75 bitcoin, equivalent to approximately 5 million dollars, it took about 5 days to totally restore operations and at least a week beyond that for the entire system to return to normal. \u00a0\u00a0During the 12 to 14 days of the disruption, the entire customer base suffered, to varying degrees, long gasoline lines and a general shortage of gasoline.\u00a0 Stories about some individuals hoarding the supply surfaced along with widespread speculation about Colonial\u2019s vulnerability to cyberattacks, and as always, the role that government and regulation should play in these situations became a common topic of conversation.\u00a0 This post will content itself with only some of the highlights.<\/p>\n

Foremost of these was the public response to the scarcity of gasoline. \u00a0Once the pipeline shut down, it was only a matter of time before the amount supplied dropped and the price increased.\u00a0 Common wisdom argued that these price increases would trigger a drop in quantity demanded resulting in motorists in the effected area minimizing their trips in a car.\u00a0 This interplay between supply, price, and demand is the traditional prediction of classical economics thinking.\u00a0 What happened was a bit more intriguing.\u00a0 If reports are to be believed (as should likely be the case), as the amount of gasoline supplied went down and the price rose, the demand actually increased to a greater level than had been the case prior to May 7th<\/sup>.<\/p>\n

The most probable mechanic behind this paradoxical behavior (at lease according to classical theory) seems to be related to the prisoner’s dilemma<\/a>. \u00a0Each member of the gasoline-consuming public could have looked at the situation and said \u201cThis disruption won’t last long.\u00a0 One way or another gas supplies will increase soon and so I’ll cooperate with my neighbor; I will limit my gasoline purchases alleviate the crisis.\u201d\u00a0 However, as in the traditional prisoner\u2019s dilemma, there is a rational fear of being betrayed by other actors in the drama which pressures each participant to betray as well.\u00a0 Each person imagined the possibility of limiting their gas purchase and then came face to face with the fear that the supply of gasoline he really needed would be unavailable if his neighbor, thinking about the situation in the same way, reacted by rushing out to buy more gas than he absolutely required.\u00a0 This self-enforcing negative feedback, which looks to have actually happened, was labeled by the media as \u2018panic-buying\u2019 but it seems to be based on something far more rational than blind fear.<\/p>\n

The second interesting point to consider is if market forces could have been marshalled that would have led to a better outcome.\u00a0 Obviously, Colonial Pipeline had been vulnerable to this cyberattack but the reason for that vulnerability isn\u2019t forthcoming and, given the sensitive nature, is likely to never be fully known.\u00a0 Nonetheless, this lack of information shouldn\u2019t stop a vigorous analysis of what might have been done differently (although it should stop people jumping to conclusions \u2013 but it won\u2019t).\u00a0 The starting point will be the very practical question: did Colonial Pipeline take cybersecurity seriously?<\/p>\n

There are practical reasons why any business entity (individual, family, corporation, education institution, etc.) might actually choose to ignore steps to beef up its cybersecurity.\u00a0 As argued by Cormac Herley in his article entitled So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users<\/a><\/em>, security measures that cost more than the incident they intend to prevent are a non-starter.\u00a0 It is possible that Colonial Pipeline recognized the need for cybersecurity but could only afford so much and they knowingly and calculatedly set aside money for a ransomware attack.\u00a0 After all, ransomware attacks are meant to be annoying not debilitating and paying 5 million dollars occasionally may be more cost-effective than spending 30 million each year on IT.\u00a0 The group allegedly behind this has even stated that they had no intention of causing this much trouble precisely because trouble triggers investigations and they simply want money.<\/p>\n

\"\"<\/a><\/p>\n

There are always those amongst us who would argue that a company should \u2018do the right thing\u2019 regardless of cost but what, exactly, is the right thing.\u00a0 Would customers be willing to pay 4 cents more per gallon to ensure that this kind of thing would be far less likely in the future?\u00a0 Ask the motorist who was waiting in a 2-hour gas line the answer is likely to be yes but ask that same motorist now that the situation has returned to normal his answer will likely be no.<\/p>\n

Perhaps there is a way for Colonial to market their socially responsible position but that notion is farfetched.\u00a0 Most of us know our local gas stations not the company(ies) that they deal with to get gas in the ground for us to pump.\u00a0 Colonial would have to spend millions raising social awareness before they could even begin to recoup that investment and apply it to their efforts in beefing up their cybersecurity.<\/p>\n

Finally, there is the overall question of regulation given the optics of this event.\u00a0 The public seems to have acted irrationally and, at lease in some eyes, Colonial Pipeline was also irresponsible for lapses in security and being craven in paying the demanded ransom.\u00a0 No doubt some politicians are considering if this situation clearly invites government stepping in and declaring Colonial Pipeline as a public utility. \u00a0Arguments will surely surface that government needs to do more to ensure that companies keep current in their cybersecurity posture and, given the high-profile nature of this incident and the current ongoing federal involvement, future mandatory compliance seems certain.\u00a0 The regulatory burden that will result will likely be far more expensive than a thorough internal approach.\u00a0 This is the real bottom line incentive for \u2018doing the right thing\u2019; that the cure will be worse than the disease. \u00a0So, it seems that the Colonial Pipeline incident is literally the gift that keeps giving to professional economist.<\/p>\n

Scholars and theorists will be busy for decades analyzing every nook and cranny, from new variants on the prisoner\u2019s dilemma, to better market forces designed to incentivize corporate responsibility and the role that government regulation should play in cyberspace.\u00a0 Sadly, for the rest of us, it is a reminder of how the digital world of ones and zeros can have a big impact on the real world of dollars and cents.<\/p>\n","protected":false},"excerpt":{"rendered":"

The recent cybersecurity incident involving the Colonial Pipeline offers an incredibly rich vista for exploring a variety of economics concepts. Questions about what went wrong and how to prevent this… Read more ><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-878","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=\/wp\/v2\/posts\/878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=878"}],"version-history":[{"count":6,"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=\/wp\/v2\/posts\/878\/revisions"}],"predecessor-version":[{"id":886,"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=\/wp\/v2\/posts\/878\/revisions\/886"}],"wp:attachment":[{"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/commoncents.blogwyrm.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}