Claire Tills

Case Study: A.P. Møller-Maersk and NotPetya


A.P. Møller-Maersk's Chairman Jim Hagemann Snabe said on a panel at the World Economic Forum in January 2018 that "we were basically average when it comes to cybersecurity, like many companies, and this was a wake up call." He also said, "we chose a very open dialogue around this from day one." These two quotes illustrate a novel approach to framing and responding to a cybersecurity incident. This approach was successful for Maersk in that it has made it through the incident with its reputation intact, if not bolstered.

This will be a qualitative case study of Maersk's communication after many of its global systems and services were taken offline by the NotPetya ransomware/wiper incident. I chose this case to study because it stands out from more run-of-the-mill incidents (like Chili's for a recent example) for positive, rather than negative, reasons. Certain incidents have become so common that they barely go beyond local media attention and those that stand out usually do so because they are particularly egregious in some way.

This is one of the few cases where commentators almost unanimously laud Maersk’s response. Maersk became a sort of standard-bearer for the NotPetya incident. When NotPetya is referenced, its impact on Maersk is mentioned as a contextual reminder. It’s important to examine positive cases as much as negative ones (or as much as possible). We’ve been limited on positive cases to study, partially because they’re in short supply and partially because they don’t receive the same volume of coverage as the negative cases.

Methods

I took my standard approach of looking at the communication coming directly from the impacted organization and that coming from the media. For some context, I also looked at communication from second-order victims - the companies whose operations were disrupted by Maersk’s incident response. However, that isn’t included here for the sake of brevity.

First, I went through quarterly and annual reports published by Maersk in the time since the incident. Using the Wayback Machine, I looked at Maersk’s website from June 27 through August 11. I also watched the remarks of Jim Hagemann Snabe, Chairman of A.P. Møller-Maersk, at the 2018 World Economic Forum on the incident.

Themes

As I was reading these sources, I collected mentions of the incident into a single document. I sorted the mentions thematically. I'm going to focus on two of the larger-order themes: nothing mattered more than getting service back up for customers and letting others make bold statements.

Nothing else matters

Maersk's public communication focused almost exclusively on getting operations back up and running for customers. It wasn't trying to defend or bolster its reputation. Maersk's communication during and after the incident was factual, bland even.

Keep it bland

Most of the examples for this finding come from Maersk's quarterly and annual reports following the incident and the press releases that accompanied them. These reports focused on earnings, costs, and operations for the time frame.

What struck me most in these sources was how Maersk downplayed the incident. The annual report for 2016 states:

"The past year was unusual for A.P. Moller - Maersk, characterized by a cyber-attack and operational challenges in a few hubs. We succeeded in growing the revenue by 13%, improving cash flow and increasing underlying profits from a low 2016 base. However, the financial result shows that significant improvements are still needed. On the other hand, when we look at the strategic business transformation progress throughout the year has indeed been satisfactory.”

The cyber attack was lumped in with other "operational challenges" and characterized as "unusual." Probably not the words most people would use. This makes more sense when you think about the audience and context. These reports are meant for stakeholders and investors. The company wants to reassure those audiences. However, the intended audience is rarely the final audience. News articles cited these reports in their coverage so a larger audience was exposed to this version of the narrative.

Maersk's corporate messaging was focused on overall improvement. While some operations were "negatively impacted by the cyber-attack," (a phrase that appears four times in the annual report, and five in the Q3 2017 report) Maersk made a profit in 2017.

The underlying profit was positively impacted by the increased freight rates in Maersk Line compared to Q3 2016, however with a 2.5% decrease in volumes and increasing unit cost due to the cyber-attack and 26% higher bunker price.

As a matter of fact, the impact of the cyberattack was relatively concentrated according to these reports.

The effect on profitability from the June cyber-attack was USD 250-300m, with the vast majority of the impact related to Maersk Line in Q3. No further impact is expected in Q4.

These quotes are from after-the-fact reports which have the benefit of hindsight. However, this measured, bland communication style was also present in the incident response communication.

It became clear pretty quickly that something major was happening. The statement above from June 27 alludes to the cyber attack but doesn't reference the scale. It gives the audience the most important information in the context of their relationship with Maersk and only that.

Containment

There are certain priorities a company is expected to have when responding to an incident: protect employees and customers, get services up and running again, improve to prevent a similar incident in the future, etc. Maersk addressed another concern relatively unique to this type of incident. They used their communication to illustrate a priority for containment - not only within their own systems but across partners.

"The malware was contained to only impact the container related businesses of A.P. Moller - Maersk, and therefore six out of nine businesses, including all Energy businesses, could uphold normal operations.”

Maersk had to reassure stakeholders that the incident was contained to certain parts of the organization but also had to reassure their larger operating environment that it would not spread outside of Maersk's systems.

“shut down for a period for precautionary measures, as they have global interfaces across businesses and partners.”

Let others make bold statements

The most extreme language I found used by Maersk in public communication was in the Q2 2017 report: “This cyber-attack was a previously unseen type of malware.” That's still pretty bland, especially when compared to the usual "sophisticated" and "unprecedented" language we see from companies during and after an incident. Instead of taking that approach, Maersk left the extrapolation and bold statements to others.

WIRED July 1, 2017

  • When a piece of unprecedented malicious software rampages through thousands of critical networks around the world, it tends to get our full attention. And this week's digital plague, known as Petya (or NotPetya or Nyetya) proved especially vicious. It paralyzed thousands of computers

  • And some researchers are starting to believe it may have been just another offensive in Ukraine's long-running cyberwar with Russia, though this time with collateral damage felt around the world.

The Register June 28, 2017

  • It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.

Splash 247 June 29, 2017

  • Arguably one of the most sophisticated, IT savvy shipping companies in the world has had to work as if it had gone back in time to the mid-1990s for the past 48 hours.

Herculean Efforts

Even when speaking about recovery efforts, Maersk mostly kept it factual and didn't play up the truly herculean effort it must have taken to replace hundreds of thousands of computers across the globe.

“A.P. Moller Maersk gradually progressed to more normalised operations [...] during the week of 3 July to 9 July. To reinstate services safely and without further disruption, A.P. Moller Maersk began to systematically bring back users and applications in 500 locations.”

Bleeping Computer January 25, 2018

  • By all accounts, this is a monumental effort from Maersk's IT staff, equivalent to installing a new infrastructure from the ground up. The effort is even more jaw-dropping when we take into consideration that Maersk is the world's largest shipping companies, hauling over a fifth of the world's ship containers.

One instance when Maersk did use more extreme language was at the World Economic Forum in Davos in January 2018. Chairman Jim Hagemann Snabe spoke about the incident and said that Maersk was "collateral damage of probably a state attack." However, this happened after the CIA attributed NotPetya to the Russian military. The company didn't connect that dot on its own. Hagemann Snabe's remarks at Davos were the most extreme characterization of the incident by Maersk and give us the most insight into its incident response strategy.

Next post, I will wrap this all up and discuss larger conclusions and implications.

©2020 BY CLEAR SECURITY COMMUNICATION.