The Economist UK - 10.08.2019


Business | The Economist, August 10th 2019


In 1989 the thin-hulled Exxon Valdez supertanker ran aground in Prince William Sound, Alaska, pouring a quarter of a million barrels of oil into the surrounding waters. At the time, it was America's worst offshore spill, and a huge blow to the reputation of the ship's owner, Exxon. The firm paid $3bn to clean up the area and settle legal claims, and to improve safety the American government ordered the phasing out of single-hull ships such as Exxon Valdez. All vessels used worldwide by Exxon's corporate descendant, ExxonMobil, are now double-hulled. But that is not all. The disaster gave rise to a cultlike culture of discipline within ExxonMobil that helped turn it into the profitmaking beast it is today.
Three decades later, as a result of a relentless surge in cyber-crime, digital firms are floundering towards their own Exxon Valdez moment. The latest is Capital One, a big American bank with a market capitalisation of $42bn, which on July 29th revealed that a hacker had stolen personal and financial details of 106m credit-card customers and applicants. Prosecutors allege that over four months Paige Thompson, a 33-year-old software developer, infiltrated a Capital One server hosted on Amazon's cloud-computing platform through a misconfigured firewall. Bizarrely, the bank did not notice even after the hacker pseudonymously boasted about the heist on social media—until it was tipped off. For a company hitherto seen as one of the most technologically adept in finance, this is a blow.
The incident has two parallels with the oil industry. Robert Knake, a former White House cyber-security adviser and co-author of "The Fifth Domain", a new book on the subject, describes the way the hacker penetrated a layer of security called a web-application firewall as a "perfect analogy" to the era of single-hulled oil tankers. Like Exxon Valdez, Capital One should have had more protection. Like the oil companies of old, the bank may have also lacked a culture of safety sufficiently strong to ensure that it relentlessly probed for new vulnerabilities. Both are a reminder that, if data are now more valuable than oil, data breaches bear an unhealthy resemblance to oil spills. Internet firms can learn a lesson or two from hoary old carbon-belchers like ExxonMobil on how to avoid them.
Exxon Valdez was a watershed moment for Exxon. In 1989 it had already been around for a century. But the disaster led to a full-blown overhaul of the firm's safety and risk-management culture. In "Private Empire", a book about ExxonMobil by Steve Coll, the author can barely disguise his astonishment at how far this went. In its offices, desk drawers had to be kept shut lest employees bump into them. Every meeting began with a "safety minute", akin to a blessing before a meal. Cuts by office paper clips were monitored. Even today its 11-point Operations Integrity Management System—as detailed in its pursuit of safety nirvana as the Buddhist path to enlightenment—is drilled into new recruits, incorporated into performance assessments and shared with contractors and suppliers. For 27 years it has worked remarkably well.
Corporations can argue that data are trickier to manage than oil. Preventing data breaches is a fiendish game of cat-and-mouse. Companies do not know who their attackers are—criminals? state actors? lone wolves?—or what they want. The hacker only has to be right once to penetrate a system. Defenders have to parry every jab, all the time; one misstep and they lose. Many companies bridle at being held responsible for being the victims of crime or acts of war.
Still, the oil industry's experience is instructive. First, the emphasis on ingraining safety in every employee can strengthen the weakest link in cyber-security: the individual. In "The Fifth Domain" Mr Knake and Richard Clarke argue that companies deploying ever more sophisticated anti-hacking technology cannot eliminate "Poor Dave", the guy in every organisation who can't resist a phishing email. Studies show that employees are often, by accident or intentionally, the main cause of successful cyber-attacks. Wise firms fake phishing emails to flush out the Daves.
Oil firms' insistence on their supply chains speaking the same language, and loudly, on safety is also worth emulating. Hackers increasingly infiltrate large corporations by first penetrating the defences of smaller suppliers and piggybacking on the communications systems which link the two. This is made easier by the fact that many firms treat hacks like gonorrhoea, an embarrassing affliction no one wants to admit even if speaking about it would stop its spread. Some call it a tragedy of the cyber-commons.
Third, the near-death experience suffered by BP after the Deepwater Horizon oil disaster in 2010 shows how an asset can turn into a crushing liability; data are no different. The spill ended up costing the British firm more than $50bn. Its reputation has yet to recover fully.
For now, the costs of a data breach look absurdly light by comparison. Capital One says its recent hack will cost it up to $150m this year, mainly in extra customer support. Ignoring potential fines, that is less than $1.50 per victim—and a tenth of the bank's latest quarterly profits. Equifax, a credit-scoring firm, recently agreed to pay up to $700m to resolve lawsuits and other claims after data of nearly 150m clients were hacked. IBM Security, a consultancy, puts the average cost of a data breach worldwide at $150 per victim. Messrs Knake and Clarke think it should be more like $1,000 to spur the investment needed to prevent losses.

Tar and feathers
Governments are indeed getting tougher. Last month Britain's data regulator, the Information Commissioner's Office (ICO), proposed fining British Airways £183m ($222m) after data about 500,000 passengers were stolen. That marks the first big penalty linked to the EU's newish data-protection rules. The airline said it would appeal. It may yet convince regulators it is not to blame. But as with Exxon or BP, that argument may wear thin with regulators and consumers. Companies which trade in data—ie, most big ones these days—had better get ahead of the problem.

Schumpeter: The Exxon Valdez of cyberspace

If data are the new oil, data breaches should be treated like oil spills