What do you think? Leave a respectful comment.

Here’s the latest on gas shortages in the US and the plans to prevent future hacks

Although Colonial Pipeline has resumed operations after a cyberattack, things are yet to return to normal. William Brangham has a look at the new claims about the hack and the resulting gas crunch with Patrick De Haan, the head of petroleum analysis for GasBuddy, and Dmitri Alperovitch, co-founder of Silverado Policy Accelerator.

Read the Full Transcript

  • Judy Woodruff:

    The nation's largest fuel pipeline has slowly resumed service. That is the start of some good news, but no one is celebrating just yet.

    A new report from Bloomberg said Colonial Pipeline paid $5 million dollars in ransom last week. The company itself has denied paying ransom and says that it will take time before things return to normal.

    William Brangham has a look at all of this, beginning with the gas crunch some states are facing.

  • William Brangham:

    Judy, it seems panic has set in across the Southeast, even though that major pipeline is restarting operations after being shut down for six days.

    Long lines formed outside of stations across parts of the U.S., as fears and frustration about gas shortages grew. At least 17,000 stations reported being completely empty in the Southeastern U.S., which then helped push gas prices to the highest levels in six years.

    As of this morning, 55 percent of stations in Virginia were without gasoline, 49 percent of stations in Georgia had none, and more than two-thirds in North Carolina reported outages.

    While the gas supply has begun moving, its slowly. Fuel flows through the pipeline at just five miles per hour. So, it's expected to take several days before the supply returns to normal. Public officials have urged Americans not to panic, and to avoid rushing out to buy and hoard gas.

    So, for a closer look at the impacts, I'm joined by Patrick De Haan. He's the head of petroleum analysis for GasBuddy, which is an app that tracks fuel prices and shortages.

    Patrick De Haan, great to have you on the "NewsHour."

    Can you help us understand something? When we're looking at these shortages, are those driven by all of this panic purchasing, or is it driven by the pipeline that was shut down for six days? '

  • Patrick De Haan:

    Well, I think, if you were to slice this into a pie, I think 10 percent of it would probably be because the pipeline was shut down and the slow replenishment of fuel.

    But I think 90 percent, really, or more is the result of panic buying and hoarding. We saw gasoline demand shoot up instantly. And it wasn't just limited to the states in the Southeast where this was primarily happening. It was across the entire country to a lesser agree, certainly very impressive.

    In fact, areas of South Florida that generally receive gasoline not from the pipeline, but from barge, were starting to see outages go up. In fact, Miami had no outages yesterday morning. Now they're up to 40 percent. It seems like fear and hoarding is starting to grip Miami.

  • William Brangham:

    So it's sort of amazing to me that 90 percent of this is driven by that.

    Your app and your company really keeps its finger on the pulse of Americans' seeming obsession with gas prices. Does this make sense to you, that word of this attack goes out, the pipeline goes down, and does it make sense that that hoarding took place?

  • Patrick De Haan:

    Well, at least to me, it kind of deifies logic.

    I mean, I'm certainly not one that would be running out to fill up 50-gallon drums. But we're seeing some pretty incredible images across social media, people filling up six jerricans or putting gasolines in a plastic bag, to the tune that the Consumer Products Commission then warns Americans not to do that.

    It's truly incredible the obsession we have can with gasoline and how worried we get when we start talking about a pipeline not operating.

  • William Brangham:

    So, I understand the Biden administration has also relaxed some rules about truck drivers, apparently to address a truck driver shortage.

    Can you explain how that plays a role in these shortages?

  • Patrick De Haan:

    Well, in the recent years, we have continued to see a deficit of truck drivers. As more retire, there's fewer left, and fewer being hired into the system.

    And so, over the last five years, we have seen that shortage grow and grow, certainly not helped by the COVID-19 pandemic, which early on caused a lot of trucks to sit parked for several weeks, certainly for tanker trucks that deliver to stations, saw a 60 percent drop in demand. So, many of them may have opted to take an early retirement or gotten laid off.

    But now those tanker truck drivers are the ones who bring the fuel from the rack at the local level to the station. And what we're finding out now is that there's simply no way that they can stay caught up. Number one, it may be a problem of two few truck drivers. Number two, there may not be enough capacity at the rack where those tanker trucks are pulling.

    Even within — or even with this pipeline being operational, I think we still would have seen outages based on this behavior.

  • William Brangham:

    So, as I said, the pipe is now flowing again. How long, from your estimation, until things get back to some level of normal?

  • Patrick De Haan:

    I think it really depends.

    The hardest-hit states, like you mentioned, North Carolina, Georgia, the Carolinas, they could take seven to 14 days for gasoline purchases to not involve a higher level of thinking. That is, you don't have to check the GasBuddy app in 14 days to figure it out.

    Other areas that aren't as hard-hit, that might be five to 10 days. But still, even though the pipeline is flowing, this is still going to be a headache thing to go out and find gasolines for the next couple of weeks.

  • William Brangham:

    So, if someone, especially people in the Southeast, are hearing this and seeing these news reports about shortages, and worrying whether or not they're going to get gas in their car or their truck, what would you counsel them to do?

  • Patrick De Haan:

    Certainly, just be patient.

    If you don't need to drive, I certainly would not. You know, it makes everything much harder when you're spending half of your day looking for an open gas pump. I would just simply sit home, wait it out, and then wait for the situation topaz. It will start improving now.

    Of course, some people are front-line workers, essential workers. I think it's more crucial that they have access to the gasoline they need, rather than me simply going out to a pump and filling up all the containers I can find.

  • William Brangham:

    All right, Patrick De Haan of GasBuddy, thank you very much for being here.

  • Patrick De Haan:

    My pleasure.

  • William Brangham:

    So, in response to the Colonial Pipeline hack and the recognition that there are major cybersecurity weaknesses here in the U.S., the Biden administration released an executive order last night, one that had been in the works for weeks, to strengthen those defenses.

    It will establish baseline security standards for any software purchased by the federal government and require companies to quickly disclose breaches when they occur.

    For more on all of this we turn again to Dmitri Alperovitch. He's co-founder of Silverado Policy Accelerator. It's a Washington-based think tank that focuses on cybersecurity.

    Dmitri, always great to see you on the "NewsHour."

    So, the president puts out this executive order. What do you make of it? Will this actually help address the problem?

  • Dmitri Alperovitch:

    Thanks for having me.

    Well, first of all, this is an extraordinary executive order. It is 34 pages' long, one of the longest executive orders we have ever seen, certainly the longest one on cyber. And there is a lot of detail here. In fact, if you take all the bills, cyber bills and executive orders of the last two decades, this one exceeds them all combined.

    And the reality is that a lot of it is just good hygiene type of stuff, sort of eat your oatmeal type of approach that the administration has taken. A lot of it is focused on federal government security, which is where they have the authorities to actually make a difference.

    But one of the things they have tried to do is find leverage. So, a lot of what you see in this executive order is how to use the power of the federal government procurement, dealing with lots of companies that sell software and other services to the federal government, and say, if you're going to do business with us, your cybersecurity level needs to rise to a substantial amount.

    And, as a result, because these companies sell not just to the federal government, but they sell all of us the same services, all of us will benefit from this action.

  • William Brangham:

    So, who is it that determines within the government whether or not a company is meeting those requirements? I mean, does the government then have to go in and look and say, company X's software, that's good, company Y's software, not good?

  • Dmitri Alperovitch:

    So, at some point, you're going to have audits that the federal government is going to conduct. And we have cybersecurity and Infrastructure Security Agency, CISA, within the Department of Homeland Security that is going to have most of the authorities within this executive order to verify that.

    But at the same time, you're going to see changes in contracts. So, as new contracts are put in place between vendors and the federal government, they're going to have to attest to certain security requirements as part of their ability to even win these contracts.

  • William Brangham:

    So, we're all focused on this most recent pipeline attack and the ransomware attack that went after this company.

    Would these provisions, if they were all instituted, have prevented this attack from happening?

  • Dmitri Alperovitch:

    Unfortunately, no.

    And this has to do with the fact that the administration only has so much power, without being able to, of course, change the law that will require congressional action. So, most of the focus of the executive order is indeed on making sure that the federal government itself is secure. And we have seen lots of hacks of major federal agencies over the last few months, including the SolarWinds hack.

    So it's designed to address those issues. It will have a benefit on the overall ecosystem by making sure that the vendors we all use, including companies like Colonial, are much more secure, to the extent that those vendors have business with the federal government.

    But there's going to be more effort that the Congress will have to do specifically looking at critical infrastructure. Who should regulate those entities? Most of your viewers probably don't appreciate the fact that Colonial is regulated by the TSA, the same people that check your shoes when you go through the airport for security purposes.

    TSA may have expertise in physical security, but they're probably not the best people to regulate Colonial on cyber-issues. So we're going to have to grapple with this as a country of who should be regulating these companies on cybersecurity issues, particularly companies that have such a high degree of ownership over our critical infrastructure.

  • William Brangham:

    This executive order also requires that companies are much more diligent about reporting breaches when they occur.

    Has that been a problem in the past, that a breach occurs on a network somewhere that might implicate other companies and that that breach is not disclosed?

  • Dmitri Alperovitch:

    The vast majority of breaches are actually never disclosed.

    In fact, today, the only companies that are disclosing breaches are those that show that personally identifiable information, information on consumers, like your name, your address, your Social Security number, that that information has been compromised. That's the level of standard that most companies are looking at.

    Defense contractors also have breach reporting requirements to the Department of Defense. But if you don't fall into those areas, you don't have to report to anyone. And, in fact, what we have seen is the vast majority of companies that have been hit in the SolarWinds hack, in the Exchange hack that your viewers may remember from a few months ago have not had to report anything.

    And that's a real problem, because the government does not have the visibility into the level of activity that foreign nation states are perpetrating against this country. They don't appreciate the impact to the national security of it as a result. And they can't protect the rest of the world that is facing the exact same attacks.

  • William Brangham:

    All right, Dmitri Alperovitch, Silverado Policy Accelerator, always good to see you.

    Thank you.

  • Dmitri Alperovitch:

    Thank you.

Listen to this Segment