MARY LOUISE KELLY, HOST:
A gas pipeline, a meatpacking company, the ferry to Nantucket - three very different businesses, three of the many, many recent targets of ransomware attacks. So many, it's getting hard to keep up. Which made us wonder if U.S. businesses are putting some kind of playbook together, sharing best practices on how to keep hackers out of their networks and how to respond if they do get hit. Well, let's bring in the perspective of the U.S. Chamber of Commerce on this. Christopher Roberti is senior vice president of cyber, intelligence and supply chain security policy at the Chamber - in other words, the point guy for cyberattacks.
Mr. Roberti, good to have you with us.
CHRISTOPHER ROBERTI: Mary Louise, thank you for having me.
KELLY: Start with how worried are corporate executives, business leaders that you're in contact with. Do they feel like sitting ducks?
ROBERTI: Well, companies have taken it seriously, but the incoming is withering. And there's a lot that companies are looking to do to improve their defenses but also to work collaboratively with the government and also see the government take up its role...
ROBERTI: ...In this process.
KELLY: Well, let's stay with that for a second because the White House has thoughts on this. They just put out a memo to business leaders urging them to protect themselves against ransomware attacks, talking about how the private sector and the government need to work together. Just - what was your top-line reaction to this memo? Is there useful stuff in there?
ROBERTI: Mary Louise, yeah. We welcome the letter from Deputy National Security Adviser for Cyber and Tech Anne Neuberger. There are two main themes in that letter, and I think there's - they're important both to unpack a little bit. So the one side that everybody's talking about, which is what should businesses do to protect themselves? And there's a lot of really good information and guidance in there, and that's guidance that we at the Chamber have been pushing out for some time. The second component of it is an acknowledgement that the government needs to do things as well.
KELLY: I wonder if you can be specific. Is there something specific Washington could do - should do - to protect American corporations that it's not currently doing?
ROBERTI: Yeah. I think the U.S. government has a very unique role, and they have very unique capabilities and authorities. And it can promote deterrence and impose consequences. For instance, that could be, at a broad level, working with like-minded governments to put together programs on countering ransomware at a bilateral and multilateral level. It could mean working with international law enforcement.
KELLY: Let me turn you to the question of what happens if a company does get attacked by ransomware. The guidance from the FBI is don't pay because it will just invite the next attack. Where is the Chamber of Commerce on this? What are you telling business leaders?
ROBERTI: If you look at the FBI's statements, it's actually pretty nuanced, where they say they do not encourage the payment of ransomware. They understand if a company has to make that decision because in some cases, whether or not they are paying the ransomware could be an existential decision for the company.
ROBERTI: And so where we are is we really aren't getting in the decision of whether a company should or should not pay. And look - if this was an easy solution, we would've solved it decades ago.
KELLY: Well, let me just give a specific example. I interviewed the CEO of Colonial Pipeline last week, Joe Blount, the company that provides nearly half the East Coast's fuel supply and which did pay more than $4 million ransom when it was attacked. I asked him about it. He told me it's the hardest decision he has ever made in his career.
(SOUNDBITE OF ARCHIVED NPR BROADCAST)
JOE BLOUNT: You don't want to pay these contemptible criminals, but our job and our duty is to the American public. So when you know that you have a hundred million gallons of gasolines and diesel fuels and jet fuels that are going to go across the southeastern and eastern seaboard of the United States, it's a very critical decision to make.
KELLY: And Joe Blount defended it as the right one, that he's glad he made this decision. What goes through your mind as you listen to him?
ROBERTI: I have sympathy for him. And look - when you think about it, no company has a chance when they're fighting against a nation state or a very sophisticated threat actor who's coming at them day by day by day, hundreds of thousands of different times and ways.
KELLY: But are you also sympathetic to the point of view that this will just encourage the next attack?
ROBERTI: Of course. Look - this is - like I said, this is not an easy solution. This is something that requires us - in the words of Chris Inglis, the nominee for the national cyber director, would say, if you're an adversary coming after one of us, you've got to beat all of us. We have to work together.
KELLY: Christopher Roberti is senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce.
ROBERTI: Thank you for having me.
KELLY: And this coda - shortly after we spoke with Mr. Roberti, the Justice Department announced that the FBI has recovered most of the ransom that Colonial Pipeline paid to hackers. More on that twist elsewhere on the program.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.