Business Leaders Say U.S. is Unprepared for a (gulp) ‘Cyber-Katrina’
By Rick Moss
“Significant gaps exist in the response plans of the U.S. government and the private sector for reconstituting the Internet in the event of an unprecedented massive Internet disruption.”
Sounds like a rant from the Unabomber, right? Were that the case, the danger would certainly be easier to dismiss. But, unfortunately, the source is about as respectable as they come. The Business Roundtable is a think tank comprised of CEOs from 160 leading U.S. companies that represent upwards of $4.5 trillion in annual sales (almost one-third of the total value of the stock market) and 10 million employees. Members include IBM, GM, H-P, Coca-Cola, Home Depot and Sun Microsystems.
In 2005, the organization examined the issue of preparedness for a “major attack, software incident or natural disaster that would lead to a disruption of large parts of the Internet.” They reviewed the government’s plans, commitment and funding availability.
Bottom line? “The Roundtable’s review found that there are no well-coordinated processes that would integrate the disparate plans of industry and government to restore Internet functioning.”
An analysis of the shortcomings in government planning and coordination within business sectors is summarized in a white paper just published by the Roundtable, “Essential Steps to Strengthen America’s Cyber Terrorism Preparedness” (PDF download).
The title alone is reason for some optimism, at least relative to the analogy of a Katrina-like disaster. The report says that, although the last 10 years has seen progress on security and many technical fronts, many other aspects are simply not being addressed. These include the need for a host of contingencies, from shoring up market confidence after a total internet failure to making sure government and business leaders know how to respond.
Most pressing, perhaps, is the need for business and government to work in concert. “Well-intentioned government officials and industry leaders are not currently in a position to synchronize efforts and deploy coordinated and tested capabilities to restore Internet services,” the report says.
A primary message of the report is that, unlike coordinated responses to natural disasters like hurricanes, which are government-based, business and industry must take the lead on cyber affairs. The Roundtable’s recommendations for the private sector include:
- Establishing a single point of contact within the company to coordinate internet restoration and efforts with government officials
- Developing a strategic company plan to account for the movement of goods and services during and after the disaster
- Consolidating early warning and response to avoid confusion from overlapping and multiple organizations
- Agreeing on an information-sharing mechanism (presumably one that does not rely on the internet)
Moderator’s Comment: What chance do we have that all the disparate entities that need to be involved will act together and produce a viable preparedness
plan for an “internet tsunami”?
For what it’s worth…
“If the system breaks down the consequences will still be very painful. But the bigger the system grows the more disastrous the results of its breakdown
will be, so if it is to break down it had best break down sooner rather than later.” – Point #3 from the Introduction of the Unabomber’s Manifesto –
Rick Moss – Moderator
A close friend previously worked for one of the largest Internet security firms in the world and, being privy to some of the “near misses” he witnessed, there’s nothing alarmist about this discussion topic. It was very scary to see how many unknown worms are created specifically for some of our large corporations or industries. Public utility, healthcare and banking were by far the most popular. Thankfully, the issues were avoided–primarily by underground battalions of tech geeks that create short term–then long term–patches to avoid mass disruption. The government was indeed involved but the entire process is very reactive. I’m glad there’s a focused effort to bring this issue to light.
Best thing about the internet: it’s largely not government operated. Biggest Katrina lesson: be self-reliant because government-dependency isn’t a good idea. Every organization (business, government, family, charity, etc.) needs disaster planning, which should include provisions for extreme weather, technical outages, accidental disablement (or death) of key people, transportation disruption, etc. Sometimes insurance can be purchased. Sometimes procedures need to be rehearsed in advance. One thing’s for sure: when your house is on fire, it’s too late to buy insurance, install sprinklers, or rehearse the evacuation plan.
The reason we don’t have a national plan involving the government and the private sector is there is no immediate payback. The payback is only a reduction in the catastrophe if something were to happen. Big business is focused on financial results and the government is focused on the next election.
I’m not optimistic about industry and government getting their acts together. It would seem to me that a coalition of companies that would have the most to lose – like Amazon, Microsoft, Google, Yahoo!, major banks, etc. – might have the best chance to build an effective plan and sell it to business and government.
Two main items come to mind. One is that we don’t need government getting involved and creating another ineffective bureaucracy. The second is the seeming lack of planning and preventive preparations by most. Whether this is alarmist or not, individual businesses, and cooperatives should have some contingency ready in case of the unexpected.
Shades of Y2K! Like George is telling his buddy Ralph, “Did you know that ignorance and apathy are the two main problems that are plaguing the country?” Ralph says, “No, I didn’t know that, and I really don’t care.”
One of the great advantages of the internet is that it is, mostly, not under monolithic control. Which means that no concerted efforts are needed. If something breaks, the affected parties will respond post haste. What if the rest of us all went on vacation for a week, on the very same days?
OK, maybe I am ignorant and apathetic, but somebody needs to “pay” for the Y2K outrage foisted upon us, and all the other global scaremongering going on. Some of us are just going to keep working on what is constructive and near at hand, and not spend one second worrying about an asteroid hitting the earth. (Yes, there are millions of dollars, and many careers, publicly funded, devoted to this “what if.”)
What exactly does “Katrina like” mean? Does it mean a fumbling government response, or does it mean an event that is locally disastrous, but nationally largely unimportant?
I think the Y2K non-event has jaundiced many people’s views; and many others will think along the lines of “we’ve only had the internet for a few years, an ‘outage’ shouldn’t be a big issue.”
Although this viewpoint is not correct – nor is it totally wrong – it’s a big hurdle to overcome.
I’m torn by this subject. The conspiracy theorist portion of my brain is saying that even the mere suggestion of non-readiness by government is tantamount to treason. After all, surely they wouldn’t want to tempt fate by letting any potential terrorists hanging around know that they are super-confident that there is, of course, an effective plan in place. Someone might leak the details.
The cynical portion of my brain is saying, so what else is new? Of course there isn’t a plan. Nor should there be – as with Y2K, trying to anticipate every conceivable thing that might go wrong simply creates inestimable cost and bureaucracy and time wasting. Far better to react if and when the time comes. Although admittedly this is unlikely to be acceptable or successful, at least the waste doesn’t start any sooner than necessary.
Orrrr, are we experiencing a bit of bluff and double bluff?