Posted by: David Scott
business security plan, cyber attack, cyber security, cyber security and government, cyber threat, cyber war, disaster awareness, disaster plan, disaster planning, IT security, Security Plan, security policy
In his excellent Wall Street Journal article, Cyber Combat: Act of War, Siobhan Gorman writes of our nation’s challenges in responding to state-sponsored acts of damage – acts of war, really – due to cyber attack.
When you think about it, the business of securing a nation is similar to any other business (save for the scale of balance and effects). We have streaming, ongoing, objectives in answer to goals and challenges: Resultant plans; attendant projects; priorities; resources; adjustments – and – there’s always the unexpected, isn’t there?
It got me to thinking about two paired concepts that are unique to my consulting practice and my subsequent counsel to business: IDRU and DAPR. (id-roo and dapper respectively).
IDRU is: Inadequacy, Disaster, Runaway and Unrecoverability.
DAPR is: Disaster Awareness, Preparedness and Recovery.
I’ll explain those and their relevancy to the enterprise in my next article, so I solicit your patience. First, some lessons and observations by employing “example by extreme” -
Part of what our Pentagon is presently wrestling with is how to respond to a cyber attack. An idea gaining favor is a measure of “equivalence.” That is, if a cyber attack was to cause a similar measure of death, damage and disruption that a bombs-and-bullets military attack would, then a like-attack would be warranted, employing a similarly-scaled return effect through conventional military attack.
However, the ultimate of cyber attacks wasn’t mentioned: That of Electro-magnetic Pulse (EMP). In 2006 I wrote of this threat. My book, I.T. Wars: Managing the Business-Technology Weave in the New Millennium, (BookSurge 2006), has a concluding chapter, What’s At Stake, dealing with the ultimate threat and challenge for any enterprise, to include entire countries. Here, there are lessons for the “local” organization – that is, yours.
An EMP attack could be something as simple as a scud missile carrying a single nuclear warhead. This missile need not be accurate for any specific target. It need only be detonated at a suitable altitude: the weapon would produce an EMP that would knock out power in a region – all power.
Not only would some measure of a nation’s power grid be out, but also generators and batteries would not work. There would be no evacuation of affected areas: Cars would not work, and all public transportation would be inoperable. Even if trains, planes, and other mass transit were operable, the computers that enable their safe use would not be. This would be due to the loss of all electronic data, rendering all computers useless. There would be no banking, no stock market, no fiscal activity of any kind, and there would be no economy.
Hospitals would fail without power. There would be no electronic communications: no mobile phones, no land phones, no e-mail, no television transmission, nor even radio. There would be no refrigeration of food, which would quickly rot to become inconsumable. Potable drinking water would quickly be expended, and the means to create more would not exist. Fires would rage, since the ability to deliver and pump water would be virtually nonexistent.
Now imagine a simultaneous application of a couple large-scale nukes detonated over the country.
No Federal Government would be able to govern – nor would any state or local government command any control over events. No police department could be able to know where events were happening requiring response. Priorities would be non-existent: The only actionable situations would be those in a direct line of sight. The Military would not be able to communicate. Hence, there would be no chain-of-command; no control. Scattered commands and units would soon begin operating autonomously in the vacuum.
The affected society, on all levels, would be sliced and diced into small groups and factions hell-bent on survival – the situation would be an almost immediate chaos. As we’ve seen during post-Katrina New Orleans and other disasters, breakdown of the social order is rapid and deadly. In this circumstance, it would also be prolonged, and possibly permanent – until the arrival of an enemy control. Imagine, if you will, a peak, sustained, Katrina/New Orleans disaster, coast-to-coast.
As the Pentagon considers “equivalency” and proportionality in regards to cyber attack, remember EMP. Of course, you can bet our government and military is well-aware of the threat of EMP. However, there’s a new wrinkle here. For years, people have taken some measure of comfort in the old “Mutually Assured Destruction” (MAD) theory: If Russia or another country sent a nuclear volley into the U.S., we’d still have some means for a response – and send a volley back. Thus, a deterrent effect was in place.
Today, it’s not clear if one country could “get the jump” and disable another through EMP, thus rendering the threat of retaliation moot.
In discussing cyber threats, one really does have to go to the ultimate in assessing threats, and make consideration of EMP. In fact, it was that very consideration that led me to IDRU and DAPR, and their applicability to Business – in fact, their very necessity. So, what do these mean to the local organization – yours?
Stay tuned. In the meantime, we may wish to consider:
The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty, and we must rise with the occasion. As our case is new, so we must think anew and act anew.
The best way to predict the future is to create it.
I like that last one especially. For Business and IT I say: You must thwart cyber attacks and crimes on a proactive basis. You must stay ahead of potential hacks, disablements and thefts by virtue of a responsible forward edge (RFE). Invent your future; sustain your safe entry to it.
Remember: Your number one asset is your reputation.
On this day (May 31st): In 1868 Dr. James Moore of the UK wins the first recorded bicycle race – a 2k velocipede race at Parc fde St Cloud, Paris.