A few months ago, we wrote about how the Stuxnet incident reinforced the warnings about Cyberwarfare we highlighted in the Crisis Points of our ZapThink 2020 vision. However, we had no idea that just a few weeks later an even larger and more significant happening would bring Cyberwar front and center. If you’ve been even peripherally paying attention to the news lately, then you know about Wikileaks and the battle going on between supporters and opponents of the group. While you might think that these incidents have nothing to do with you, enterprise architect, IT manager, developer, vendor, or consultant at a private company or government institution, they most certainly do. You are about to become a part of the frontline in the Cyberwar battle.
We hadn’t anticipated Cyberwarfare being a day-to-day concern of IT managers until a few years from now, but it seems that the world has moved a lot more quickly than we anticipated. Just as firms plan for server outages and deployment problems, now every firm must have a contingency plan to deal with the potential outage of their most important online suppliers. If Cyberwar seemed to be a benign or irrelevant threat, you might soon experience firsthand why you can no longer afford to ignore the potential crisis that Cyberwarfare can have on your organization.
How Can Someone Else’s Battles Affect Me?
Even if you’re not directly targeted in a Cyberwar, you can still be dramatically impacted by the skirmishes. In fact, it’s the collateral damage of high-likelihood attacks on critical infrastructure that pose much more threat to your business than the relatively less likely direct attacks on your business. Imagine that you are a small manufacturing business in Costa Rica. Costa Rica is so peaceful that it doesn’t even maintain a standing army, and the business is so small and inconsequential to the rest of the world that you barely get any traffic to your site at all, let alone a large enough quantity that downtime would even be noticeable.
So, you think you’re immune to Cyberwarfare, right? Wrong. Your company uses Google for mail, a specialty Software-as-a-Service (SaaS) supplier for its B2B network that just happens to use Amazon’s cloud computing infrastructure, and processes its online payments with an Internet-based credit card gateway. The first thing that the company notices is that it can’t process payments because the credit card processor is under siege. Then, its B2B network goes down because Amazon is under attack. Finally, you can’t even send requests for support to either the card processor or the B2B network because Gmail is down due to a distributed denial of service attack (DDOS). At this point, the company is effectively knocked off the net from a business standpoint, even if its own website is up and operational.
Think this is all theory? You’re wrong. A crowdsourced group of pro-Wikileaks “hacktivists” have directly taken on all the infrastructure providers above, with the exception of Google… for now. Even though most of the targeted firms have emerged from these attacks relatively unscathed (check out this website tracking Wikileaks-related outages, and this online chronicle of website downtimes), the fact that some online providers, most notably Paypal and Mastercard, were down for even a short amount of time should leave most IT organizations shaking in their boots. PostFinance, a Swiss bank that shut off Wikileaks funding, was down for over 33 hours, leaving even hapless individuals begging for mercy. What if next time these attacks are more successful? For just how many hours can you afford to be disconnected as collateral damage in a Cyberwar? You say you have no contingency plans to deal with direct or consequential damage from malicious attacks? Then you are due for a Cyberwar Crisis Point. It’s just a matter of time. Deal with it now or deal with it later, but you will have to deal with it.
Dealing with Cyberwar Threats
The more interconnected you are and dependent on third-parties for your IT capabilities, the more threatened you will be by these attacks. Disconnecting yourself from your suppliers and the Internet is not an option these days. This means, then, that you must find additional suppliers that themselves depend on different infrastructure to be able to continue your business operations if your current supplier gets knocked off the ‘net.
You need to not only source back-up SaaS and Cloud suppliers, but also alternate modes of communication and payment if you want to be fully secure. Depend on Google for Mail? That’s fine, just set up a backup email provider. Depend on a single DNS provider? Then set up a secondary DNS source. Require Amazon’s Cloud for your primary operations? Then set up a secondary Cloud supplier. You see where this is going.
Having back up plans does introduce additional complexity that needs to be tested, but not necessarily a whole lot of extra costs. Most Cloud providers charge on an as-you-go basis, so having “just in case” capability should not involve double the cost of your existing supplier. The additional cost of “just in case” is your insurance premium against the potential future losses your business might face if your sole infrastructure suppliers become unavailable.
An alternative is to bring all your computing infrastructure in house (the so-called Private Cloud house of cards we have written about earlier). However, for most companies, bringing in-house their most critical infrastructure is not really an option.While the liability and economics might demand that the most critical suppliers not depend on third-parties for most of their critical infrastructure, the argument of taking on the full burden of outsourced infrastructure will most likely bankrupt you in the short term to deal with an unforeseeable problem in the long term.
Cyberwarfare, or even privacy, governance, and security concerns, are no reason to throw out the Cloud Computing baby with the high-risk bath water. You simply need to actively plan for disruption and have mitigation plans in place that you regularly test. If you can’t handle the downtime, then you at least need to degrade gracefully. Find ways to deal with the potential outages of your most critical suppliers with failover plans that involve using people or non-IT processes. This can be your worst-case failover that should provide some degree of confidence to deal with unknown threats.
The ZapThink Take
If you think the Cyberwar threat and Wikileaks is an isolated incident that will soon come to an end, I have bad news for you – we’re just at the beginning. What’s to stop foreign crime syndicates from leveraging this new approach to bring large networks and companies to their knees? What about anarchist online mobs that seek disruption for fun? Indeed, the decentralized nature of these sorts of attacks leaves every company and network a potential threat. The fact that any disgruntled group could crowdsource an attack for any reason should be a major concern. It could be something as innocuous as dislike of a new product. There’s just no telling. As such, you should find ways to prepare for the unpredictable.
It’s up to you and your organization to plan to actively mitigate those threats, especially those in architecture roles that are supposed to be the strategic planners of IT’s resources and capabilities.