The Hurricane is past, but we’re still picking up the pieces in New York. New York is arguably the most powerful City in the world, yet even New York can be laid low by nature. New York is vulnerable due to its low elevation in the Wall Street area. The City took a lot of damage, but it could have been much worse. Not only could the storm have been more powerful, but the storm hit during a brief period when “Wall Street” was somewhere else. Most of the major financial firms had moved their headquarters to Midtown, which is on higher land. Many others moved a decade ago, after 9/11. In a few years many will move back, when the rebuilding of the World Trade Center provides high quality space for new corporate headquarters. When Wall Street firms move back to Wall Street, the potential damage from a new Hurricane Sandy could be even greater.
Hurricane Sandy opened up everyone’s eyes to the new threats that we face in a world of global climate change. But the 21st century has more disaster risks in store for us than just storms and flooding. Towards the end of the 20th century, corporate America began to suffer attacks by computer viruses. At first this was merely an annoyance, but virus attacks became more robust and more frequent.
We added anti-virus software to our computers, and then we discovered malware and spyware, which required more computer software to foil. Then, the virus creators began to have powerful financial and political motivations, and we learned about denial of service attacks that could take down a whole segment of the Internet… and all of the targeted firms who “live” on that section of the Internet. Now, Iraq, China, Russia and the US have all launched attacks across the Internet, much like the way a drone strike or military invasion is launched. Each new attack results in a significant improvement in cyber-warfare, and a new generation of virtual weapons. Soon, according to Homeland Security, we can expect a major attack on the US. However, the target will not be the US military or even the government in Washington. The target is likely to be your business!
THE THREAT: Today, a lot of the world is run by computers. Stop the computers and you can stop the world. In 2007 the small country of Estonia, with a little more than one million residents, decided to remove a WWII era statue of a Russian soldier (a time when Germany was the oppressor, and Russia the liberator). The government received cryptic messages, originating from Russia, that it would be disloyal and ill advised to remove the statue. Estonia started to remove it, and suddenly their country was under a denial of service attack… a flood of traffic aimed at a specific location on the Internet that overloads users and shuts down services. These attacks were on and off for three weeks; during each attack data could not get in or out of Estonia, isolating the country from the rest of the world.
In 2009 the United States government created the Stuxnet virus, and inserted it (without the manufacturer’s knowledge) onto computer-controlled equipment built by Siemens that was sold to Iran. The virus made equipment perform at levels that would make it self-destruct. For example, it is estimated that the virus destroyed 10,000 centrifuges by running the motors faster than their rated speed. In August of 2012, Saudi Aramco, one of the largest corporations in the world, had 30,000 computers infected by a virus that appears to have been launched by Iran. While the virus disabled almost all Microsoft/Intel computers and servers, it did not impact the oil production and transportation equipment, which uses different computer systems. If it had affected this equipment, the impact on the oil market and the world economy could have been catastrophic.
Whether you are developing a disaster plan for your in-house operations or your outsourced operations, cyber-attacks are becoming more common and need to be in your plan. You can avoid a flood by simply locating your delivery site far from a river, lake or ocean. Cyber-attacks are not easily limited by geography. However, location does impact which types of attack could affect you.
BIG CORPORATIONS: The “location” of a big corporation on the internet is relatively easy to find. The corporate web site announces its location through its URL (i.e., www.bigcorp.com), and the firm’s Internet activities leave easy-to-read trails back to their servers and data centers. Over the past decade, internationally recognizable corporations have been a prime target for cyber-attacks.
IT departments regularly see signs that they are being probed, often from China, Russia and offshore locations. Someone is looking for a hole in security where they can shut down your protection or insert a virus. Defense against these targeted attacks lies in the hands of corporate IT. However, you can change your level of exposure by simply not having all of your operations under the same “address”. Most outsourced operations will have different addresses that will fall outside of the range of the attack.
PHISHING: In many attacks, there is no single target. The intention is to strike anyone possible. This may be to cause general harm, or for profit. A Phishing attack is usually delivered by email, and looks like a legitimate request for information from a bank or other corporation. If you provide details about your account, then the Phisher takes over, and either tries to take your money or tries to send out emails, Tweets, and communications in your name.
A variant is “Spear Phishing”, where a specific corporation is targeted. A successful Phishing attack can derail a small business by interrupting your use of banking funds, making purchases for supplies and even paying your employees. Here too, by having an independently operating outsourced operation, you will more easily be able to continue operations.
DENIAL OF SERVICE: If you think of the Internet as a road system, this is equivalent to blockading the road. By cutting off access at strategic locations, an attacker can isolate a company or a segment of the Internet, preventing data from coming or going from the affected area. If your business depends on access to a website or orders come through email, this can be devastating. Even if you are not the subject of an attack, there may be others in your Internet “neighborhood” who are the target of an attack and you are merely caught in the crossfire. Once again, if your services are outsourced they are unlikely to be hit at the same time.
UTILITY ATTACKS: Rather than just deleting your data, Homeland Security believes that new attacks could directly target utility firms, cutting off power and other services. As more and more of the world becomes automated, these attacks become more likely. Mass transit, the control of street lights and other increasingly computerized services could all be hacked and used to disrupt business. The best defense, of course, is to make sure that not all of your work is performed where the attack occurs.
PHYSICAL ATTACKS: Cyber-attacks can now cause physical damage. Many demanding physical tasks have been computerized, and run remotely. For example, electric companies used to hire a large number of “line-men.” They drove out to the countryside, climbed high-power towers and manually flipped levers and switches to shunt power down different power lines. Today this is done by internet devices, devices that only a few years ago didn't have even minimal security. Someone could change a setting to deprive a region of power.
Worse still, an attacker could redirect more power across a line than it could handle. This would burn out a power tower, possibly melting the power lines, showering the area with molten copper. During the dry season in California and in the Midwest, this process could be used to start forest fires, and destroy critical infrastructure. Likewise, computer-controlled systems in dams and other water control systems could be manipulated or damaged. In the past, these were not the “risk” elements that you examined when you selected an outsourcing location. Today, you need to be more aware of the environment.
In 2011, Hurricane Irene was the “Storm of the Century,” yet it did little to change how America prepared for disasters. In 2012, Hurricane Sandy was the new “Storm of the Century,” that finally made America look at the gap in our preparation for disasters in our major cities with 21st century weather patterns. We haven’t yet had the “Cyber-Storm of the Century,” to raise our awareness of disasters on the internet and on our corporate networks. However, as the sophistication of cyber-attacks increases, it is inevitable that there will be a