But what would happen if there were to be a catastrophic cyber disruption?
That was the very question recently posed and explored by the Business Roundtable (of which IBM is a participating member).
In a report entitled "Essential Steps Toward Strengthening America's Cyber Terrorism," the Roundtable concluded that the U.S. is ill-prepared for a cyber catastrophe.
The deficiencies, however, seemed to be more political and organizational than infrastructural (that is to say, the lines of accountability are not yet clear should something go greatly amiss in cyberland. Sound familiar? Hurricane Katrina, anyone?)
Edward B. Rust, Jr., Chairman and CEO of State Farm Insurance and head of the Business Roundtable, said in a press release accompanying the report that "If there's a cyber disaster, there is no emergency number to call and no one in place to respond because our nation simply doesn't have the kind of coordinated plan in place that we need to restart and restore the Internet.... Government and industry must work together to beef up our cyber-security and recovery efforts."
Specifically, the report identified three major shortfall areas:
- Inadequate Early Warning System -- The U.S. lacks an early warning system to identify potential Internet attacks or determine if the disruptions are spreading rapidly.
- Unclear and Overlapping Responsibilities -- Public and private organizations that would oversee recovery of the Internet have unclear or overlapping responsibilities, resulting in too many institutions with too little interaction and coordination.
- Insufficient Resources -- Existing organizations and institutions charged with Internet recovery should have sufficient resources and support. For example, little of the National Cyber Security Division (NCSD)'s funding is targeted for support of cyber recovery.
As Rust continued, "Our nation's Internet and cyber infrastructure serve as a critical backbone for the exchange of information vital to our security and our economy, but our analysis has exposed a significant weakness that could paralyze the economy following a disaster."
Although the underlying beauty of the architecture of the Net has been its decentralized and distributed nature, an Internet Katrina could, like the overflowing levees in New Orleans, demonstrate both our personal and economic interdependence on the Internet in one fell swoop. Hopefully it won't come to that.
If you have trouble imagining what such an Internet disruption would be like, imagine this: You need to book a quick business trip to NY, hold an electronic meeting in advance of your physical meeting with colleagues distributed around the globe, get an email out to your staff, get a map to/from the meeting site...and check the latest World Cup scores (not necessarily in that order) -- all without Internet access.
Yeah, good luck with that.
The first step always seems to be admitting you have a problem...only then can you do anything about it.
The report offers numerous recommendations for both government and business in the case of such a cyber disaster. Industry will need to undertake principal responsibility for "reconstituting the communications infrastructure," while the government must fund longer-term programs and establish national response plans that treat major Internet disruptions as a serious national problem.
Specifically, private sector enterprises should consider designating a point person for their cyber recovery, and update their strategic plans to prepare for such a widespread outage and its impact on everything from the movement of goods and services to restoring Internet service and corporate communications. Meanwhile, government needs to cooperate more closely with industry to conduct large-scale cyber emergency exercises, with key lessons learned integrated into programs and procedures.
Look no further than recent worm attacks -- 2003's SoBig virus caused an estimated $30B in damages -- to get a clue that Internet risk management could be the best strategic planning investment you've made in years.