There was a time not too long ago when, if you were going to present at a meeting or a conference, you would bring your presentation to the event in two forms: one digital, and one physical. You would bring your computer or portable drive that held your presentation file, and that was your preferred means of presenting your work. But you’d also bring along a folder of transparencies, just in case the room in which you were presenting lacked working presentation equipment. Perhaps you had been failed by presentation technology before, or you had heard the horror stories from others who had been, and so you decided you’d bring along an old-school backup just in case. After all, you were a prudent presenter who planned ahead.
That same exercise in caution – that same advance planning for when our tools fail us and we need alternative ways to carry out our responsibilities – could serve us well now. Cyber attacks are an inevitable scourge of modern life. Whether it befalls a critical infrastructure and endangers millions, or it acts in a much more targeted way on your or your business’s operations, a cyber attack will damage and destroy. The concern is not hypothetical. In fact, in 2018, the specter of cyber attack joined the list of the top five risks to global stability. As the number of devices connected to the Internet continues to soar, now reaching nearly 27 billion, each one of which provides a possible pathway for a hacker’s treachery to wreak havoc, the question of cyber attack increasingly becomes not one of if, but of when.
At a national level, much discussion – and, arguably, too little action – have transpired to protect critical infrastructures such as the power grid, refineries, the manufacturing supply chain, and the financial system. A report issued recently by the think tank Foundation for Defense of Democracies concluded, “The United States will find itself flat-footed during a major cyber event.”
The Foundation, working with The Chertoff Group, recommended a number of steps for improving the nation’s readiness to respond. There must be clearer, more comprehensive, and quicker communication regarding cyber incidents both within and among industry sectors, so that greater swaths of the nation’s institutions and systems can receive advance warning of ongoing attacks. The roles and responsibilities public and private entities play during an attack must be articulated much more clearly so that they may cooperate more constructively. There has to be less interest in pointing fingers at the culprit and more focus on responding to the needs of the moment, postponing investigation and culpability assessment until after the storm has passed. The group also recommended maintaining a sizable technology reserve so that critical systems could be spun up quickly in the wake of a crippling attack. Building on this idea, a set of shadow supply chains that would normally be shuttered but would spring to life to replace compromised ones could help the nation continue to supply goods and services as it recovers. Think of these reserves and alternative paths as the backup transparencies you used to bring to your presentations.
We don’t have to focus exclusively on critical infrastructures, of course. If you or your small business were attacked, would you be able to recover quickly and with minimal loss? An important component of an information security strategy is disaster recovery: how will the organization continue to function and rebound from calamity? It’s not an easy problem, but it is certainly something that a successful cyber strategy must consider, plan, and validate continuously.
It seems to me that the need for effective, comprehensive continuity and disaster recovery planning for individuals and small businesses affords a new opportunity. Keeping with the spirit of the transparencies example, individuals and small businesses should identify ways to conduct and restore their operations from completely offline sources. The Chertoff report mentioned technology reserves and hinted at shadow supply chains, systems that lie in wait, continuously updated and ready to be activated when needed. Individuals and organizations should have their own such shadow systems.
A new breed of startups could specialize in making this an easy proposition. Such companies could provide mobile system restoration services, where “mobile” would assume its literal meaning. These new companies would dispatch armored “Tech Trucks” to their customers on a regular schedule, siphoning their designated backup image, a subset of the customer’s data that it deemed essential to restoring operations, through a central encrypted connection – the “Data Valve” – they would install for the customer when they registered with the service. Think of a septic truck sucking sewage from a cleanup area, and you’ll have a memorable – though unappetizing – analogy for what the Tech Trucks would do, except, of course, with data. The customer’s backup image would be stored on the Tech Truck’s internal storage, completely offline, entirely offsite, physically protected in an armored shell, and strongly encrypted, able to be decrypted only when connected to the customer’s Data Valve. When a customer needs to restore operations in the wake of an attack, the Tech Truck would come to the rescue, connect to the customer’s Data Valve, and restore the company’s operations from the backup image.
To plan for the inevitable day when computers go dark, it may be helpful to consider low-tech remedies. What was true for the turn-of-the century Powerpoint presenter applies equally well today.