When the cyberlevee breaks

Interesting article about what to do when traditional Internet security measures fail:
The Internet today is in the same position as New Orleans was before the hurricane, a heavily fortified resource of incalculable economic and cultural value whose protections will one day inevitably fail.
What will you do when the cyber-levee breaks? Opinion by Bruce Levinson, ComputerWorld, September 21, 2005
The article recommends distributed backups and diversified communication methods. It even recommends what it calls plenipotentiaries, i.e., someone in each office of a company who can act without checking with the home office. Those are good ideas. And I’m not sure why that last one shouldn’t be more widely used; distributed agility should lead to more productivity in any case. And it’s been 200 years now since Admiral Horatio Nelson had his sailors trained so well that his orders before the battle of Trafalgar consisted of “England expects that every man will do his duty.”

Yet there’s something missing in the article’s recommendations.

Several things are missing from the article, actually.

One of the most obvious is diversification. If even ten percent of a company’s computers run a different operating system from the majority, significant resilience is achieved. Monoculture is one of the biggest security risks that the Internet and every company using it face. Fortunately, it is also one of the easiest risks to decrease.

Then there is the whole range of risk transfer options, ranging from insurance policies to catastrophe bonds and performance bonds. Many companies may think they have already dealt with this with Directors and Officers (D&O) or Errors and Omissions (E&O) insurance, but such policies don’t cover many new risks related to computers and the Internet, and many such policies deliberately exclude such risks.

Then there are reputation systems. The article talks about information sharing forums on its last page, which is good, but it doesn’t go into what types of information should be shared, or whether some information should be collected from public sources and made public so that customers can know what their vendors are doing with regard to security.

Forums are a start in the direction of collective action, but that road goes a lot farther.

-jsq