The Department of Homeland Security can barely protect its own computer systems from outside attack. Yet a group of business leaders wants to hand the department their responsibility for coordinating with each other after a catastrophic disaster affecting the Internet.
A new Business Roundtable report (PDF) says that “the United States is not sufficiently prepared for a major attack, software incident or natural disaster that would lead to disruption of large parts of the Internet.”
“If our nation is hit by a cyber Katrina that wipes out large parts of the Internet, there is no coordinated plan in place to restart and restore the Internet,” said John J. Castellani, president of Business Roundtable and one of the Gang of Six most influential Washington lobbyists. “A cyber disaster could have immediate and nationwide consequences to our nation’s security and economy, and we need to be better prepared.”
The report says that the Internet lacks early warning systems, or “trip wires,” which could identify signs of a catastrophic event such as an Internet-based attack before it happens, and track the progress of such a disruption.
“Those who maintain the IT infrastructure need global trip wires to ensure the well-being of the Internet should a massive disruption or cyber attack come from overseas,” the report says. “Without adequate trip wires, the government, businesses and citizens lack the ability to anticipate when coordinated mitigation strategies are needed or understand if or how government might intervene.”
The report rightly says that the private sector must shoulder most of the responsibility for recovery after an attack or disaster, and rightly identifies poorly coordinated government programs as an obstacle.
It says that various government agencies have conflicting and unclear responsibilities, which should be clarified and reassigned where appropriate. The report also says that the government has no clear policy on Internet disaster recovery and should develop one.
The report calls for companies to implement new mutual aid agreements and standard communication protocols in the event of a disaster, and for the Department of Homeland Security to take a more prominent role in coordinating Internet disaster response between the companies responsible. Because, of course, they can’t do it themselves, so they’d rather have taxpayer dollars pay for components of disaster response they should be handling themselves.
I don’t think they realize what they’re asking for. The government certainly has a role in Internet disaster response, as it has computers on the Internet. But giving it such a central role might not be such a good idea, when it can’t even keep its own little corner of the Internet secure. And especially not when its inability to respond to a truly catastrophic event, and its tendency to hinder disaster response at every turn, have been so thoroughly demonstrated.
“Cyber Storm exemplified the importance of public and private sector and international entities working together and in concert and in coordination to prepare and to protect our citizens, our businesses, and frankly, our national interests,” said DHS undersecretary for preparedness George Foresman.
DHS will issue an after-action report on Cyber Storm later this summer. Maybe.
In the meantime, I have my own disaster recovery plan in place. And maybe if things are truly catastrophic I might have to relocate this site to Johannesburg or Taipei or Alice Springs, but you can be sure I can do it within 24 hours, even in the worst circumstances I can imagine.
Plan for your own disaster recovery and let everyone else do the same. Then what homeland security expert W. David Stephenson calls emergent behavior will take over. He said the best example was the Flight 93 passengers’ spontaneous, self-organizing effort to thwart the September 11 hijackers, and that there were also many similar examples during Hurricane Katrina.
One can plan for disasters all day long, but when the excrement hits the ventilation device, all the plans go out the window, as anyone who’s ever been in the military will tell you, and the situation goes ad-hoc very fast. A proper disaster response must plan for this and leverage emergent, ad-hoc responses, Stephenson argued.
“Government can either capitalize on the technology and science of networks and treat the public as full partners in prevention and response, creating the conditions that would let emergent behavior flourish, or we will take matters into our own hands and circumvent government,” said Stephenson.