Home > Standards Blog

Advanced Search 

Welcome to ConsortiumInfo.org
Friday, April 25 2014 @ 03:14 AM CDT

Email Article To a Friend View Printable Version

The Devilís in the Cloud, Part IV: The Ghost of Christmas (Cyber) Future

Cybersecurity

You can find the first part of this series here

John Leech, The Last Spirit/Dickens' Christmas Carol - Public Domain, courtesy of Wikimedia CommonsIt would be convenient and consoling to pretend that what I’ve described over the last several days is simple science fiction. But sad to say, the only thing that is doubtful about the scenario I have described is that it might be difficult for the perpetrator to build a thousand drones without Western espionage becoming aware of the plan.

But would that really be so hard? Many countries are building drones now; the technology is not complex. Indeed, Germany launched V-1 drones against Britain more than seventy years ago. With GPS today, building and guiding sufficiently reliable drones of the primitive type needed to stage the attack I have described is within the technical ability of every nation that could be imagined to be an enemy. And there are plenty of old ships to go around.

The moral of the story is that we are turning a willfully blind eye to a vulnerability that we are rapidly creating.

And I use the word 'rapidly' advisedly.  There is already an OMB program in place called the  Federal Data Center Consolidation Initiative (FDCCI), under which the Federal agencies will close 1,200 out of about 2,900 data centers.  But that may only be a first step.  The Department of Homeland Security has already consolidated its information much farther.  Where once its enormous data resources were spread across 46 data centers, everything now lives in just five. As noted in a recent FCW.com article, "although having fewer data centers gives would-be attackers a smaller zone to target, the threat is offset by a smaller perimeter that has more controlled resources within it."

That may be fine if you are only worried about terrorist attacks by a few individuals.  But it also dramatically increases the damage that a successful cyber attack could do if some or all of those centers are breached.  And it's abundantly clear that unless those five centers are buried deep underground, the type of scenario I've described could already have devastating effect today.

So why are we doing this?

In part, this is because it is easier and cheaper to place servers in industrial buildings, and in part because we live under the illusion that because we have not had a major war on Western soil since the 1940s that it cannot ever happen again.  Which is, of course, patently absurd. Indeed, war has been intermittent in the Middle East for decades, threatening to spill beyond those borders, and was actively pursued in the Balkans only two decades ago. How much more likely would an attack become if a drone-filled ship could replace an army, navy and air force all rolled into one, and without incurring a single casualty on the attacker’s part? 

Have YOU Discovered the Alexandria Project?

A Tale of Treachery and Technolog

But one need not look to the indefinite future to find a reason for concern. Should we be willing to roll the dice that North Korea or Iran would never try such a gambit, and especially if it were possible that we would be unable to trace the attack to its source in time to retaliate? But even if we assume that currently known adversaries need not be of concern, what about ten or twenty years from now, as the global population expands, and as water and other natural resources become every more scarce?

If the picture I have painted is dreadful to comprehend, it should be. Indeed, if we continue on our current course of centralizing Cloud services without housing them in appropriate protected environments, we should expect that a scenario such as the one described will certainly occur to one or more nations in the foreseeable future. With 5,000 years of history to look to for precedent, we would be reckless to assume otherwise.

Happily, and unlike the challenges presented by cyber attacks, addressing the threat described is not even difficult.  Only expensive.


The most obvious solution is simply to mandate that Cloud services and related infrastructure be placed underground. Indeed, the medieval solution (fortification) remains beautifully suited to the current task. There is nothing technically challenging about digging a hole in the ground, filling it with a data farm, and covering it again with 30 feet of dirt and concrete.  It’s only a matter of deciding to incur the extra cost (if you’re wondering what a structure would be like, you can find one described here).

While it's true that the U.S. today has a "bunker busting" bomb that could reach deeply buried resources, the U.S. is the only nation that has a stealth bomber capable of carrying the 30,000 pound behemoth. It is far harder to imagine how any nation could mount a concerted attack against U.S. data centers using ordinance of this nature for the foreseeable future.


Available Now for $2.99 or less

at Amazon, iTunes and Barnes & Noble (and in ePub and PDF formats at GooglePlay)

What is needed is for a thoughtful set of requirements to be set out that identifies critical infrastructure, and then specifies what level of protection against kinetic attack will be required. Of course the same effort should be dedicated to ensuring that the facilities are protected against cyber attack as well. I have described such a set of requirements in detail in the past. You can find those requirements, as well as another equally credible attack scenario, here. As you will see, this is a task based not on rocket science, but on common sense.

It’s hardly surprising that we should find ourselves at such a pass.  Realizing the promise of the Cloud has been just over the horizon for twenty years, and now, suddenly, it has come within our grasp. Moreover, technical opportunity has always beguiled us. We always want to have the candy first, and worry about the cavities later. Stated another way, profit motives will always bring innovation to the marketplace faster than prudent rules to protect us from any undesired but nonetheless real dangers that might come along for the ride. When real danger does become evident, lobbyists will weigh in to avoid new restrictions and costs, and legislators will temporize and delay. And the greater the investment is made in unprotected infrastructure, the greater will be the resistance to replacing it with more expensive facilities.

What we need to ask ourselves, like Scrooge, is which future do we want to live in? History tells us clearly that we have not seen the last of war. Europe especially should resonate to the possibility of the scenario that I have laid out in this series.

But those in the United States should pay even greater heed, because after centuries of living safe behind our moat of oceans, we now live in an age where a handful of aging ships can, any morning now, truly bomb us back into the Stone Age.
 

Sign up for a free subscription to Standards Today

a trusted source of standards news, ideas and analysis

since 2002

The Devilís in the Cloud, Part IV: The Ghost of Christmas (Cyber) Future | 2 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
Oh dear!
Authored by: minrich on Friday, April 26 2013 @ 05:40 PM CDT

Oh dear! Whatever will happen to software patents, FRAND and RAND, the patent trolls and the Standard Setting Organizations and Consortia??? How will I charge my Smartphone and Tablet? Sorry, but I gotta go guard my chickens and vegetable garden, and load up my yacht for a rather long trip to the Antipodes. Happy thoughts. Best minrich

[ # ]
The Devilís in the Cloud, Part IV: The Ghost of Christmas (Cyber) Future
Authored by: Andy Updegrove on Saturday, April 27 2013 @ 09:16 AM CDT

Minrich,

 

I'm detecting a note of scepticism in your comment (remarkable perception on my part). But you didn't mention anything in specific about the scenario that struck you as unlikely.

 

For example, there is strong consensus now that with the implementation of the Smart Grid in the U.S. and in Europe that taking down the Internet would also take down the grid. But the dialogue to date about how to guard against this has focused only on  cyber security, with no discussion about protecting the physical security of the connections, or the supporting Internet ifrastructure from physical attack.  Which is a bit interesting, given that insistance on the physical protection of nuclear reactors against physical attack is over a decade old.

 

It's also long been recognized that we always tend to protect ourselves against the last war, and not the next.  And yet we read in the news every day about U.S. drones selectively taking out targets in Afghanistan and Pakistan, completely immune from any defensive action.

 

The same would be true in the EU and in the U.S.  There's simply nothing in place to shoot anything down if were to be launched. And there's no screening of cargos until the cargo is unloaded.

 

I could go on with additional details on all sides, but I think that the fact that something sounds outlandish has never been much of an assurance against it happening.

 

Kind of like someone hijacking passenger jets and crashing them into buildings filled with thousands of people, something that Tom Clancey had already included in a plot in one of his books before 9/11 happened.

 

How outlandish!

 

  -  Andy

 

[ # ]