While much of the Monday-morning quarterbacking of the response to Hurricane Katrina revolves around poor communication, bureaucratic missteps, sluggishness, and red tape on both the state and federal levels, the disaster got me thinking about something entirely different: the readiness of our national infrastructure--roughly 80% of which lies in private hands--to withstand or bounce back from a disaster or cyberattack of similar proportions.
One look at New Orleans and the Mississippi cities of Gulfport and Biloxi makes it very clear what happens when we have wholesale, widespread shutdowns of key utilities--water, electricity, fuel, and communications: chaos, panic, and death. It also points to the perils of inadequately secured ports, oil rigs, and levees. It's not good.
Now, we don't have oil rigs and levees everywhere. And a Category 5 hurricane is not a common occurrence. That is not the point. The issue isn't even whether anything could have withstood the howling winds, storm surge, and flooding wrought by Katrina. Clearly not.
The issue is that we do have chemical plants all over the place, key ports of entry ringing the country, a network of interstate highways and skyways, and a national grid of utility, water, communications, and network services we all take for granted. These pieces of our critical infrastructure have long been considered prime targets for physical and cyberattack, and, indeed, it may not be possible to protect them from a determined attacker.
But it is possible to put into place physical and cyber safeguards, and it is possible to have a detailed, thought-out plan for recovery in the event of, say, a major shutdown of the electricity grid or air-traffic control. We just assume these things are so.
Which is why, I think, as stunning as the images of destruction are--and you don't expect to see that kind of devastation in the United States--the country seems more shocked by the aftermath. We perhaps naively expected to see an almost instantaneous response--the kind we are accustomed to seeing our nation lend to other planetary citizens. And for whatever reasons, when it did not happen, the shock was felt around the world. Closer to home, people died.
And yet, it could be worse. The question that is going to have to be addressed at some point in the angst-ridden postmortem is this: What if this level of disaster happens again? On a broader, more nationwide scale? We can no longer say terrorist attacks and the unbridled wrath of Mother Nature don't hit here. The last four years make it clear they do. And we can no longer assume that when these disasters strike, wreaking the level of havoc they do, that we'll be bouncing back to normal in no time. We won't.
Given our focus on technology, I cannot help but wonder about a wider-scale shutdown of key services driven by cyberattacks and whether we've made any progress in the area of cybersecurity beyond the many committees, subcommittees, and proclamations that have been created over the last four years to address the subject. So it seemed a good time to check in with the security experts at the SANS Institute, specifically its longtime director of research, Alan Paller. As it turns out, my timing was perfect--in recent weeks there has been progress on this very issue, including "three or four" conversations about it at the White House level. Among the changes under way:
The reason there is so much excitement over "Baked-in Security" is fourfold, Paller explains:
A little closer to my original question, at best, Paller says we can expect to see mobile recovery technology, starting with mobile communications, improved "radically" following the lessons learned from Katrina. But in terms of large-scale impact on the national infrastructure, he is doubtful. More likely, he predicts, will be the changes wrought over time by the initiatives he described above. Let's hope those CIOs find some willing listeners.