Security and Change (pt. 2): Black Swans

Remember Y2K? It was the meltdown that never happened. Well, I have news for you. It could well have been a catastrophe. We really did avert it. I speak as someone who spent the Y2K weekend holed up at the Government’s command center in a nondescript building in downtown Washington, DC. From a security perspective, the bad guys were out in force the night of December 31, 1999, scanning and testing, ready to launch a major denial of service attack. But most folks had closed down their Internet-facing servers. Some of those who didn’t got hit. But everyone was on site and, besides, it was a weekend and not much real business was being done anyway. Five weeks later, when companies had let down their guard, the anticipated denial of service hit eBay, Amazon, Yahoo! and others in force.

Y2K was an exception. We knew in advance what could happen and when it might happen. We didn’t have that knowledge (or didn’t “connect the dots”) for 9-11, nor did we anticipate the Indonesian tsunami, the Kobe earthquake and the flooding of New Orleans caused by Hurricane Katrina. Conversely, we think that we know that a pandemic is in the offing and that global warming will melt the icecaps and drown our coastal cities.

How does one plan for such low-probability, high-impact catastrophic events? You certainly can’t predict them as to time, place and severity. One of the best guides to approaching such events is Nassim Nicholas Taleb’s book The Black Swan: The Impact of the Highly Improbable (Random House, 2007). Taleb writes that, since you cannot predict such events, but you do know that catastrophes are inevitable, one should establish a level of preparedness based on the knowledge that catastrophes occur and have to be dealt with. Another quite radical approach is that of John Seo. Seo is described as the owner of an unusual hedge fund in Michael Lewis’s article “The Natural-Catastrophe Casino,” which appeared in The New York Times Magazine of August 26, 2007. Seo invests in catastrophe or “cat” bonds, which effectively provide insurance against major disasters to the sellers of the bonds.

But why should security professionals be concerned about this stuff anyway? Well, even if you take the narrow definition of security (rather than the broader one that includes business continuity and disaster recovery planning, to which I subscribe), there are many security considerations to address. Think about the records that were destroyed in New Orleans following Hurricane Katrina and the ensuing flood from breaches of the levees. A person’s medical records might have been stored at home, in his or her doctor’s office, and in a neighborhood hospital. All three repositories might well have been destroyed in the flood. Similarly, financial and other records, in paper and electronic form, were destroyed. In the turmoil following Katrina, identity theft and fraud were rampant. Building guards and police were gone and security systems were out of action, and looting ensued.

I’m not saying that all or any of these security issues could have been avoided, even if there were some fairly high expectation of such an event. The cost of such duplication of records could be enormous, although the prospect of storing them “in the cloud” might help make such storage practical. But it does suggest that we could come up with some level of preparedness, per Taleb. For Y2K, many financial firms and others printed out critical reports and stored them offsite. Even if the computer systems were down and some buildings were not usable, it would still have been possible to either conduct business at a (much) lower volume, or have the data available to bring back the operation when the systems and facilities came back online.

Such out-of-the-box thinking is needed to prepare even in some minimal way for huge disasters. For example, the financial regulators look for “core” institutions to provide “out of region” backup for all aspects of their business: not just the data centers, but also the front office and business support operations. The preparation is to mitigate the impact of a horrendous disaster in a major metropolitan area.

Of course, any such plan requires that information be distributed across primary and backup facilities, that employees are cross-trained to take over others’ functions, and that physical and logical security is maintained even in the face of a major catastrophe.

The recent concern that the avian influenza virus might mutate to infect humans and spread throughout the world’s human population with disastrous consequences led to a fair amount of preparation and several exercises. But there is still much to do, as described in the General Accountability Office’s March 2007 report “Financial Market Preparedness.” Other security professionals and I were involved in the initial stages of the financial services effort and we determined that there were a number of security and privacy issues to be addressed. One challenge is to provide a robust list of contacts at various institutions, while at the same time ensuring that individuals’ personal information does not fall into the wrong hands.

While the planning for a bird flu pandemic is a worthy and necessary effort, I believe, as does Taleb, that an actual catastrophe is unlikely to follow an anticipated path, so that it is necessary to generalize the planning effort. Just as Y2K planning helped Wall Street recover from 9-11, so some general catastrophe plan will assist in whatever is visited upon us.

No one likes to contemplate the range of potential catastrophes. However, to achieve at least some level of preparedness, we need to think out of the box and come up with some fallback plans that will at least help survivors recover and rebuild.
