BP has had another agonizing failure as it tries to stop the massive oil leak deep under the Gulf of Mexico.
The President, meanwhile, is taking heat for the disaster and his apparent paralysis in the face of crisis. The consequences of the spill are devastating, and compensation is well beyond the resources of BP, even if the whole company is seized. The crisis deserves to be the proper focus for every resource the President can bring to bear.
The problem is that, while he's got resources, none of them really know enough about BP's business to do anything useful. So all the President can really offer BP is cheerleading, coffee, and veiled threats of indictment.
If that sounds like schadenfreude, that's not my intent. Rather, the BP crisis is giving me a sense of what cyberwar will be like. If it happens, and I think that's likely, it will be pretty ugly. As I say in Skating on Stilts,
Hostile nations are probably already seeding our privately owned infrastructure with logic bombs and malware designed to shut down critical services -- power, telecom, Internet, banks, water and sewage. Each private company has a private, and unique, network design. Each private company has a private, and unique, set of defenses and recovery plans.
"It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing: Attacked at home and forced to give up cherished principles or loyal allies to save ourselves."
So when an attack occurs, if it's successful, some of those defenses will fail. Some citizens will spend days, weeks, maybe months, without power or phones or water or access to their bank. We'll be at war, under attack, hurting.
We'll look to the Commander in Chief. And he'll look pretty much the way President Obama does today.
He won't be able to send troops to protect, say, Verizon's network. His troops mostly don't have the skills, and if they do have the skills, they don't know the network. Even if a company has screwed up badly, failing to adopt basic backup and malware protections, he'll have to defer to the idiots who got us into the mess until they find a way to get us out.
Of course, by the time they do, the war may be more or less over.
So, if we expect a replay of the BP experience in the event of cyberwar, can we learn something from the current experience? Maybe.
Here are a few ideas that occur to me. First, it's often the case that private companies can quite confidently get us into trouble that they then can't fix; when that's true, we ought to be very dubious about their confident assertions that regulation is excessive or unneeded.
Second, the government needs to be much more involved in understanding the problems that companies may face in the event of a surprising crisis -- as well as the solutions. Maybe that means insisting on seeing their crisis response plans -- and evaluating and testing them. Or having a corps of private, public, or half-of-each (think Marine Corps Reserve) experts who actually can supplement company resources capably in a crisis.
Finally, perhaps we should be developing well-protected, cyberstupid government networks that can be used for critical private functions in a crisis. As the BP tragedy plays out, I hope we'll learn more.
Americans will forgive the President for being surprised and helpless this time, I think. But not the next time.
Or we could say what the hell, trust the industry reps, and keep going pretty much the way we're going now.
Then, all we'll need when the war comes is a warehouse full of pom-poms and coffee beans.
The lawyers, at least, we don't need to stockpile.
But, having said that, what's the difference between a genuine attack and some script kiddies fooling around? Is it just scale?
I mean, if you want to say "there's a national security issue involved with putting everything on the internet", then yes, that's certainly true, but that's not _solely_ a matter of national security. Google could shut down tomorrow and it would not affect the nation to a significant degree (indeed, if these stories about people running across highways because Google Maps said so, we'd probably be safer!) And Google has day-to-day business-operation reasons to keep its networks secure.
You cite the example of BP's oil spill, but it's not as though BP is having all that stuff be cleaned up for free! It's not as though they aren't going to lose billions of dollars over this!
To some extent this whole thing sounds like those weapons-wonk scenarios about EMP attacks making all our power lines explode. Scary stuff, but it turns out doing it requires enough nuclear weapons that it would be easier to just blast us all into oblivion.
Posted by: DensityDuck | Jun 01, 2010 at 12:16 PM