Should an Internet "kill switch" worry you if you've moved your company to the "cloud"?
Category Computer security cloud computing
There's been an attempt by Congress to introduce a new cyber security bill that would give the US government a wide degree of latitude in controlling the Internet in the event of a cyber-attack (or some other threat that I'm sure would be open to interpretation). One of the common descriptions of this power is an Internet "kill switch," allowing the President to shut down sites and networks based on threat assessments from government security agencies. It's also been reported that 61% of Americans would approve of giving the President such power. While it might be easy for those who are technically adept to understand what a bad idea this can be, the general public doesn't quite see it that way.
But there's an angle to this that I haven't seen talked about much, and that's the potential collateral damage to a company or organization should a kill switch ever be used. The bright and shiny IT concept these days is cloud computing. Rather than maintain your own hardware and infrastructure to run your systems, you just move your computing and data to "the cloud" and let someone else manage it for you. Your email, applications, and data reside on servers in locations that are unknown and irrelevant to you... All you have to do is key in a URL in your browser, and you can get to your data from anywhere and save oodles of money by letting someone else take care of it for you.
But think about it... Vendor X happens to be storing your data at a data center in the country of Attackistan, because resources are cheap in that mythical country. But a criminal element also located in Attackistan launches a massive denial-of-service attack against government web sites, and the President throws the kill switch and stops all traffic from that country. Your email? Sorry... Sales data? Not available... Critical company documents used to run your business? I hope someone had copies on their desktop PC... For all intents and purposes, you might as well have been hit by a magnitude 9.0 earthquake, because you've suffered a disaster that has effectively destroyed your IT capabilities. But you can't even take your backups and move to a disaster recovery site, because you don't have backups any more. The government controls whether your business lives or dies, and you are collateral damage.
I wonder how many businesses that moved or are moving to the cloud have considered this type of risk, and whether it's something that they're willing to accept? You could try and make sure that your agreement specifies where your data is stored, but even that's not an assurance that a kill switch scenario wouldn't affect a US-based network for some reason.
I don't expect that cloud computing is going to go away, because the dollar cost of that technology is very compelling to businesses looking to reduce cost. But the cloud is certainly not all white and fluffy, and there are considerable risks, some of which have likely not even been considered. I'm not sure that I'd sleep well at night knowing that a decision that could be made and implemented in seconds by our government could put me out of business without a second thought.
There's been an attempt by Congress to introduce a new cyber security bill that would give the US government a wide degree of latitude in controlling the Internet in the event of a cyber-attack (or some other threat that I'm sure would be open to interpretation). One of the common descriptions of this power is an Internet "kill switch," allowing the President to shut down sites and networks based on threat assessments from government security agencies. It's also been reported that 61% of Americans would approve of giving the President such power. While it might be easy for those who are technically adept to understand what a bad idea this can be, the general public doesn't quite see it that way.
But there's an angle to this that I haven't seen talked about much, and that's the potential collateral damage to a company or organization should a kill switch ever be used. The bright and shiny IT concept these days is cloud computing. Rather than maintain your own hardware and infrastructure to run your systems, you just move your computing and data to "the cloud" and let someone else manage it for you. Your email, applications, and data reside on servers in locations that are unknown and irrelevant to you... All you have to do is key in a URL in your browser, and you can get to your data from anywhere and save oodles of money by letting someone else take care of it for you.
But think about it... Vendor X happens to be storing your data at a data center in the country of Attackistan, because resources are cheap in that mythical country. But a criminal element also located in Attackistan launches a massive denial-of-service attack against government web sites, and the President throws the kill switch and stops all traffic from that country. Your email? Sorry... Sales data? Not available... Critical company documents used to run your business? I hope someone had copies on their desktop PC... For all intents and purposes, you might as well have been hit by a magnitude 9.0 earthquake, because you've suffered a disaster that has effectively destroyed your IT capabilities. But you can't even take your backups and move to a disaster recovery site, because you don't have backups any more. The government controls whether your business lives or dies, and you are collateral damage.
I wonder how many businesses that moved or are moving to the cloud have considered this type of risk, and whether it's something that they're willing to accept? You could try and make sure that your agreement specifies where your data is stored, but even that's not an assurance that a kill switch scenario wouldn't affect a US-based network for some reason.
I don't expect that cloud computing is going to go away, because the dollar cost of that technology is very compelling to businesses looking to reduce cost. But the cloud is certainly not all white and fluffy, and there are considerable risks, some of which have likely not even been considered. I'm not sure that I'd sleep well at night knowing that a decision that could be made and implemented in seconds by our government could put me out of business without a second thought.
| Permalink |
Comments
I don't think this concern is specific to cloud.
Posted by Mitch Cohen At 05:30:00 On 29/10/2010 | - Website - |
Posted by Duffbert At 05:37:25 On 29/10/2010 | - Website - |
My other favorite reason to go with a hybrid approach is the risk that the cloud vendor will either go out of business or decide that some key service they provide is no longer profitable and turn it off. We've already seen this in the consumer arena, with Yahoo terminating it's "bill pay" service several years ago (and some other service more recently), and Bloglines going dark next month.
After all, if you let a cloud get too big it will start shooting lightning at you instead of bits.
Posted by Kevin Pettitt At 06:59:12 On 29/10/2010 | - Website - |
Posted by John McDonough At 13:39:44 On 09/01/2011 | - Website - |