In the wake of the SARS CoViD-19 pandemic, news organizations have been interviewing so-called “preppers” – survivalists who have been preparing for some natural or man-made disaster by hoarding shelf-stabilized food, guns, underground bunkers, water, and backup electricity. The preppers are taking a victory lap essentially saying, “we told you so.”
You see, even without prepping for the zombie apocalypse, the rest of us are doing just fine. If we want food, we don’t have to crack open an MRE, but we can go to the local Safeway or Gristedes, or drive up to a restaurant, or get a bacon double cheeseburger at Mickey Dee’s. Water? Hmm.. you COULD just turn on the tap. Electricity? It’s holding up fine for now. Now if the economy tanks and people are rummaging through the streets Mad Max style, maybe this will change, but for now, we don’t need to be preppers. The only thing we have to fear, is fear itself. And Netflix going down.
One of the things that cybersecurity professionals have advised for years is not just simple security, but resilience. That means having data systems that are up and running, that are reliable, that have adequate backup systems, and that you understand the nature of your dependencies and interdependencies. Cyber-resilience includes things like having a disaster recovery and business continuation (DR/BCP) plan. These plans typically sit on a shelf gathering dust until they become woefully outdated. Moreover, like the preppers plans for the zombie apocalypse, the DR/BCP plans typically envision the wrong kind of disaster. If you ask a cybersecurity professional to develop a DR/BCP plan, they will anticipate disasters like distributed Denial of Service attacks, ransomware, malware, disruption in service caused by server downtime, cloud provider failures, etc. You know, stuff they are used to. Computer viruses — not corona viruses.
Ask the same question of a risk person, and the disaster they might predict would be earthquake, flood, fire, labor stoppage, political unrest, etc. Same question. Different disasters. It’s the difference between Dawn of the Dead and Day After Tomorrow. War Games vs. Mr. Robot. Pick your disaster.
However, when you focus not on the methodology of the disaster but on resilience, certain themes are common. In general, for an enterprise to be resilient (not just “secure”) you have to have a basic understanding of the critical needs of the enterprise. What do we do for a living? What do we need to keep doing that? What resources? What skills? What people? What must function for us to continue? What is the core mission? The preppers may have boxes of freeze dried Salisbury steak and cases of turkey jerky that they won’t need to survive corona virus, but their ability to sustain a loss of contact with others for an extended period of time may prove valuable. This is why things like data security, integrity, availability and confidentiality are not wasted efforts, but return real value in times of disruption. They are not costs which we must bear, but are critical to the lifeline of an enterprise. Right now, it’s about surviving. Keeping critical operations running. Then rebuilding. Then growth. Resilience and continuity. It’s not just about preventing a data breach — when networks are down, literally that’s the last thing you are thinking about. Let me tell you something you already know. The world ain’t all sunshine and rainbows. It’s a very mean and nasty place, and I don’t care how tough you are, it will beat you to your knees and keep you there permanently if you let it. You, me, or nobody is going to hit as hard as life. But it ain’t about how hard you hit. It’s about how hard you can get hit and keep moving forward; how much you can take and keep moving forward. That’s how winning is done!
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.