http://www.wired.com/politics/security/commentary/securitymatters/2007/07/securitymatters_0726 Commentary by Bruce Schneier 07.26.07 If an avian flu pandemic broke out tomorrow, would your company be ready for it? Computerworld published a series of articles on that question last year, prompted by a presentation analyst firm Gartner gave at a conference last November. Among Gartner's recommendations: "Store 42 gallons of water per data center employee -- enough for a six-week quarantine -- and don't forget about food, medical care, cooking facilities, sanitation and electricity." And Gartner's conclusion, over half a year later: Pretty much no organizations are ready. This doesn't surprise me at all. It's not that organizations don't spend enough effort on disaster planning, although that's true; it's that this really isn't the sort of disaster worth planning for. Disaster planning is critically important for individuals, families, organizations large and small, and governments. For the individual, it can be as simple as spending a few minutes thinking about how he or she would respond to a disaster. For example, I've spent a lot of time thinking about what I would do if I lost the use of my computer, whether by equipment failure, theft or government seizure. As I a result, I have a pretty complex backup and encryption system, ensuring that 1) I'd still have access to my data, and 2) no one else would. On the other hand, I haven't given any serious thought to family disaster planning, although others have. For an organization, disaster planning can be much more complex. What would it do in the case of fire, flood, earthquake and so on? How would its business survive? The resultant disaster plan might include backup data centers, temporary staffing contracts, planned degradation of services and a host of other products and service -- and consultants to tell you how to use it all. And anyone who does this kind of thing knows that planning isn't enough: Testing your disaster plan is critical. Far too often the backup software fails when it has to do an actual restore, or the diesel-powered emergency generator fails to kick in. That's also the flaw with the emergency kit suggestions I linked to above; if you don't know how to use a compass or first-aid kit, having one in your car won't do you much good. But testing isn't just valuable because it reveals practical problems with a plan. It also has enormous ancillary benefits for your organization in terms of communication and team building. There's nothing like a good crisis to get people to rely on each other. Sometimes I think companies should forget about those team building exercises that involve climbing trees and building fires, and instead pretend that a flood has taken out the primary data center. It really doesn't matter what disaster scenario you're testing. The real disaster won't be like the test, regardless of what you do, so just pick one and go. Whether you're an individual trying to recover from a simulated virus attack, or an organization testing its response to a hypothetical shooter in the building, you'll learn a lot about yourselves and your organization, as well as your plan. There is a sweet spot, though, in disaster preparedness. Some disasters are too small or too common to worry about. ("We're out of paper clips!? Call the Crisis Response Team together. I'll get the Paper Clip Shortage Readiness Program Directive Manual Plan.") And others are too large or too rare. It makes no sense to plan for total annihilation of the continent, whether by nuclear or meteor strike: That's obvious. But depending on the size of the planner, many other disasters are also too large to plan for. People can stockpile food and water to prepare for a hurricane that knocks out services for a few days, but not for a Katrina-like flood that knocks out services for months. Organizations can prepare for losing a data center due to a flood, fire or hurricane, but not for a Black-Death-scale epidemic that would wipe out a third of the population. No one can fault bond trading firm Cantor Fitzgerald, which lost two thirds of its employees in the 9/11 attack on the World Trade Center, for not having a plan in place to deal with that possibility. Another consideration is scope. If your corporate headquarters burns down, it's actually a bigger problem for you than a citywide disaster that does much more damage. If the whole San Francisco Bay Area were taken out by an earthquake, customers of affected companies would be far more likely to forgive lapses in service, or would go the extra mile to help out. Think of the nationwide response to 9/11; the human "just deal with it" social structures kicked in, and we all muddled through. In general, you can only reasonably prepare for disasters that leave your world largely intact. If a third of the country's population dies, it's a different world. The economy is different, the laws are different -- the world is different. You simply can't plan for it; there's no way you can know enough about what the new world will look like. Disaster planning only makes sense within the context of existing society. What all of this means is that any bird flu pandemic will very likely fall outside the corporate disaster-planning sweet spot. We're just guessing on its infectiousness, of course, but (despite the alarmism from two and three years ago), likely scenarios are either moderate to severe absenteeism because people are staying home for a few weeks -- any organization ought to be able to deal with that -- or a major disaster of proportions that dwarf the concerns of any organization. There's not much in between. Honestly, if you think you're heading toward a world where you need to stash six weeks' worth of food and water in your company's closets, do you really believe that it will be enough to see you through to the other side? A blogger commented on what I said in one article: Schneier is using what I would call the nuclear war argument for doing nothing. If there's a nuclear war nothing will be left anyway, so why waste your time stockpiling food or building fallout shelters? It's entirely out of your control. It's someone else's responsibility. Don't worry about it. Almost. Bird flu, pandemics and disasters in general -- whether man-made like 9/11, natural like bird flu or a combination like Katrina -- are definitely things we should worry about. The proper place for bird flu planning is at the government level. (These are also the people who should worry about nuclear and meteor strikes.) But real disasters don't exactly match our plans, and we are best served by a bunch of generic disaster plans and a smart, flexible organization that can deal with anything. The key is preparedness. Much more important than planning, preparedness is about setting up social structures so that people fall into doing something sensible when things go wrong. Think of all the wasted effort -- and even more wasted desire -- to do something after Katrina because there was no way for most people to help. Preparedness is about getting people to react when there's a crisis. It's something the military trains its soldiers for. This advice holds true for organizations, families and individuals as well. And remember, despite what you read about nuclear accidents, suicide terrorism, genetically engineered viruses and mutant man-eating badgers, you live in the safest society in the history of mankind. -=- Bruce Schneier is the CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu Jul 26 2007 - 00:22:01 PDT