The Internet is down -- now what?
- 22 January, 2008 10:30
It's likely that the Internet will soon experience a catastrophic failure, a multiday outage that will cost the U.S. economy billions of dollars.
Or maybe it isn't likely.
In any case, companies are not prepared for such a possibility.
But then again, some are.
These mixed messages come from credible sources. The confusion stems in part from the fact that the Internet has never seen anything much worse than local outages and brief slowdowns. But could it? And if it did, how ready would your company be?
Indeed, the threat is "urgent and real," says The Business Roundtable, an association of CEOs of large U.S. companies. The Washington-based public policy advocacy group says there is a 10% to 20% chance of a "breakdown of the critical information infrastructure" in the next 10 years, brought on by "malicious code, coding error, natural disasters, [or] attacks by terrorists and other adversaries."
An Internet meltdown would result in reduced productivity and profits, falling stock prices, erosion of consumer spending and potentially a liquidity crisis, according to a recent Business Roundtable report, "Growing Business Dependence on the Internet -- New Risks Require CEO Action." The organization based its conclusions on earlier risk analyses done by the World Economic Forum in Geneva.
Tom Lehner, director of public policy at The Business Roundtable, says business executives often fail to realize how dependent they have become on the public network -- for e-mail, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees. He also notes that disaster recovery and business-continuity plans often fail to take into account the threat an Internet disruption poses to a company and its suppliers. Moreover, business executives often mistakenly believe that government will take the lead in restoring network services in the face of an Internet failure, according to Lehner.
"What we wanted to do in this report is say to CEOs, 'You may not realize that whole segments of your business are almost completely dependent on the Internet, and it's not enough to have a few IT specialists to help you respond to problems as they come up,'" Lehner says.
Judging the risk
Stephen Crocker, an Internet pioneer and chairman of the Security and Stability Advisory Council of the Internet Corporation for Assigned Names and Numbers (ICANN), says he tries to walk a line between "Chicken Little, things-are-terrible" scenarios and "Pollyanna, the-world-is-wonderful" views of the Internet. He says, for example, that he worries little about a physical attack on the Internet -- against major hubs, lines and so on. "I don't know of any physical attack that would have any widespread or long-lasting effect," he says. "The Internet is pretty robust at the physical layer. There are just too many alternate paths available."
But the Internet is not so robust at other layers, admits Crocker, the CEO of Shinkuro, a Bethesda, Md.-based developer of information-sharing technology. He points to the possibility of "systematic failure of operating systems like Windows, or penetration by worms that run rampant and cause massive amounts of chaos," or floodlike denial-of-service attacks. Still, he says, these kinds of disruptions, although annoying and potentially quite costly, are typically resolved in a matter of hours and thus stop short of being the kind of catastrophe that the Business Roundtable report contemplates.
Others agree that the risk of catastrophe is minimal. Asked if he worries about an Internet meltdown, Michael Long, senior vice president of global services at Siemens Medical Solutions, says, "Anything is possible, certainly, with things today like the terrorism situation. But we are pretty confident that if we did have an Internet hiccup, we'd go with alternate communication paths."
In fact, he says, he views the Internet as something of a backup for his dedicated lines from AT&T and Verizon Communications.
Siemens Medical Solutions provides application hosting for more than 1,000 health care customers at 600 sites, mostly through private, dedicated lines.
Long does concede that certain functions would be a "challenge" without the Internet.
For example, Siemens uses the Internet extensively for troubleshooting and remote diagnostics by its major IT vendors, IBM, Hewlett-Packard Co. and Cisco Systems. Also, the company receives 1 million e-mail messages a week via the Internet, he says.
There is a good chance that parts of the Internet will fail from time to time, says Neal Puff, CIO of Yuma County, Ariz. "But having been based on the Arpanet and designed to keep functioning when pieces are broken, it seems less likely that the entire Internet would stop working."
The county currently accesses its ERP applications via a virtual private network over the Internet, and it offers many Web services to citizens from its own data center, also via the Internet. But Puff says that because of reliability concerns, he wants to flip that around, offering externally facing services from a distant site and hosting applications for internal use in his own data center.
Puff says it is less likely that the Internet would be disrupted at a hosting company in a big metropolitan area that has a robust infrastructure and a lot of redundancy than it would be in sparsely populated Yuma County. Conversely, internal users are less likely to lose the use of their corporate applications if those applications reside in the data center and don't depend on the Internet.
These moves will offer some protection against network outages, but not 100% protection, Puff acknowledges. "If the entire Internet goes down, everyone's in a world of hurt, but I try to look at the probabilities."
BNSF Railway Co. in Fort Worth, Texas, also uses a private, non-Internet network for its core operations and for transactions with major customers. But it uses the Internet for many less-critical functions that would be painful to lose if the Internet went down, says Beth Bonjour, assistant vice president for technology.
For example, BNSF uses the Internet for its customer help desk and to provide shipment-tracking information to smaller customers. Offering customers self-help via Web sites allowed BNSF to reduce its support staff, but now the railway doesn't have adequate staffing to handle the fax, telephone and other means of communication that it would be necessary to use if the Internet went down. There have been some limited Internet outages, Bonjour says, "and it's not pretty."
Inconvenient at best
Similarly, Intermountain Health Care uses a dedicated WAN to communicate with its major hospitals and clinics, but it uses the Internet for many other things, such as contact with vendors and health plan brokers and for access to WebMD, an online source of health advice. There are backups for some of those things. For example, ordinary telephone service can be used to communicate with vendors. But for others, such as broker relations, there is no backup. "It would be encumbered tremendously if the Internet went down," says Marc Probst, CIO at Intermountain.
Asked in a telephone interview if Internet alternatives are part of Intermountain's disaster recovery and business-continuity plans, Probst says, "We haven't sat down and gone through that kind of thinking. It's probably a very good thing to do, and we will, right after this phone call."
ICANN's Crocker says that although the Internet has serious vulnerabilities, some of them could be patched relatively easily. He urges IT and business leaders to speak up and demand better technology. "Today, the network operators, equipment vendors, government and business all seem to accept the idea the network is inherently dangerous and can't be modified in any useful way. I think that's fundamentally wrong."
He points to a number of practical proposals for Internet improvements that have gone nowhere, including Internet Best Current Practice 38.
Crocker says the Business Roundtable report and similar critiques carry an "implied assumption" that individual companies can protect themselves. There is some truth to that, he says, because companies can, for example, get multiple copies of critical systems running in different locations, albeit at considerable expense.
But he says that the most important thing companies should do is to band together to improve the overall situation. A "first-class" CIO, Crocker says, should approach his CEO with this message: "Boss, we need to take care of ourselves, but we also need to organize into a powerful user group and bring some pressure on [vendors] so that the network is fundamentally safer tomorrow than it is today."
The little things count
Patrick Cain, chairman of a network security working group of the Internet Engineering Task Force, says he finds the possibility of a catastrophic Internet failure unlikely. He points out that a major earthquake in Japan in 2005 slowed traffic in and out of Japan but went largely undetected in the rest of the world. When hurricanes disrupt traffic along the East Coast of the U.S., traffic is seamlessly routed to the West Coast. And when a domain name server goes down, an alternate server picks up the traffic.
But, says Cain, co-founder of The Cooper Cain Group, it's natural for people planning for disasters to concentrate on the big, dramatic events, like the crash of an airliner into a data center. Meanwhile, lesser but more likely events are ignored. For example, he says, if an organization has some local problem that prevents access by the public to its Web site, that can create a public relations disaster.
"So if you are on the West Coast, maybe you should get a cheap Web host on the East Coast set up as a fail-over site," he says. "But very few companies do that."
Best practice not practiced
In May 2000, in response to a "resurgence in denial-of-service attacks" against Internet targets, the Network Working Group of the Internet Engineering Task Force issued a request for comments (RFC), titled "Network Ingress Filtering: Defeating Denial-of-Service Attacks Which Employ IP Source Address Spoofing."
Behind the complicated title lay a simple idea. A lot of mischief on the Internet, including denial-of-service attacks that flood Web sites, relies on randomly changing forged source addresses. That is, the offending data packets do not contain the real "return address" of the computer that sent them. But through a simple process called network-ingress filtering, Internet service providers could check packets to ensure that they contain valid, legitimately reachable source addresses, says the RFC, which has since been named Best Current Practice 38 (www.armware.dk/RFC/bcp/bcp38.html).
"To what extent have the ISPs implemented that?" asks Steve Crocker, chairman of ICANN's Security and Stability Advisory Council. "The answer is, hardly at all. They said, 'It's expensive, and besides, no one is forcing it on us.' This is something that can and should be done to improve the overall security of the Internet, but it doesn't fit the model of how someone can make more money by selling a new product."
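The source-address check that network-ingress filtering performs, sketched in Python as an added example that is not part of the original article. The interface names, prefix assignments and sample packets are constructed for illustration (the addresses are RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed data: prefixes an ISP has assigned to each customer-facing
# interface. Interface names are hypothetical.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("203.0.113.64/26")],
}

def ingress_permit(interface, src):
    """Return True only if src lies inside a prefix assigned to interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: never forward
    # Unknown interfaces have no assigned prefixes, so everything is dropped.
    return any(addr in net for net in ASSIGNED.get(interface, []))

def filter_packets(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        interface, src, _dst = pkt
        (forwarded if ingress_permit(interface, src) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic arriving at the provider edge.
SAMPLE = [
    ("cust-a", "192.0.2.10",   "198.51.100.7"),  # inside cust-a's /25
    ("cust-a", "203.0.113.70", "198.51.100.7"),  # forged: cust-b's space
    ("cust-a", "10.1.2.3",     "198.51.100.7"),  # forged: private range
    ("cust-b", "203.0.113.70", "192.0.2.10"),    # inside cust-b's /26
    ("cust-b", "192.0.2.200",  "192.0.2.10"),    # forged: not cust-b's space
    ("cust-c", "192.0.2.10",   "198.51.100.7"),  # interface with no prefixes
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    for pkt in drop:
        print("drop", pkt)
    print(len(fwd), "forwarded,", len(drop), "dropped")
```

The same source address (203.0.113.70) is forwarded on one interface and dropped on another: the decision depends on where the packet enters the network, which is why the filter has to sit at the provider edge closest to the sender.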