Business continuity in the face of terrorism

Before Richard Clarke published his book, Against All Enemies: Inside America’s War on Terror, and became associated with election year politics, he was a senior security advisor to the White House with expertise in counterterrorism and homeland security. Following Sept. 11, 2001, Clarke met twice with a CIO organization that called itself the Chicago Research Planning Group (CRPG) but has since renamed itself the Security Board.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Return to special report DOWNLOAD PDF Click here to download InfoWorld's special report Hard-won security lessons

This group, it so happened, had been looking at data security and vulnerabilities from the infrastructure on up, inside and outside a company’s four walls, and what the impact of a terrorist attack would be. A copy of the group’s findings document made its way into the hands of the White House. Clarke was dispatched.

According to Security Board Executive Director Richard Arns, Clarke asked the board whether it could map the entire telecommunications infrastructure crisscrossing the United States. Clarke wanted a master database of every piece of fiber in the U.S. so the government and private industry could understand and mitigate the risks of an attack on the telecommunications infrastructure.

It is no secret that, ever since Sept. 11, regulators have been all over banks, demanding resiliency and diversity (or redundancy) in their data networks. For example, the feds told the banks they must be able to recover certain applications within four hours. Unfortunately, no one but the carriers knows the physical route data takes once it leaves a building and heads to a CO (customer office). Each carrier is extremely reluctant to share its piece of the fiber puzzle with anyone else.

So how could anyone create a recovery plan?

If there is a break in Iowa, can the carrier route around it? Probably. But the metropolitan fiber is often aggregated into a few central locations, making it extremely vulnerable to attack.

According to Arns, if bin Laden’s hijackers had flown one of those planes into a certain building less than 20 blocks away from the World Trade Center, telecommunications on the East Coast would have been cut off for months.

The fiber network does have a honeycomb of diversity, says Ken Kouba, CTO at the Security Board, except in an east-west direction.

“There are two bridges over the Mississippi where almost all of the major bandwidth is aggregated,” Kouba told me.

Fiber today follows right-of-ways — waterways, bridges, tunnels, and railroads — which means all the carriers and all the fiber use the same routes. How diverse or redundant could it be?

Telecommunications has been out of the hands of government for so long that regulators just don’t understand the cascading effects of a data outage. Because carriers must pass off the data to other carriers and each keeps a proprietary stranglehold on how data is routed, the current SLAs from the carriers are just about worthless, Kouba says.

The feds are already asking financial institutions to take another look at the SLAs from carriers on their data lines. This request should put some pressure on the carriers. Furthermore, Arns advocates tighter legal parameters, such that carriers are held more accountable for their SLAs.

If companies knew where in the ground the fiber they are leasing was, they could work with the carriers to design alternative routes and be more conscious, in a business continuity sense, of the real risks.