How long to recover: How long it takes organizations to bounce back depends on how serious they were about disaster recovery before hell broke loose. Backup power generators, fuel supplies, alternative work facilities, redundant data centers in multiple locations, and a well-rehearsed plan for making it all work together are the key elements to disaster recovery, says Richard Rees, security solution director for disaster recovery and business continuity specialists
Fortunately for our scenario, the financial sector is better prepared than most, says Rees.
"The best recent example are the financial institutions after 9/11," he says. "They had solid disaster recovery plans, they'd invested in their infrastructure and rigorously tested it, they knew what to do. They were back and open for business within three days. Their results were dramatically different than other organizations who'd tested their plans maybe once or twice. They could be out of commission for up to six months. There aren't too many businesses who can really withstand that."
Likelihood: Higher than you might think. You can buy a small EMP device over the Internet or download plans for building your own, says Nordling, who says he's been approached by a number of companies who believe they've already suffered an attack.
"There's a tremendous proliferation of information about EMP devices and the barriers to entry are extremely low," he says. "It's not just a tool for terrorists -- it could be disgruntled employees, criminals, extremists, competitors, or college kids who want to build one simply for the heck of it. From talking with members of Congress, they believe an EMP attack will happen. It's not a question of if, but when."
How to avoid this: One option is to install welded-steel shielding on all six sides of any room containing critical electronics, and put filters on all power and communications lines to siphon off high-frequency radio signals. A less costly option is to put your critical systems into a modular data center that's protected against EMP attacks, which you can fail over to when needed. Emprimus Director of Security Jim Danburg adds that some, but not all, Wall Street institutions are already protected.
Tech doomsday scenario No. 3: Google is gone
News flash: Visitors to Google.com were stunned when the world's dominant Web site returned a "404 Not Found" error for tens of millions of Web searchers. All Google services -- Gmail, Google Docs, AdSense - were inaccessible for periods ranging from hours to days, depending on users' locations.
Google has so insinuated itself into our lives it seems almost unthinkable that we might have to live without it. Experts consulted for this story agreed that to take down a company as mighty and well fortified would require someone on the inside -- not necessarily a malicious Google employee, just a stupid one (if such beings exist) with the right admin privileges.
It's not entirely unfeasible. Last December, attackers tricked Google employees to visit a malicious Web site, which then exploited a vulnerability inside Internet Explorer to install an encrypted backdoor into the Google network. From there they accessed the Gmail accounts of Chinese dissidents.
In our doomsday scenario, a Google employee merely installs a rogue application on the network that allows external attackers -- say, an unfriendly nation state with a grudge -- to slip behind the company firewall.