Cyber intrusion or IT single point of failure?
August 2017 | EXPERT BRIEFING | RISK MANAGEMENT
Whether directed at governments or businesses, there are headlines about cyber intrusions virtually every day. Rather than publicly admit the cyber intrusion, victimised companies often claim that the Information Technology (IT) data centre actually stopped working because one component failed – a condition known as a ‘single point of failure’. Why cyber intrusion and not attack?
According to the US Federal Bureau of Investigation (FBI), the average time between the commencement of a cyber intrusion and its detection is eight months, with the critical damage usually going undetected during that period. Here is an example of a ‘single point of failure’ that did not pass the smell test. In May of 2017, British Airways (BA) had an IT data centre outage of some sort which stranded more than 75,000 passengers. A couple of days later, BA blamed the failure on loss of electricity. However, from an IT operational standpoint, the likelihood of such an incident being based on a single point of failure such as a loss of electricity is very unlikely. All major IT data centres have uninterruptible power supplies (UPS) – large battery banks that switch over when a power failure is detected. Most use diesel generators to keep the batteries charged. So did BA fail to design and construct its networks in a resilient manner or was it the victim of a cyber-intrusion? The latter seems far more likely.
United Parcel Service (UPS) IT data centres
Here is an example of just how important a UPS is for IT data centres. A few years ago, we got a tour of the United Parcel Service (UPS) data centre in New Jersey. The enormous New Jersey IT data centre included more than 500 servers and 10 mainframes (think huge IBM computers), and the backup IT data centre in Georgia also had 500 servers and 10 mainframes. The New Jersey IT data centre was controlled by IT managers in Georgia and the Georgia IT data centre was controlled by IT managers in New Jersey. Each IT data centre had a mirror image of the other – that way, UPS could never lose data.
UPS’s IT data centres do not have a single point of failure, since the New Jersey and Georgia IT data centres mirror one another. This is a very common means for large IT data centres to avoid shutdowns. Additionally, both the New Jersey IT data centre and the Georgia IT data centre each had eight diesel generators housed in separate, fireproof rooms. At every moment at least two diesel engines were running, so there was 24-hour power in case the power to each IT data centre was lost.
BA’s IT data centres
Given what UPS does to protect its IT data centres to avoid single points of failure, you can be certain that BA has, or should have, adequate mirror redundancy to avoid this possibility. Hence, the story told by BA is highly unlikely. The US Federal Aviation Administration (FAA) has relied upon the Radio Technical Commission for Aeronautics (RTCA) to investigate cyber security and concluded that cyber criminals direct attacks at airlines to get passenger data. This should not come as much of a surprise, but BA clearly does not want that narrative.
How did we get here?
Before the internet took off in 1995 (thanks to Tim Berners-Lee, Netscape and Microsoft) the conventional wisdom from international police agencies was that only about 10 percent of computer crime is ever reported. Of course, the reason for the failure to report computer crime was that businesses did not want to admit they had been hacked and risk the disastrous public relations fallout that would inevitably follow. If there was a computerised bank heist, the bank may not want to let the public know because it might lead to a lack of consumer confidence; hence, the bank might report to banking regulators that a disk drive failed and it lost €10m rather than admit it was stolen.
The most recent reports from international police agencies is that reporting internet crime is now up to a whopping 18 percent (a slow crawl from 10 percent before 1995.) But the end result is the same: businesses do not want the negative publicity. Large consumer stores like Target, Neiman Marcus, and dozens of other consumer websites have had serious cyber intrusions in recent years and the adverse public perception in each of these cases was palpable.
Cyber crime is a business
Cyber crime is front page news every day and all businesses and governments around the world are targets. To demonstrate how structured cyber crime is today, anybody can buy crimeware as a service (CaaS). It is part of the dark web and as a result all businesses have to build better IT security and avoid these single points of failure. Examples of CaaS include ransomware as a service, phishing as a service and backdoor as a service. So it is critical that all businesses and governments step up their security to protect themselves.
Peter Vogel is a partner and Eric Levy and Eddie Block are senior attorneys at Gardere Wynne Sewell LLP. Mr Vogel can be contacted on +1 (214) 999 4422 or by email: firstname.lastname@example.org. Mr Levy can be contacted on +1 (214) 999 4918 or by email: email@example.com. Mr Block can be contacted on +1 (512) 542 7052 or by email: firstname.lastname@example.org.
© Financier Worldwide
Peter Vogel, Eric Levy and Eddie Block
Gardere Wynne Sewell LLP