Going Dark, Quietly

This blog explores the almost unthinkable, that is going offline, dropping the internet or quite simply going dark. This dark trend is happening and organizations are keeping quiet about it. This article explores five reasons that organizations are going dark.

There are two inspirations behind this blog: Firstly I keep running across organizations and they are quietly telling me they are going dark. The second is the fiction story: Ghost Fleet: A Novel of the Next World War, a key element in the story was compromised computer chips.

Those involved in the cloud may not like this blog, but I feel this story has to be shared and discussed. Remember that going dark can be only part of the solution and large parts or the organization can operate outside of the super secure environment.
Security Primer
Understanding security is an extremely complex and highly specialized area; it is worth taking a little time to establish a framework for thinking about security matters. There are three essential aspects of security: cost, hardness and monitoring systems. Cost is the amount of money the attacker is prepared to spend to gain information, hardness is the firewall and other internal protections in place and monitoring systems involve active counter-intelligence activities.

Security Primer: Cost
When thinking about security systems and serious hacking attempts, the amount of effort involved can be enormous. In other words, the cost of the attack is a very important factor. Consider the example of the recent attack on Home Depot. If the hackers were offshore and used purely computer methods to carry out the attack, then the cost could be considered to be low. On the other hand, an extremely well-funded attack could involve multiple aspects, including bribery, human spies and even physical network attacks.

Security Primer: Hardness
Firewalls and external protections are just the start. Real security extends to password policies, physical network controls and, most importantly, the strength of the network once physically inside the network. A simple analogy to use here is to think of a firewall as a shell on an egg; it’s hard on the surface, and the hardness extends to how hard boiled the egg is inside.

A hardened network functions in similar ways inside and outside the network, meaning that penetration of the network provides very little access to resources. In the example of the retail systems that were hacked, it seems like once inside the network, the hackers were able to move to very soft targets within the network (in this case, the point of sale devices).

Going Dark: Reason Number One, Job Security

The consequences of hacking are an immediate loss of jobs, often of senior executives. Look at the senior executives of Target, Home Depot and Sands. Quite simply when the hacking hits the fan, the executives are often forced out. Target CEO, Steinhafel, had 35 years with the brand and in all likelihood had very little knowledge of security layer, yet he and many of his executives lost their positions[1]. Read http://www.latimes.com/business/la-fi-target-ceo-20140506-story.html for more specifics.
In short: Being hacked will cost you your job and maybe your career.

Going Dark: Reason Number Two, It is Understandable

Cyber security is extremely specialized and it is nearly impossible for non technical executives to understand the limitations and controls on security. Considering the example of Target CEO, Steinhafel, if he had been presented with the going dark option and had the benefit of foresight, he would have been able to understand the operational impacts and put in place management practices to handle this move.

In short: If you cannot understand it, you cannot manage it.

Going Dark: Reason Number Three, Global Hackers

Governments are busy hacking, corporations are hacking, kids in Kenya are hacking. Quite simply the act of plugging in opens the organization up to the entire world. In this global world the normal laws simply do not apply, it is the wild frontier and in this wild frontier hackers roam free from the impacts of the law.

In short: There seems to be little legal consequence for hackers.

Going Dark: Reason Number Four, The Value

Consider the example of a large manufacturer such as Boeing, the stakes of industrial espionage are huge. The contracts are worth billions and inside information could be the lever that wins or loses the deal. Leaving aside the technical industrial espionage, consider the example of a hacker having access to all the sales pricing discussions. This information could be used to dramatic effect in the competitive bids with Airbus.

In short: The value of the information is enormous.

Going Dark: Reason Number Five, Lines of Code

Our businesses are accumulating systems to run nearly every aspect of the business, from the air conditioning to the email, from the financials to the operations, these systems are built using millions of lines of code. Furthermore these systems run on hardware full of chips that contain even more millions of lines of code (there is a great novel about this called the Ghost Fleet by P.W. Singer). Can you account for and trust every chip, every line of code in every system? If not they you have good reason to consider going dark.

In short: Can you trust every line of code in your business systems?

[1] http://fortune.com/2014/10/29/home-depot-cybersecurity-reputation-frank-blake/http://www.gambling911.com/gambling-news/sands-casino-bethlehem-ceo-resigns-following-hacking-022714.html