In the Blink of an Eye
What is significant and unusual in this case is that the hackers also destroyed all of the backup copies of the data stored on those servers. To do this, the hackers had to gain access to separate storage devices onto which the customer data should have been copied. As a result, all of the data stored on four machines has probably been permanently and irrevocably lost. According to news reports, this has resulted in 4,800 separate web sites simply disappearing.
Some of those web sites would have belonged to businesses. Almost certainly, some would have been interactive, designed to at least capture information from and about the people who used them. Some may have been live e-commerce sites, processing transactions and taking orders. It is highly likely that all data collected by these websites has been lost.
Just two months ago, in the April 2011 edition of The Infonomics Letter, we discussed the risks of cloud computing in an article titled ‘Rocks Hiding in Clouds’. Companies like Distribute.IT are examples of cloud providers – they provide infrastructure for shared use by other entities on a commercial basis. It is likely that many of the companies that used Distribute.IT facilities would have regarded the company as an arm’s length IT department that should “look after all the IT issues”. Many would have paid no attention to perceived “technical issues” like backup of data.
Now they have paid the price for failing to understand that users of information technology have significant responsibilities that are separate from those of the suppliers of information technology. The emergence of cloud computing, in all its diverse forms, has brought this into stark relief.
The possibility of a legal remedy would be cold comfort to those businesses that have been severely damaged by the breach of Distribute.IT’s security. At best, obtaining compensation will be a tedious affair. In all likelihood, the company won’t have any significant realisable assets: partly because the cost of establishing a hosting service is not all that great, with the probability that most of the equipment would have been subject to finance, and partly because the loss of customers and the loss of reputation will have very quickly rendered the business unviable. In actual fact, a commercial transaction has already been completed, with another hosting provider taking over the assets of Distribute.IT and leaving the husk in the care of its owners and directors to deal with the aftermath of the hacking event.
As with most cases of loss and damage, the old proverb “an ounce of prevention is worth a pound of cure” is highly applicable. Those who used the Distribute.IT service should have taken steps to ensure that their business was adequately protected against the things that might have been reasonably identified as risk. The six principles in ISO 38500 serve as a framework for discussion.
Responsibility: Just who was responsible for what in the commercial arrangements that existed between Distribute.IT and its customers? Clearly, the company provided infrastructure and it should have provided an adequate security shell around that infrastructure. Perhaps it was required as part of its service to make backup copies of customer data – but what exactly were its obligations in this regard? Was it also responsible for ensuring that backups were retained on media that is physically removed from the network and impossible to access?
Regardless of what responsibility was assigned to Distribute.IT, what responsibility did the owners of affected businesses have for safeguarding their data, and where applicable, the data of others who were using their websites? Would it not have been prudent for them to assume at least a responsibility for ensuring that the data was safe from loss, harm and exposure? Contemporary best practice in information management is strongly oriented to responsibility for the data being first on the shoulders of those who are its owners and custodians, with a lesser responsibility being imposed on those who operate the infrastructure.
Strategy: According to ISO 38500, the plans for IT must serve the needs of the business, while the plans for the business take into account the current and future capabilities of IT. In an arm’s length supply context, the plans for Distribute.IT’s technology should have met the reasonable needs of its customers, and that should have included an effective and secure approach to backup. However, the businesses that used the Distribute.IT service should also have been aware that most forms of cloud computing are immature, lacking standards, key disciplines and controls. They should have planned for the possibility that Distribute.IT might fail, leaving them with no infrastructure service and no access to their data.
Acquisition: The decision to use an external provider to host a web site is one of acquisition, and carries the expectation that the buyer will make the decision “for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making, and with appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term” (ISO 38500). No doubt, the choice of an external provider is a completely legitimate choice in many cases today – as long as the purchaser understands that the balance between benefits, opportunities, costs, and risks will be completely different to an in-house supply arrangement. The crucial question that comes from the Distribute.IT case is: “Do the increased flexibility and convenience, combined with the reduced cost, offset the risk of reduced control and the risk of inadequate practices on the part of the supplier?”
How many organisations blindly choose an external supplier purely on the basis of price, with no consideration of the other matters highlighted by the ISO 38500 Acquisition Principle?
Performance: How does a buyer of a commercial product ensure that it performs well, whenever required? In a retail context, we have extensive legal and regulatory frameworks that ensure the quality of products and services. We cannot buy cars that do not comply with strict design rules, because manufacturers are not allowed to sell them. Financial services, telephone and electricity services, health services and many more are strictly controlled. Many contemporary services may only be provided by properly trained and licensed individuals, and many professional occupations carry an obligation to be a continuing member of an appropriate professional body.
When there is an absence of such legal, regulatory and professional control, buyers of products and services take a risk that performance may not measure up to reasonable expectation, and must manage that risk. Until relatively recently, most users of IT managed the risk by directly controlling the infrastructure and environment. They put in place management systems comprising skilled personnel, processes, tools, structure and rules through which they derived reasonable satisfaction that their IT would perform as required. Now, part of the business case for cloud computing seems to be the avoidance of these overheads. The trouble is that removing the need for the buyer to implement these management systems is not necessarily matched by an obligation on the part of the provider to implement corresponding management systems. As we have seen in the case of customers of Distribute.IT, the absence of adequate management systems on both user and supplier sides results in tragic consequences.
There is a clear imperative here. For cloud computing to achieve maturity, it is necessary that an appropriate framework of controls, qualifications and independent assurance be put in place that gives buyers of services reasonable assurance on the quality, reliability and performance of the product they have purchased.
Conformance: Clear, unambiguous rules are an essential part of everyday life, as are the means of educating people about the rules, and ensuring conformance to the rules. Of course, it is also important that the rules should be necessary and appropriate, and that the sanctions for non-conformance should be appropriate.
As information technology infrastructure approaches the status of ubiquitous commodity, there will need to be rules that apply to that commodity. Such rules and conformance mechanisms will be an integral part of the regime through which buyers of IT services will be assured of quality and performance.
Many of the rules for IT already exist, though they lack an effective regime in which conformance can be reasonably assured. In many cases, however, the rules do not exist as a formal and universal mandate. Rather, they exist as the internal policies and controls of individual organisations, backed up by an extensive body of formal and informal knowledge. One topic for which many organisations with long-standing IT environments have rules is the protection and preservation of data. The rules for backup and archival retention of data are in many cases underpinned by legal obligations, but are also often left entirely to the IT department, because backup and archival are perceived to be “technical tasks”.
Until there is an adequate regime of regulation and oversight for cloud computing, at least on a par with electricity and telecommunications, and preferably with the controls that apply to banking and finance (information should be regarded as, and sometimes IS, money), there remains a need for buyers of services to verify that the capabilities, controls and safeguards they require are written into enforceable contracts, with a right of proactive verification as well as substantial remedies in the case of non-conformance. If this is not possible, the buyers will need to ensure that they put in place their own arrangements to afford the protection they require.
Human Behaviour: There are several aspects of human behaviour that contributed to the loss experienced through the hacking of Distribute.IT. The buyers of the Distribute.IT service were arguably too trusting and complacent – either not knowing how much risk was attached to their purchase, or simply expecting the supplier to completely manage that risk. The operators of the Distribute.IT business may have lacked the interest and motivation to provide effective security, and they may not have thought through the potential risk of leaving backup devices permanently attached to the network. They may have had unreasonably high expectations of their customers’ skill and understanding. They may have been reluctant to invest in what may have been a marginal business, or they may have been reluctant to spend in the hope of making a killing in an emerging market. They may have held supreme belief in their own skills, unable to recognise the possibility that their hidden opponents might have deeper skills.
But perhaps the biggest human behaviour issue that we should attach to this incident is the one linked to how we deal with the criminal act that has been perpetrated. This incident once again reminds us that not all people are committed to the well-being of others. There are many who have the technical expertise to break into computer networks and damage them, and regrettably many of them lack the moral integrity that directs them away from using their talents in a harmful way.
When people act with malicious intent and destroy or damage or deny access to or otherwise inappropriately deal with valuable property, our legal system provides for those people to be brought to justice and face the consequences of their crimes. However, the information age brings two problems of human behaviour that we must solve as we face the increasing prevalence of crimes against information. The first is the problem of presence. The second is the problem of value.
The problem of presence arises because, unlike most cases of criminal damage to a person or property where the perpetrator needs to be physically present for the crime to occur and there is thus clarity of jurisdiction, in a crime against information, the perpetrator needs only a communications network and can be physically far away – out of physical and legal reach. There needs to be a concerted international effort to develop a framework in which the perpetrators of crime against information can be brought to justice as would be the case for crimes against persons and physical property.
The problem of value comes into focus when we consider the disparity in consequences handed down by some courts for crimes against information compared to those applying to crimes against property. There seems to be a tendency of the learned persons who adjudicate in the courts to regard a crime that damages information as being of lesser impact and consequence than a crime that damages property. We need, with considerable urgency, to develop a new paradigm in which prosecutors and judges fully understand the financial impact that goes with a crime against information.
You can read the June 2011 Newsletter here – http://www.infonomics.com.au/Web%20Content/Documents/The_Infonomics_Letter_April_2011.pdf