BP has had another agonizing failure as it tries to stop the massive oil deep under the Gulf of Mexico. The President, meanwhile, is taking heat for the disaster and his apparent paralysis in the face of crisis. The consequences of the spill are devastating, and compensation is well beyond the resources of BP, even if the whole company is seized. The crisis deserves to be the proper focus for every resource the President can bring to bear. The problem is that, while he’s got resources, none of them really know enough about BP’s business to do anything useful.
So all the President can really offer BP is cheerleading, coffee, and veiled threats of indictment.
If that sounds like schadenfreude, that’s not my intent. Rather, the BP crisis is giving me a sense of what cyberwar will be like. If it happens, and I think that’s likely, it will be pretty ugly. As I say in Skating on Stilts,
“It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing: Attacked at home and forced to give up cherished principles or loyal allies to save ourselves.”
Hostile nations are probably already seeding our privately owned infrastructure with logic bombs and malware designed to shut down critical services — power, telecom, Internet, banks, water and sewage. Each private company has a private, and unique, network design. Each private company has a private, and unique, set of defenses and recovery plans.
So when an attack occurs, if it’s successful, some of those defenses will fail. Some citizens will spend days, weeks, maybe months, without power or phones or water or access to their bank. We’ll be at war, under attack, hurting. We’ll look to the Commander in Chief.
And he’ll look pretty much the way President Obama does today.
He won’t be able to send troops to protect, say, Verizon’s network. His troops mostly don’t have the skills, and if they do have the skills, they don’t know the network. Even if a company has screwed up badly, failing to adopt basic backup and malware protections, he’ll have to defer to the idiots who got us into the mess until they find a way to get us out.
Of course, by the time they do, the war may be more or less over.
So, if we expect a replay of the BP experience in the event of cyberwar, can we learn something from the current experience? Maybe. Here are a few ideas that occur to me. First, it’s often the case that private companies can quite confidently get us into trouble that they then can’t fix; when that’s true, we ought to be very dubious about their confident assertions that regulation is excessive or unneeded.
Second, the government needs to be much more involved in understanding the problems that companies may face in the event of a surprising crisis — as well as the solutions. Maybe that means insisting on seeing their crisis response plans — and evaluating and testing them. Or having a corps of private, public, or half-of-each (think Marine Corps Reserve) experts who actually can supplement company resources capably in a crisis.
Finally, perhaps we should be developing well-protected, cyberstupid government networks that can be used for critical private functions in a crisis.
As the BP tragedy plays out, I hope we’ll learn more. Americans will forgive the President for being surprised and helpless this time, I think. But not the next time.
Or we could say what the hell, trust the industry reps, and keep going pretty much the way we’re going now.
Then, all we’ll need when war comes is a warehouse full of pom-poms and coffee beans.
(The lawyers, at least, we don’t need to stockpile.)