This week has seen Iran accused of both masterminding cyber attacks on Bank of America and JPMorgan Chase in response to tightening economic sanctions, and inciting Hezbollah to escalate attacks on US assets and embassies across the Middle East and North Africa as a (thinly veiled) response to the ‘Innocence of Muslims’ YouTube trailer. In July there were cyber attacks on the infrastructure of energy giants Saudi Aramco and Rasgas led by a hacker group calling themselves ‘the cutting sword of justice’ and claiming the action as retribution for Saudi Arabian and Qatari actions in Syria and Bahrain. Attacks against leading businesses of these Sunni states are a good indication as to the heritage of the attackers.
As the potential for conflict with Iran increases, corporate risk and security teams must be asking ‘what next?’ At what point will government-sponsored cyber attacks on IT assets be synchronised with physical attacks on real estate through proxies and terrorist organisations? Historically, terrorists have focused on achieving specific political objectives by disrupting ‘everyday life’ in major centres of population or in economically important locations. Increasingly, however, terrorist organisations are the proxies of powerful emerging states that act as directed. ‘Everyday life’ is also changing. Our dependence on centralised IT infrastructure increases almost daily: global economic assets move into virtual liquidity centres; digital platforms form the backbone of the global supply chain; digital media has the ability to disseminate information, effect huge change, and to outrage; outages in Data Centre assets (e.g. RIM) become more ‘visible’ and ‘tangible’ in the public consciousness. Any terrorist that has read a national newspaper could assemble these basic facts.
Data Centres tend to cluster into small areas of important cities and economic zones. Clustering occurs because of common location requirements: access to land, access to power, accessibility, proximity to clients, physical/topographical attributes and so on. Often there are little more than a few hundred metres of physical separation between the facilities of major financial services firms, colocation providers, telcos and online services companies. A detonation in one or more of these high-tech zones, combined with a concerted cyber attack on financial institutions, telcos, defence/police HQs, and media channels, could have catastrophic consequences. For many organisations the implementation of DR and BCP plans might be severely compromised.
We might reasonably expect that state-sponsored physical attacks in Europe or the US would be directed towards more obvious targets. In recent years intelligence agencies have been successful in limiting the frequency and scale of terror-related incidents. At the same time we must understand the geopolitical context of state-sponsored terrorism and the willingness of some governments to attack the global economy in its broadest possible context. Data Centre assets in the EU and US may not be at immediate risk, but who can tell about the future? Edge assets in the Middle East and North Africa must now be assumed to be at immediate risk.
The next generation of IT Risk and Security functions and Business Continuity Plans must account for a wider range of possibilities. We should expect to see:
- Large corporates establishing cyber Intelligence Units (individually or collectively);
- Increased investments in cyber security and security operations centres;
- Intelligence agencies with increased interest in Data Centre assets and concatenated economic risks associated with their proximity;
- A greater focus on the physical hardening of Data Centre assets and shared intelligence between Data Centre operators in high-tech zones;
- Increased uptake of co-location space in order to diversify physical risks;
- Business Continuity that caters for the ‘what if, after the what if’ and with more closely integrated execution plans that are aligned with customers, partners, and vendors;
- Consolidation of application assets out of the Middle East and Africa and towards ‘safer’ jurisdictions.