It is unfortunately a regular part of life today that websites can go down – so much so that there are now services that track whether a website or Internet Service Provider (ISP) is down. Much of the time this is due to a technical problem at a localized level, but in some cases outages impact an entire region, such as when a severed fiber optic cable disrupted Internet access in December for parts of Eastern Europe, Iran and Turkey.
That recent outage rendered Google and its services unavailable to users in the region for a mere 30 minutes – a perhaps typical timeframe for an unintentional outage. In other cases – including Iran today – countries limit Internet access to control the flow of information, as Egypt did during the 2011 Arab Spring demonstrations.
Then there is the issue of whether a service should be shut down if there is a legitimate and imminent threat. A cyber attack today could impact critical infrastructure and seriously cripple a government’s ability to communicate. This was seen in recent years in the ransomware attacks on such cities as Baltimore and Atlanta. While critical infrastructure, including the electrical grid, wasn’t impacted, in both cases EMS and payroll systems were affected for extended periods of time.
The question is, what should an IT team do if they expect such an attack? Is shutting down servers, blocking access, and closing ports really an option?
“It is a curious question, and something that has not come up yet,” explained Sasha Romanosky, Ph.D., policy researcher at the RAND Corporation.
“It isn’t entirely clear what can be ‘shut down’ when we’re talking about network systems,” Romanosky admitted to ClearanceJobs. “Is this a case of sending people home while turning off the web servers or something more extreme?”
The Complexity of Networks
Even during the terrorist attacks of 9/11, shutting down servers would have been a complex ordeal. Today there are multiple systems of computer networks, including cloud storage.
“The modern web services have so many different layers between the user and the data that it isn’t just flipping a switch,” said Romanosky. “There are routers, load balancers, multiple connection ports and then you get to the web servers, but the actual data could be on other servers. Shutting down doesn’t make sense.”
For a business, the better solution may be to prepare for an attack and then have a recovery plan in place, should some sort of attack occur.
“Any organization with sensitive or critical data should constantly be fearful of security threats,” suggested Jim McGregor, founder and principal analyst at TIRIAS Research.
“As a result, they should be constantly upgrading and maintaining their security platform,” McGregor told ClearanceJobs. “Eventually, AI will improve security and reduce the threats, but never eliminate them.”
Shutting It Down
There have been cases where governments have shut down Internet access, but even in those extreme cases, that doesn’t mean all services were shut down. The connected world of 2020 is very different, and exponentially more complex, than that of even just 2001.
“In nation state attacks I could see that by disconnecting you can reduce the ability for someone to attack you,” said Romanosky. “That could include no public facing IP address and no access, and perhaps that could protect the servers and data, but that is something extremely monumental.”
Such a drastic move could still allow the government to conduct business via an intranet.
“You could drop traffic off the ISP, and those with internal access could still conduct normal business,” added Romanosky. “The Department of Defense (DoD) relies on systems that could do just this, so I suppose it isn’t the craziest thing to do.”
However, even with only internal access it remains a network, and all it takes is for one point to be breached externally; in such an instance, the network might as well have remained online.
This is why shutting down doesn’t really make sense in most situations. It locks out those who might need access during a crisis, and unless literally every system is switched off, there remains the chance that a rogue actor could find a way to access the information.
“In business recovery and continuity it isn’t about limited access, but it is about mirroring the data and services to another area, much like backing up your data,” explained Romanosky. “That is generally considered a best practice.”
Balkanization of the Internet
The Internet is anything but compartmentalized today, even if more and more content is hosted in the cloud, simply because it is so interconnected.
“At the other extreme we hear about Russia’s Balkanization of their Internet and how it could be separate and not connected to the rest of the world,” said Romanosky. “That requires big muscle movements. Moreover, in countries where the Internet is more managed by the government or dictator it would be possible to shut part of it down. We’ve seen countries do this in times of civil unrest.”
Whether it’s a government trying to keep information out, or a company trying to protect the information within, it’s clear protecting IT isn’t as simple as just shutting a system off. A government agency that opts to shut down one system could impact related systems in ways that might not have been foreseen.
“As to when you should ‘pull the plug’ – that is a difficult decision and I don’t think there is a clear answer,” added McGregor. “If there is that great of a concern, then the system probably already has a full backup and contingency plans.”