Dateline: Friday, Nov. 7, 2024: It’s rather cold this morning, when John Smith arrives at the control center of Nebulous Inc., one of the five companies delivering cloud services to the world. He has to resume his post as chief operator for the huge environment buzzing with data and services from companies all over the globe. Nebulous was created in 2017 when the service provider market started to concentrate and large enterprises finally embraced what was then known as “public cloud.” The need for extremely low cost and global reach resulted in the merger of the largest environments with key global network providers. The result was five companies delivering capacity and services to the world, to enterprises and consumers alike. Information Technology had truly become a commodity in the same way as water and electricity. People no longer cared about the technology, just about the service delivered.
In 2019 the United Nations developed the global information protection act, removing the last barrier to free storage and movement of information anywhere in the world. That resulted in the disappearance of the last enterprise datacenters. Through a variety of tools, including smartphones, tablets, intelligent TVs, cars and many other devices, people have access to the power of the cloud anywhere around the globe. Libraries, pictures, music, films, everything is maintained in this web of technology. Most of the datacenters are located either underground in the desert, powered by solar farms, at sea, powered by waves, or in the far north, powered by wind, but they are managed by key centers located across the globe.
John enters the facilities and gets his eyes scanned for authentication. The control room is calm, operators are supervising screens and workloads are reasonably low as usual towards the middle of the month. He sits down behind his desk and asks for his mail that flashes up on his screen. It looks like there is nothing special, the usual routine. It will be another calm day. John is thinking about this evening, when he’ll go out with friends.
He goes on and starts his daily work. About one hour later, from the corner of his eye, he suddenly sees a small red area appearing on the big screen showing the location of the company’s datacenters around the globe. What’s that? One of the interconnection points with CGC (Celeste Global Cloud) announces that the interconnection no longer responds. Strange, that never happened before to John’s knowledge, but let’s not worry, he thinks, other interconnections will take over the traffic. Maybe they have an outage in a datacenter, that’s routine. Five minutes later, a second reports a similar issue, and then a third. John tries contacting his counterpart at CGC, but draws a blank screen. No contact, what the heck is happening?
Then, the same thing happens with an interconnection with Money ltd., the cloud managing most of the financial transactions. Again, John tries contacting them and draws a blank. Something serious is happening. Piet, the head security guy on duty, rushes over and tells John the intrusion detection software is announcing attacks in several places around the world and they seem to emanate from both Money and CSC. His staff is trying to contain them to keep the service running, but if the frequency increases they may have to shut down the service. John cannot take that responsibility. By now, he is sweating heavily. What should he do? This is serious.
Suddenly a high-priority message appears on his screen. It reads: “The Bit Liberation Movement has taken over control of CSC, Money and Stardust and is shutting them down to stop the capitalist use of information technology. The United Nations needs to agree a list of demands before they release the information flows. Nebulous should be used for governmental agencies to gain an agreement with the Bit Liberation Movement while D&D (Dupont & Dupond) will manage the information of the public. Any attempt by Nebulous and D&D to perform other tasks will have major implications.”
Wow, how could that happen? Before he has time to come to a conclusion, his screen blinks again and one of his contacts at CSC appears. Behind him is a flag of the Bit Liberation Army. He says: “Hey John, you will hand us over all controls of Nebulous, or we blow out the service. Ask Piet to open up the security gates. A member of our team will be in your offices in five minutes and tell you what to do.”
What the story teaches us
Let’s leave fiction here. This is obviously just a catastrophe scenario. But it teaches us a couple of things. Information is the backbone of most economic transactions these days. And most information is going digital, which means it travels through networks managed by a small number of companies. As clouds consolidate, the information is concentrated. Companies are very good at securing their environments from external attacks, but what about attacks coming from the inside? As the backbone environments of information technology are concentrated, shouldn’t we take precautions? This spring, Amazon had a four-day outage that affected many companies because of a human error. What could have happened if somebody intentionally wanted to harm the environment? Shouldn’t we, as the Cloud Security Alliance suggests, perform background checks on the operations staff? Shouldn’t we put controls in place to ensure one person or a small group cannot bring the environment to a halt? As we centralize our information technology, we concentrate the information lifeblood of the world. And this requires protection in the same way as our electricity grid and our water supplies. Who is looking at that?
What do you think about the possible future scenario I postulate in this blog entry?