Avian Flu: the Use of IT to Mitigate a Pandemic and its Effects on Information Security
Frank H. Katz
Armstrong Atlantic State University
Department of Information Technology
11935 Abercorn Street
Savannah, GA 31405
912-344-3192
ABSTRACT
The infrastructure of computer networks in the United States is not only vital to our nation’s economy, but is also a crucial element of our national security. Professionals in the Information Technology community are routinely concerned with the day-to-day threats of viruses and hacks into these networks. However, it is essential that this community take a hard look at the use of these networks with regard to business continuity issues resulting from potential disasters. One such issue that cannot be overlooked is the effect of the often mentioned but seemingly forgotten Avian (H5N1) Flu on the use and security of these networks. From March, 2006 through October, 2006, I was a member of an interdisciplinary committee at Armstrong Atlantic State University (AASU) that analyzed various issues relating to the Avian Flu (also known as the Pandemic Bird Flu). My role was to investigate the effects of this potential disaster on IT, as well as the use of IT to mitigate the effects of a potential pandemic. We presented our findings in a lecture to the AASU community as part of the AASU Faculty Lecture Series on October 20, 2006. This paper describes the results of my subsequent investigation into the possible effects of an Avian Flu epidemic on Information Technology. It attempts to answer the question, “is the IT community prepared for such a pandemic?” In doing so, it describes the need for effective business continuity planning within the IT community in order to mitigate the effects of such a disaster.
Keywords
Information, Information security, Computer security, Internet, networks, risk assessment, pandemic, bird flu, avian flu
1. INTRODUCTION
In 1997 and 1998, the Avian Flu (H5N1 strain, often referred to as Pandemic Flu) was first responsible for infecting people in Hong Kong. By 2003, the World Health Organization (WHO) had identified four confirmed cases and four confirmed deaths as a result of infections from the virus. As the reports of human cases throughout Southeast Asia have increased over the past four years, the potential of an Avian Flu pandemic has increased. Although still mainly limited to Southeast Asia, public health officials in the United States and other countries have been
proactive in planning for a possible disaster. These agencies, in particular the U.S. Centers for Disease Control (CDC) of the U.S. Department of Health and Human Services, and the U.S. Federal Emergency Management Agency (FEMA) of the U.S. Department of Homeland Security (DHS), have encouraged American businesses to plan for the possibility of such a pandemic. The threat to the security of the United States was significant enough that in a speech at the National Institutes of Health (NIH) on November 1, 2005, President Bush “outlined a $7.1 billion strategy to prepare for the danger of a pandemic influenza outbreak.” [10]

Considering that “information security’s primary mission is to ensure that systems and their contents remain the same,” [11] disaster recovery planning is crucial to the security of an organization’s information. This is because the “key emphasis of a Disaster Recovery Plan (DRP) is to reestablish operations at the primary site” of the organization. Business continuity planning (BCP) takes this process one step further. It “prepares an organization to reestablish critical business operations during a disaster that affects operations at the primary site.” [11] Certainly if the primary location cannot be used, this plan must be implemented to prepare for continuing the business somewhere else.
2. PLANNING AND PREPARATION
With the possibility of an outbreak of Avian Flu on the horizon, the CDC has issued numerous documents containing guidelines for American corporations and organizations to plan for and mitigate such an emergency. These guidelines stress the need for the private sector to prepare for, respond to, and recover from a pandemic. Since “the private sector owns and operates over 85 percent of the critical infrastructure in the United States . . . and touches the majority of our population on a daily basis, through employer-employee or customer-vendor relationships, it is essential that the U.S. private sector be engaged in preparedness and response activities for a pandemic.” [9] The planning guidelines include various documents and checklists. As a result, many private sector organizations have begun to make their own preparations for the pandemic.

With Hurricane Rita approaching Houston, entrepreneur Jay Steinfeld, owner of Blinds.com, a company that sells window
treatments, created a 15-page planning document detailing how his company would operate during a natural disaster. His 48 employees were given passwords to access the company network from home and a phone number to find out whose help was needed after the storm, and vendors were given numbers to track production schedule changes. As a result, Blinds.com lost only one and a half days due to the hurricane. And his plan is ready for the next disaster. He stated that “within an hour, we can have the whole company ready to go,” [5] which in the case of pandemic flu, could be the difference between an organization and its employees being able to continue or having to close shop.

The U.S. government has emphasized that “although social distancing is critical for helping to limit the spread of the pandemic, it will be difficult to maintain if people feel that they do not have access to the resources, information, and support systems necessary to keep them safe. A severe pandemic could dramatically reduce the number of available workers and significantly disrupt the movement of people and goods, which could in turn threaten essential services and operations across our Nation.” [9] Given the importance of social distancing, it has been argued that telecommuting or teleworking should be one of the primary elements of an organization’s pandemic flu business continuity plan. Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), told the U.S. House of Representatives in October 2006 that “in addition to a flu pandemic that could last as long as 18 months, teleworking can help the government continue operations in other emergencies.” [3] However, despite the importance of telework in an organization’s business continuity plan, at the time of his testimony, Kurtz stated that the U.S. 
government had “done little to study how a flu pandemic would affect the Internet and systems administrators who keep it running.” [3] In testimony to the same House committee, Scott Kriens, chairman and CEO of networking vendor Juniper Networks, Inc., stated that private business managers were “ahead of government agencies in embracing telework as a way to get optimal performance from their workers.” [3]

In October 2006, prior to that year’s flu season, Scott Adams, CIO of business and technology services of commercial real estate company The Cadillac Fairview Corp. in Toronto, focused on how to “enable its 1,600 employees to work from home.” [1] Adams said that his company had begun to use “MobiKey, a wireless service from Route1, Inc., that allowed end users to use a Universal Serial Bus device for remote computing.” Such a device has two components, one being the MobiKey, a USB device that “turns a home computer into a thin client. The other component is a wireless device service brokered by Route1. While an end user is connected to his office PC through MobiKey, the computing applications and data remain behind the corporate firewall.” [1] In this way, not only were the employees able to work remotely, but by using thin clients, the data remained secure on the corporate servers.

It will take this kind of innovation to enable American businesses and organizations to keep functioning in the face of an Avian Flu epidemic. However, given that according to Greg Garcia, the Department of Homeland Security’s assistant secretary of cybersecurity and communications, “as much as 40 percent of the workforce would be unable to go to work during peak periods of
an outbreak,” [4] one has to ask whether the Internet can handle the increased load resulting from perhaps hundreds of thousands or even millions of American workers connecting to work from their homes.
3. EFFECTS ON THE INTERNET
The biggest concern about using the Internet to mitigate the effect of pandemic flu is that, pounded by overuse, it could just shut down within two to four days of an outbreak. This was a disturbing finding of a simulation held in January 2006 in Davos, Switzerland, by the World Economic Forum and management consulting firm Booz Allen Hamilton, Inc. [12] Their war game’s assumption was that total absentees of 30% to 60% trying to work from home would create a tsunami that would quickly flood the Internet. “We did not assume that the backbone would be gone, but that the edge of the network, where everyone was trying to access their office from home, would be overwhelmed,” stated participant Bill Thoel, vice president of Booz. [12] Another problem would be the absence of maintenance personnel to keep the systems running.

On the other hand, some experts in the U.S. aren’t so sure that the Internet would be rendered unusable. “We don’t believe that the Internet will be compromised in a matter of hours or days,” said Brent Woodworth, worldwide manager for IBM’s Crisis Response Team, because “most traffic is reroutable.” [12] Still, according to Paul Froutan, vice president of research and development at Rackspace Managed Hosting Ltd., the Internet, and especially local area networks, are often looked at as “self-regulating supply-and-demand mechanisms,” [12] in that the more people use the Internet, the slower it will get.

Discussions of how to ensure that the Internet would still function in case of a massive increase in usage from telecommuting workers during an epidemic are already underway. Some options include prioritizing traffic on the Internet, such as blocking or severely limiting video transmissions. According to business continuity planners, businesses as well as home users would first be asked to voluntarily restrict their high-bandwidth usage. If that didn’t work, the government might have to force restrictions. 
“Is there really a need for a You Tube during a national emergency?” asked John Thomas, vice president of a New York-based financial institution. [6]

When looking at the continuance of operations, corporations know that despite the insistence on telecommuting, some employees will still have to come to work in order to keep the systems up. Elizabeth Byrnes, a continuity planner at AT&T Inc., stated that AT&T has identified critical employees who would have to come to the office in a pandemic, but, as she added, “will they come in? I don’t know.” [6]

A pandemic in the U.S. could also lead foreign enemies to believe that we are in a “weakened state,” said George Johnson, chief technology officer of the ESP Group LLC, an application services provider in Arlington, VA. This could result in “heightened risks of cyber attacks,” he warned. Not only that, but increased numbers of teleworkers may also expose networks to attacks, as there would be no way to ensure that each employee met even the minimum standards of computer and information security. [6]
4. THE CURRENT STATUS OF PREPAREDNESS
As recently as January 10, 2008, the leading IT consulting firm Gartner Inc. released a poll of information security and risk management professionals that showed that most business continuity plans could not “withstand a regional disaster because they are built to overcome severe outages lasting only up to seven days.” [2] Gartner analyst Roberta Witty said that the results show that “organizations must ‘mature’ their business continuity and disaster recovery strategies to enable IT operations and staffers to endure outages of at least 30 days.” [2] “Gartner surveyed 359 IT professionals from the U.S., U.K., and Canada during 2007 and nearly 60% said that their business continuity plans are limited to outages of seven days or less.” In addition, the results showed that most of the companies surveyed were focusing on internal IT situations, not regional disasters like epidemics. Witty did say that “companies are starting to take pandemic concerns more seriously . . . as the survey showed that 29% of organizations now have pandemic recovery measures in place, up from just 8% in 2005.” [2]

Given this information, it is necessary to explore the current state of preparedness in the IT community. It can only be surmised that despite efforts to the contrary, concern in the IT community about the threat posed by pandemic flu mirrors that of the U.S. population in general. As Scott McPherson, CIO of the Florida House of Representatives and head of Florida’s CIO pandemic preparedness committee, stated in July 2007, “if you live in Jakarta, this is all you think about. If you live in the United States, all you think about is Paris Hilton.” [7] This attitude is backed up by poll numbers released on July 2, 2007, by Ipsos Public Affairs. In June of 2007, Ipsos conducted an online survey of over 1,400 U.S. residents age 18 and older. 
“When asked about the avian flu, only 27% of the respondents said that they were ‘concerned’, down from 35% in a similar survey” in 2006. [7] It is quite probable that these attitudes exist because the enormity of the risk of pandemic flu may be hard for the average person to comprehend. It’s also likely that as the number of human cases and deaths in the first half of 2007 fell below those in all of 2006, the general public had put the threat of pandemic flu in the back of their mind. [7] Myles Druckman, vice president of medical assistance of International SOS, a health and safety consulting service, stated in November 2007 that “there’s been a bit of what we call pandemic fatigue . . . when it fell out of the media, it also fell out of a lot of clients’ priority lists.” [8] But if that is the case, the state of preparedness, while certainly better than three to four years ago, must be heightened if IT is to cope with the problems caused by an epidemic.
5. CONCLUSIONS
Despite what appears to be a general apathy toward the pandemic flu, IT managers are nonetheless continuing to prepare for the worst. Companies are still creating and testing their plans. At Gartner, Inc.’s data center conference held in Las Vegas in November 2007, “Bob Kallas, director of computer support services at an unnamed company said his firm conducted a test several months ago to see how many workers his company could support remotely. They picked a day and then told several hundred employees to work from home. ‘We want to measure readiness to be able to support the company.’” [8]
If organizations have not yet drawn up disaster recovery and business continuity plans that include preparations for the Avian Flu, they are going to have to do so. Remote use of the Internet from home will have to be an important component of these plans. Organizations that have such plans are going to have to come up with imaginative ideas, as Bob Kallas did, to test their plans and alter them as necessary. They will need to ensure that their employees are protected, their businesses continue to function, and their data is secured.

It will not be enough to count on the Internet to provide a path around potential pandemic flu quarantines. Organizational IT managers will have to provide consistent standards and policies to ensure that the data and information systems of those employees who do their work from home are secured. These standards will have to include password protection and encryption, and protection of data while being stored and in transmission. As previously described, the use of thin clients at home, remotely accessing data protected behind proxy servers and firewalls, will go a long way toward the protection of that data from corruption and breaches of confidentiality. Thin client computers are easier to secure, since the data remains on the server, reducing the threat of theft. They enhance data security because any kind of mishap (or lost computer) will not compromise any data, and are easier to administer because the client is managed entirely at the server.

Despite the advantages of thin client computing, most organizations provide their employees with more robust notebook computers. Consequently, IT managers are going to have to determine whether the need to telecommute in the face of a quarantine from pandemic flu is worth the cost of either replacing existing fat client computers with thin clients or converting them to thin clients by the use of technology such as MobiKey. 
Policies that dictate proper practices in the home workplace cannot just be created; they will have to be enforced, either by automated means or by risking the health of employees to inspect home work settings.

There is no doubt that the Avian Flu represents a serious threat to public health and the security of our nation. At the same time, its effects on the workplace may have a significantly harmful effect on the security of corporate and organizational information. It will take imaginative and well thought-through prior planning and testing by organizational IT and Information Security staffs to ensure their continued functioning during a pandemic while maintaining the availability, authenticity, integrity and confidentiality of their information resources.
6. REFERENCES
[1] Fisher, Sharon, Planning for the flu season – and a possible pandemic, retrieved October 6, 2006 from http://www.networkworld.com/news/2006/100606-planningfor-the-flu-season.html?fsrc=netflash-rss
[2] Fonseca, Brian, Eight-day IT outage would cripple most companies, retrieved January 11, 2008 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056798
[3] Gross, Grant, Tech groups: Teleworking can slow bird flu, retrieved October 4, 2006, from http://www.itworld.com/Tech/2987/060512telework/pfindex.html
[4] Hayes, Heather B., DHS offers advice for ensuring telecom during a pandemic, retrieved January 9, 2008 from http://www.govhealthit.com/online/news/350155-1.html
[5] Pentitila, Chris, How to Prepare for a Pandemic, retrieved October 4, 2006 from http://www.entrepreneur.com/management/insurance/riskmanagement/article160212.html
[6] Thibodeau, Patrick, Flu pandemic could choke Internet, requiring usage restrictions, retrieved February 13, 2007 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011125
[7] Thibodeau, Patrick, Pandemic Planning Not at Fever Pitch, Computerworld, July 16, 2007, p. 14-16
[8] Thibodeau, Patrick, Remember the pandemic threat? (some) IT planners do, retrieved December 4, 2007 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=disaster_recovery&articleId=9049438&taxonomyId=151&intsrc=kc_top
[9] United States Homeland Security Council. July 2007. National Strategy for Pandemic Influenza, Implementation Plan, One Year Summary, p. 21-23
[10] White House Press Release, retrieved February 14, 2007 from http://www.whitehouse.gov/news/releases/2006/12/print/20061218.html
[11] Whitman, M. and Mattord, H. 2005. Principles of Information Security, 2nd ed., p. 226-228. Boston: Thomson Course Technology.
[12] Wood, Lamont, Would the bird flu kill the Internet, too?, retrieved October 4, 2006 from http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleID=9001491