Telework key to surviving security disaster, expert says

THE MERGING PHYSICAL-CYBER THREAT The series: The threat with the most disaster potential Why the catastrophic cyberattack may never come Who best to avert a disaster? Home is where the heart (and disaster back-up plan) is Cybersecurity czar: DHS overhaul will improve preparedness

You've advocated teleworking as a way to stay running in the face of a disaster. How would it help?

Kurtz: The attacks on the London transportation system this summer showed we need to think about our working environment. We need to plan for disasters of different types. It could be a natural disaster or the threat of a terrorist attack where you have an unwillingness of people to move if needed and you have a situation where people can't get to work. But our IT infrastructure gives us the ability to be far more resilient and live and plan in an environment where we can reconstitute ourselves in an attack.

The idea is that in the event of a disaster, or even the threat of one, you don't have to bring everything to a screeching halt. With telework, you can keep business flowing before, during and after an incident because you're not shutting everything down during a threat to move people around. After the London bombings, there was the problem of people getting to their physical work locations with the underground shut down. The vulnerability is that people can't get to their job. What if something happened and it became very difficult for people to get into Washington D.C.?

There is a growing trend in the private sector where more people are working from home. How receptive has the government sector been to the concept?

Kurtz: The financial sector takes the issue of continuity very seriously, with backup facilities and looking at which people could work from home. The federal government hasn't thought these things through as clearly as it could, though. It has as far as where you deploy people and who takes charge in a disaster, but the IT resource hasn't been understood as well. There's not necessarily an incentive for agencies to look at telework as an option. They've focused on how to do it, but only within their own four walls. There's not as much thought on how to do things in an interconnected society. There's no immediate return, no immediate reward for promoting telework.

Do people take more of an interest when the potential economic benefits are weighed?

Kurtz: Well, we've tried to also talk about how teleworking can lower overhead and real estate costs in the long run. It must be seen as more than just an issue of continuity. But the hook the government must really latch on to is how telework will really help in terms of continuity, especially Washington, New York and other places where there are major federal processing centers.

This seems geared toward continuity in a physical disaster. Wouldn't teleworkers be out of commission if the disaster were Internet-based?

Kurtz: People often use the doomsday cyberattack scenario -- the major Internet meltdown -- to get organizations to take security more seriously. I would certainly not set aside the idea of a major attack or disruption targeting the Internet. But I see a larger resiliency with the Internet and its ability to operate. I think if enterprises take steps to improve their own security, that'll reduce the likelihood of a widespread outage. The private sector needs to do as much as it can with Internet security for its own reasons. And the federal government needs to provide that incentive. The government needs to say, what would you do if a major disruption happened?

You said you wouldn't set aside the possibility of a major attack or disruption to the Internet. What kind of scenario worries you most? Kurtz: One of the things I worry about is data integrity. What happens when you have the information, but it's been corrupted? Maybe the decimal point is out of whack and the number is off. When we think of a major cyberattack, the big worry is whether the information is right. My big concern is an attack where information is available, sites are running but the data has been manipulated and made wrong. The big risk is one of confidence; that this happens and in the future there is no longer the same amount of confidence in the information you get online. The insider threat certainly comes to mind in this area, where financial data can be defaced, as well as product specifications. It can be corruption of data that's immediately obvious or obvious over time.

How do you guard against that kind of threat?

Kurtz: If a CEO contemplates whether to enter a new market and open a new office in a new city, they evaluate the risks. We need to put the same consideration into our IT infrastructure. The risk exposure to IT must be part of the CEO's psyche. If you suffer a virus attack and you're down for several hours, it's better than being down for days. You may not be able to stop the disruption, but you can minimize it. This is another area where the benefits of telework come into play -- a virus in one place may not have same affect as in another location.