First, nearly everyone in the business believes that we are living in, yes, a pre-9/11 era when it comes to the security and resilience of electronic information systems. Something very big—bigger than the Google-China case—is likely to go wrong, they said, and once it does, everyone will ask how we could have been so complacent for so long.
This was one of the key points raised in a very interesting article (“Cyber Warriors”) by James Fallows in the March 2010 edition of The Atlantic. The article uses the highly-publicized cyber attack against Google earlier this year by Chinese hackers to illustrate the growing risk of cyber terrorism. Fallows goes on to say, “[Cyber] attacks—not just from China but from Russia and elsewhere—on America’s electronic networks cost millions of dollars and could in the extreme cause the collapse of financial life, the halt of most manufacturing systems, and the evaporation of all the data and knowledge stored on the Internet.”
I was reminded of this article when I read the news yesterday in the Wall Street Journal that Google and Microsoft are competing to sell “cloud-based” email and other apps to the federal government. According to the article:
In what vendors consider a key step, the GSA [the General Services Administration, the U.S. agency that oversees government procurement and manages federal property] on Thursday certified that Google’s email and word-processing service, known as Google Apps, meets security requirements to qualify for use by the agency, a GSA spokeswoman said. Microsoft says it is close to obtaining the same certification for a Web-based version of Exchange…
In the early days of software-as-a-service, security was arguably the top concern many companies had about deploying a SaaS application. While security remains important today, it is no longer a roadblock to implementation, as SaaS has evolved from early-adopter stage to broad adoption, and as solution providers have invested in security (e.g., SAS 70 Type II certification). Google (and presumably Microsoft too) getting the stamp of approval from the federal government is an important milestone for cloud computing and SaaS. In the WSJ article, Parker Harris, executive vice president of technology at Salesforce.com, which is also seeking GSA approval, agrees: Google’s certification “is validation for cloud computing for the government, and that helps the entire industry.”
Longtime readers of Logistics Viewpoints know that we are generally big fans of software-as-a-service, especially for TMS and global trade management applications, due in part to the network-related benefits the model provides. But we have also raised some flags of caution (see “When a Software-as-a-Service Solution Goes Down” and “SaaS TMS and Supply Chain Risk Management”). After reading the article by Fallows, I now realize that the threat is much broader, and the potential consequences more dire, than I previously thought.
Is a 9/11-like cyber attack a low probability, high impact supply chain risk? Perhaps, and there is plenty of literature on how to manage such risks, which includes keeping your fingers crossed and doing nothing. Doing nothing (or not much more than what you’re doing today) might be a justifiable decision, but it’s a decision that has to be reached after your supply chain team and corporate executives have thoroughly analyzed and discussed this risk.
The goal is to avoid asking, sometime down the road, how you could have been so complacent for so long.