Opinion

Why Digital Infrastructure Must Be Resilient

July 27, 2020
Melissa_Hathaway-Square.jpg
hathaway-landscape-2.jpg
Shutterstock

This article is a part of Global Cooperation after COVID-19, an essay series offering analysis of the post-pandemic world.

O

n March 11, 2020, when the World Health Organization (WHO) declared the COVID-19 virus a global public health and safety threat, our leaders should have amplified the message, preparing people for a 1,000-day journey. Instead, our leaders managed the announcement of the pandemic as they would a quarterly earnings forecast, asserting that everything would be fine by the next quarter.

Yet, the truth is that we have a long journey ahead of us, one that will take at least 1,000 days — and likely longer. While there are at least 14 vaccines in human trial, we should temper our hopes. Alex Gorsky, the CEO of Johnson & Johnson, stated that “we are taking what normally takes five to seven years, and doing it in five to seven months.” He cautioned that even if we get an effective vaccine, it won’t be clear how long its protection will last or how much of the population it will inoculate. Dr. Anthony Fauci, director of the US National Institute of Allergy and Infectious Diseases, echoed this point, telling the BBC that we need to have evidence that a vaccine is actually going to work.” In fact, it’s difficult for a vaccine candidate to make the transition from the laboratory to clinical trials. Vaccines are held to a higher standard than conventional drugs because they are given to healthy individuals. Regulators usually require a vaccine to undergo three phases of development in humans to monitor it for safety and effectiveness, a process that typically takes years. In the COVID-19 pandemic, its not yet clear what regulators will accept as proof of a successful and safe vaccine. In its guidance to the industry, the US Food and Drug Administration has said that to be approved, a vaccine would need to be 50 percent more effective than a placebo and show evidence beyond blood tests of an immune response. Once a vaccine is approved, it will take between 18 and 24 months to manufacture at scale, distribute and begin administering to a global population of approximately six billion people. Therefore, an optimistic point of view is 1,000 days from the WHO’s declaration, or — rounded up to mark the occasion — New Year’s Eve of 2022. A sobering thought.

While we mourn the loss of our loved ones, jobs and freedoms, we may not recognize that we are also embracing a digital transformation as a survival tactic to remain connected to our friends, families and institutions of education, and to keep our businesses afloat. The internet has become the lifeline. What is your digital channel of choice — Zoom? Teams? FaceTime? Webex? WhatsApp? WeChat? Neither our political leadership nor the business titans ever imagined that the survival of our businesses and society would depend so dearly on the digital backbone and resilience of these systems to maintain continuity of operations.

The First 100 Days

The first few months of the pandemic were extraordinarily difficult, as we all adjusted to this “new normal.” The world went home to work and began more widely using technologies that had actually been available for the past decade. Telemedicine, remote learning and online education providers were among the early adopters of these technologies, out of necessity. But even the Global 1000 businesses adapted and adopted quickly, and reported positive results regarding their increased productivity and meeting key performance criteria. Networks were operating at 20 percent to 40 percent over their pre-pandemic traffic levels. People were using that network capacity to tame their cabin fever and keep up some semblance of normalcy. Verizon’s CEO Hans Vestberg highlighted the capacity draws in April, which included a 150 percent increase in online gaming; a 1,200 increase in collaboration tools; a 50 percent increase in video streaming; a 40 percent increase in downloads; and 800 million phone calls a day — formerly the peak that telecoms usually observed on Mothers Day, but now an everyday volume. Internet service providers (ISPs) and telecommunications companies were trying to build more capacity in the system but also experiencing more and more outages. Beyond the glitches and outages, malicious actors took advantage of our increased reliance on digital tools and broader exposure to cybersecurity risks to not only ramp up scams targeted at individuals but also to ransom businesses, disrupt critical infrastructures and attack governments at all levels.

In April, Tata Communications’ network infrastructure across Europe and India suffered an outage that affected 80 network interfaces across multiple regions and cities. The same month, Russian state-owned telecommunications provider Rostelecom redirected internet traffic meant for more than 200 of the worlds largest content delivery networks (CDNs) and cloud hosting providers through its networks. This Border Gateway Protocol (BGP) hijack demonstrated the fragility of the network by using misleading or fraudulent BGP route announcements to redirect traffic from its intended destination.

Neither our political leadership nor the business titans ever imagined that the survival of our businesses and society would depend so dearly on the digital backbone and resilience of these systems to maintain continuity of operations.

In June, IBM’s Cloud infrastructure suffered a widespread outage that affected multiple services hosted on their platform and crippled enterprise environments all over the world. Just a couple of weeks later, T-Mobile had a serious outage in the United States that impacted public safety and the general public’s ability to communicate. For at least 13 hours, many customers couldn’t make or receive calls, including 911 emergency services. T-Mobile deployed hundreds of engineers to work with partners to stop the “IP traffic storm” that created “significant capacity issues across the IMS (IP Multimedia Subsystem) core network.” T-Mobile had to add a lot of capacity on the fly. That same week, Cloudflare — one of the worlds largest network operators, which supports more than 27 million internet properties — suffered an outage too, caused by a “massive spike in CPU utilization on [their] network…caused by a bad software deploy that was rolled back.” At least a dozen data centres were affected, disrupting a large number of online businesses and websites. Akamai — a global CDN — reported the largest-ever packets-per-second (PPS) distributed denial-of-service (DDoS) attacks the same month. One of the attacks observed was against an unnamed large European bank that was barraged by 809 million PPS, the largest attack ever recorded on Akamai’s platform. Within days, another attack of 1.44 terabits per second targeted an internet hosting provider, interrupting its service for only 10 minutes and showing how easy it is to exploit weaknesses in an enterprise’s defence. Attacks at this volume and velocity can destroy the victim’s infrastructure, which made these events even more alarming. June closed with a series of short-term internet and communications outages in London. British companies Sky, TalkTalk and Virgin Media kept thousands of customers trying to work from home without internet services for at least six hours.

Clearly, the first quarter of the pandemic closed with poor results for society’s digital resilience. Governments reacted by issuing guidance and warnings. The US Secret Service issued a security alert, warning that managed service providers (MSPs) — companies that provide “management services for a customer’s IT infrastructure using remote administration tools” — were being targeted and used to gain access to the internal networks of their customers. The Investment Industry Regulatory Organization of Canada similarly released an education notice to industry, driven by companies’ increased adoption of cloud services due to the pandemic and, therefore, growing cybersecurity risks. This adoption coincided with a rise in the number of attacks targeting cloud services and exploiting the vulnerabilities underpinning software applications, resulting in business disruption and loss of sensitive data. The alert provided advice on the best practices industries could deploy to mitigate these risks.

Governments also highlighted the geopolitical competition for the vaccine — the thirst to be first. In May, the Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and Infrastructure Security Agency warned health-care, pharmaceutical and research sectors working on COVID-19 research that their networks would likely be compromised by the Peoples Republic of China and urged them to protect their systems. The director of the FBI was blunter, stating that China is working to compromise American health-care organizations, pharmaceutical companies and academic institutions conducting essential covid research.” In mid-July, the United Kingdom’s National Cyber Security Centre warned that Russian intelligence services were also conducting different malicious cyberspace activities in an effort to steal vaccine research data in the United States, Canada and the United Kingdom.

One Quarter Behind Us, at Least 10 More to Go

The first 100 days of this crisis should make us appreciate the value at risk to society. The weaknesses that have been exploited against the ISPs, MSPs, CDNs and other communications providers are not just opportunistic — they undercut the ability of businesses, and the ability of every one of these businesses’ customers, to deliver goods, services, data and capital across borders. Moreover, conducting espionage against health-care, pharmaceutical and research sectors working on COVID-19 solutions presents the thief with an opportunity to advance its country and society’s recovery more quickly — and thus, their economy and position in the world.

The next 10 quarters or 900 days of this journey require a strategic mindset and an infrastructure investment not currently being considered by governments and fiscal authorities around the world. At the forefront of these investments, leaders should focus on securely expanding the digital infrastructure’s capacity. Supporting long-term work-from-home, learn-from-home and telehealth activities requires expanding existing and developing new broadband programs. The digital infrastructure needs to be affordable, reliable and within the reach of every citizen, whether city-based or rural.

Moreover, the strategy should consider new technologies and digital innovations not even conceived yet. Why not design the digital infrastructure for overcapacity — and leap ahead of 5G and start investing in 6G technology? If we accelerate the research and development investments for the next generation of digital infrastructure and combine that work with leadership in the standards organizations, we could position for a better future. With quantum-safe cryptography (cryptographic algorithmic systems resistant to quantum computer attacks) and a push for privacy, safety and security by design, we could create a more resilient digital society within 2,000 days.

While looking for long-term solutions, we should also address some short-term issues. The digital platforms that have unlocked our isolation by keeping us connected and that move and store our professional and personal data should be required to be well-engineered — designed with privacy, safety and security at their core. We must become much more strategic in how we create and deploy new digital technologies. Vulnerabilities in these technologies present existential threats to our economy and sovereign security. To address these threats, “an emergency counter-measures board and mitigation process should be initiated that is global and convenes the best talent, regardless of nationality….we must work together to reduce the risks and heal our digital environment as quickly as society can.”

Our governments also need to apply creativity to helping businesses understand how to protect their data and systems, translating corporate digital risks into operational exposures. Business leaders need to understand which of their business-critical systems, data and operations are exposed, and to implement operational, administrative, technical and legal controls to mitigate the risks. Why not, say, mobilize the talent of Hollywood, or launch a John Oliver-style series, to educate executives in an engaging way about the importance of patch management, multi-factor authentication and regulatory requirements on their overall business operations?

Finally, we should remember that we only recently began this digital transformation. Our approach cannot be inadequate or piecemeal, especially given the other stressors in society (unemployment, debt, widespread illness and so forth). We must address our current and future digital risks, work that demands informed and prepared leaders. We cannot allow our digital future to be reduced to 90-day increments, unless they truly build toward strategic outcomes.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

Essay Series

We are in the midst of fighting the first phase of the COVID-19 crisis, but it is already clear that the impacts will be manifold and enduring. It is not too early to reflect on the lasting impact that the outbreak is sure to have on global cooperation, globalization, faith in public action and in science, social cohesion, and the trade-off between civil liberties and personal privacy.