Skip to main content

How Cities Can Avoid Ransom: Pull the Plug

About ten years ago a shipment of flowers from Latin America to the Miami Airport was found to have a dangerous insect not native to the US; it could have had (and maybe has) disastrous impact on the US flower industry were it to survive further north.

It must be an impossible job to try to keep bugs and viruses that don't belong here out of the US; imagine how many carriers of viruses just boarded a plan somewhere else.

Hold that thought.

This Internet Thing Is Gonna Be Big
I remember trying to convince a customer back in the 90's (before ChiliSoft) that this Internet thing was gonna be big, and the dozen ways it would make them faster, stronger, better than their competition--or whatever the pitch was back then. More efficient, less money. Tastes great, less filling.

It took some time, but eventually most businesses adopted the Internet in some way--for browsing, email, external services like booking travel, and ultimately apps.

Businesses and governments were sold on efficiencies of "the cloud" (a still-ridiculous invention of a metaphor that somehow stuck), and software as a service. Pay monthly, pay yearly, no software installations, out with the old, in with the new.

Even in Lancaster, PA, we're so enthralled with the idea of the Internet we gave a no-bid contract to a tiny networking company to provide high-speed Internet--a great idea, poorly executed.

Ransom
And then the holdups began. Dozens of cities now have been attacked and their computer systems held hostage for ransom, payable in Bitcoin, of course, the currency of choice among thieves who prefer to remain anonymous. Ransom works very, very well for them.

I'll skip to the point: you can't win this game. If you run a city, a utility, a state--any government or authority or even any business--you can't win this game. You can't.

And your insurance companies are not going to back you anymore. You're building a house on a flood plain, and ya know, it's simply gonna flood. And nobody's going to have your back.

Pull the plug.

It's really the only thing you can do. Ok, yes, some vendor is going to sell you (scare you, for good reason) on their protection services, or some amazing piece of hardware designed to detect and prevent intrusions.  The hackers, though, figure out new ways to get around the new ways designed to keep them out; the escalation continues and new holes appear as current ones are patched.

And of course it's not just tech: it's likely your employees are getting duped by something in email or on a site. They click on a link that wasn't flagged by the security software, or open the attachment (no--no no no no!), or something.

You just can't control human behavior enough, and you can't keep up with the large number of old and new vulnerabilities.

So pull the plug.

Literally.

Turn Off the Internet
That sounds radical, but here are some ideas that don't quite include caveware, and while I'm not a security expert,  I am somewhat technical and developing something with security as a factor:
  • Go back to sneakernet. Disconnect everything from the web, move files around on SD cards or USB drives (there's a vulnerability right there--USB drives and SD cards).
  • Go back to a closed network. Run all applications internally. Demand your "cloud" provider to install an internal cloud, and don't allow it to connect to the internet randomly--require it at specific times through specific ports, using an encrypted connection (for updates, etc). Then pull the plug again.
  • Run two networks: internal and Internet. Don't connect the two. Ever. Don't move data from the outside in, and rarely from the inside out.
  • Remove all USB and SD slots (or any other storage connection) from all computers. Just super-glue them shut. That kills the sneakernet idea but hey.
  • Kill the wifi--yes the internal wifi. You don't need it. Stick with hard-wired networking. Ok maybe you need it, but you can limit it to just tablets (but not smartphones; smartphones are typically internet connected).
  • Revoke the computing privileges of anyone who violates the security rules, or simply show them the door. I know it's not that easy, but damn, people, don't click on the attachment.
  • ...and other draconian measures.
Start with Nothing
You'd be surprised how much you learn about what you do, why you do it, and other ways it can be done when you start with the draconian, start from scratch, assume caveware (i.e. nothing).

What can you do without? What can you do differently? What happens when instead of emailing someone, you sit down and talk with them. Or print a couple of copies, hand them out, and talk about it? What positive effects flow from that interaction? What can you gain from doing less?

Everything's out to get us. Feels that way sometimes, doesn't it. So close the airports, stop all trade of agricultural products, shut down everything. Don't venture outside, and if you have to, wear a mask.

But that's no way to live, of course.

So what's the proportional and functional response such that we can continue to live and operate in what appears to be an increasingly dangerous world?

I'm not sure. But do voting machines really need any electronics at all? And if so, do they need to be networked? No, and no. And software to run cities and utilities do not really need to run on the Internet; there's no intrinsic need for cloud computing, or at least internet-connected "cloud" computing.

This Effects My Project
I love tech, I love what's next, and I'm working on something super fun and cool and very next but it has one big problem: it's an internet-connected device, and I really don't know the answer to the security issue. Even assuming we had the ability to make it the most secure thing ever, it will be open to attack, which means it will likely be attacked, which means someone might be able to control it remotely, which would be very, very dangerous.

So I'm thinking a lot about how to pull the plug, or whether it really needs to be internet connected at all, or just sometimes. Right now I'm leaning toward pulling the plug, but enabling the transfer of data in some way, just not directly from the internet.

I'm glad I'm not a city. But if you are a city and want to learn about pulling the plug but still running your systems, fell free to contact me for help.



Comments

Popular posts from this blog

Beta Signup

I've been working for quite a while on a new search concept, though the further in I get, the closer the rest of the world gets to what we're doing.

So today I'm inviting you to sign up for the rather modest beta, which will be ready soon if we can nail down a few difficult  details.

Jawaya is a way of navigating the web and getting better results. And that's as much as I can say right now, because we're not a funded startup, and things are moving really fast in this space--it's going to be very competitive. I predict there will be about 10 funded startups in the next 6 months doing something similar. One of them will be mine, and we aim to make it the best.

We're raising a round of capital to fund the team, and are shooting for early sustainability. This is my fifth company; my fourth in the tech space, and my third software company. I think it will be the biggest and can possibly have a positive impact on the world by reducing the amount of time it takes for…

Search & Privacy

I've been using DuckDuckGo.com (DDG) for search recently instead of Google because of its privacy features--it doesn't track you or store your searches. And generally I find it to be useful, delivering relevant content better than or equal to Google's relatively commercial content.

When I want to shop for something, I go to Google because it's a strong engine for that--it's a commerce discovery platform when it comes down to it. Or Amazon.

DDG doesn't track anything, which is meaningful these days when every site and likely every agency tracks what you're doing.

I still think there's a space for curated search, which is what I attempted to do with the unfortunately named Jawaya, a social search or curated search engine of sorts. And I've been building a similar tool for myself as a side project that will approximate that. It's much more powerful with a network of people curating search results. So I might open it up at some point to see if that …

Where Innovation Happens

As I get closer to a go/no-go decision on a project, I've been thinking about the difference about my vision for the project and the supportive innovations to enable the core innovations

The vision combines (in unequal parts) product, core innovation as I imagine it, the application of that core innovation, design, marketing,  developer ecosystem, and business development. The core innovation enables everything else, but it's the application of the innovation that makes it meaningful, useful, and in this case, fun.

This week we're testing initial approaches to the implementation for our specific application, and that's where we'll develop the enabling innovations, which is basically where the rubber meets the road.

The difference is that the enabling innovation happens at the source of real problems only encountered in the making of something, and in a project like this just getting the essence of it right isn't enough; it also has to be safe, the components h…