This chapter examines the impact of catastrophes on information security and suggests who might have responsibility for maintaining an appropriate level of data protection when a catastrophe occurs. The author asserts that catastrophe contingency planning is very different from regular forms of business continuity and disaster recovery planning in terms of size, focus, scope, and content. Catastrophe contingency plans (CCPs) must comprehend a broad range of potential events affecting large numbers of humans and other living creatures, information processing capabilities, information and media, buildings, and infrastructure, and the like, each with its security considerations, and each characterized by its own roles, responsibilities and liabilities. The intent of the chapter is encourage the development of more comprehensive and realistic CCPs, that is, plans that delineate roles and responsibilities clearly and liabilities should CCPs go awry.
“… Brownie, you’re doing a heck of a job.”
– President George W. Bush to Federal Emergency Management Agency (FEMA) director Michael D. Brown in Mobile, Alabama, White House Press Release, September 2, 2005
“On September 12 [2005] Brown resigned …”
See letter at http://www.cnn.com/2005/US/11/03/brown.fema.emails
TopBackground
In the wake of Katrina, a Category 5 hurricane that passed east of New Orleans on August 29, 2005, the levees were breached and New Orleans was flooded. There was plenty of blame to go around for the lack of preparation to prevent the breach and for the inadequacy of the rescue and recovery efforts. Local, state and national politicians and other government representatives were roundly criticized for their lack of planning and foresight and their failure to act appropriately and timely in the face of a mounting disaster and evolving catastrophe. On the one hand, the designers and builders of the levees were attacked for their having under-designed these protective structures. On the other hand, those responsible for responding to the event were first praised and subsequently pilloried for the inadequacy of their performance and the great suffering and destruction of property and lives that ensued.
Could this catastrophe have been averted? Or, if the risk of occurrence was considered too low to spend the extra funds on stronger and better designed levees, could the response and recovery process have been better organized and better planned?
Complete protection against such disasters is prohibitively expensive and usually cannot be justified based on the risks. But some level of planning and preparation is expected from our officials and emergency services. Someone has to take on the responsibility for developing and implementing such contingency plans. And, yes, some should be take the blame if the plans go awry and if it is apparent that the damage could have been averted.
Often it takes a tragedy to have better preventive and responsive measures put in place. The magnitude of the Indonesian tsunami of December 2004, with deaths estimated more than 200,0001, was unprecedented in modern times and unforeseen. Before the event, monitoring devices were not considered necessary. After it happened, as is generally the case, perception of the likelihood of such a devastating event changed quickly, with pressure to build early warning systems in the Indian Ocean as exists in other oceans susceptible to earthquakes. Also, we are now seeing much greater responsiveness, in terms of warning coastal dwellers of a possible tsunami.
It is virtually impossible to predict major devastating events, natural or human-induced, in regard to scope, timing or both, as is very well argued in the book The Black Swan (Taleb, 2007). Therefore, it behooves those in power to plan for catastrophes as a whole. They must take responsibility for those plans, and step up to being strongly criticized and severely disciplined if their planning and responses are clearly inadequate and should have been more effective given the state of knowledge and capability prior to the event.
When the avian influenza (or bird flu) pandemic was originally confirmed to have infected human beings in 1997 (CDC, 2007), there were grave concerns that the outbreak would evolve into a human pandemic. Subsequently, there have been some efforts to plan for such a rampant spread of disease in humans, but there remain many who cannot or will not fathom the scope of the required Catastrophe Contingency Plan (CCP). A catastrophe, of the likes of a flu pandemic, would be unprecedented in modern times. The anticipated birdflu outbreak has been compared to the global flu pandemic of 1918. However, the world was not nearly as complex, intertwined and global 90 years ago, nor did it have today’s multitude of interacting processes.
Today, with such reliance on nations’ critical infrastructures and interdependencies within, between and across sectors, both domestically and internationally, the potential impact of a catastrophe, such as a pandemic, is huge.
There are many who view CCPs as merely simple extensions of regular business continuity and disaster recovery plans. However, as you will see from reading this chapter, CCPs not only include considerations that are very different from regular disaster plans, but they also involve more sophisticated and complex tools and methods. These methods go well beyond those prescribed for regular emergency preparedness and continuity planning.