Personal tools

OFA Featured Work #1: The Devil’s in the Cloud

There appears to be consensus in many quarters today that migrating to the Cloud is highly desirable – indeed, that we have already embarked upon an irresistible and indeed inexorable migration. Multinational IT vendors view this transition as the next great market opportunity; governments see in it an opportunity to finally rationalize their Byzantine legacy systems without incurring massive up front capital costs; and enterprise users find the value proposition increasingly compelling as their systems become more complex, expensive and difficult to maintain.

Welcome to OpenForum Academy's 'Featured Work' Series

OpenForum Academy has long been a leader in examining the paradigm shift towards openness in computing that is currently underway and exploring how this trend is changing the role of computing in society. Our new 'Featured Work' series builds on this, and on the notable output of our Fellows, by selecting and presenting thought-provoking essays or research that can help educate and inform readers interested in Open Innovation.

Andrew Updegrove on the Cloud

Andy UpdegroveAndrew Updegrove is a co-founder and partner of the Boston law firm of Gesmer Updegrove LLP. Since 1988 he has served as legal counsel to over 135 standards development organizations and open source foundations, most of which he has helped structure and launch. He has been retained by many of the largest technology companies in the world to assist them in forming such organizations.

 He has also written and spoken extensively on the topics of consortia, standard setting and open source software, has given testimony to the United States Department of Justice, Federal Trade Commission, and Congressional and State legislative committees on the same topics, and has filed “friend of the court” briefs on a pro bono basis with the Federal Circuit Court, Supreme Court, and Federal Trade Commission in support of standards development in leading standards-related litigation. In 2002, he launched, a website intended to be the most detailed and comprehensive resource on the Internet on the topics of consortia and standard setting, as well as Standards Today, a bi-monthly eJournal of news, ideas and analysis in the standard setting and open source areas with over 7,000 subscribers around the world. In 2005, he launched the Standards Blog. serves over 10 million page views annually.

He has been a member of the United States Standards Strategy revision committee, and received the President’s Award for Journalism from American National Standards Institute (ANSI) in 2005. His current and past Board service includes the Boards of Directors of ANSI, the Linux Foundation and the Free Standards Group, and the Boards of Advisors of HL7 and Open Source for America. He is a graduate of Yale University and the Cornell University Law School.

The Alexandra ProjectAndrew has explored issues related to technology and society in many forms. One recent example was the publication of his first novel, 'The Alexandra Project,' a thriller focused on Cyber Security. The Alexandria Project first appeared as a serial at The Standards Blog, where thousands of readers enthusiastically awaited the next weekly instalment. It is now available in collected form for $2.99 or less at Amazon, iTunes and Barnes & Noble (and in ePub and PDF formats at GooglePlay).

Engaging with the Cloud follows naturally from Andrew's previous publications. 'The Devil's in the Cloud,' our choice of featured work, represents a substantial thinking tool on the subject. It was originally released in four parts on Andrew's blog, ConsortiumInfo on April 23rd, 24th, 25th and 26th 2013. The original text can be read here, here, here and here. More articles from Andrew can be found in the extensive ConsortiumInfo archives.

The Devil's in the Cloud: Our Headlong Rush into Ultimate Cybersecurity Vulnerability

There appears to be consensus in many quarters today that migrating to the Cloud is highly desirable – indeed, that we have already embarked upon an irresistible and indeed inexorable migration.  Multinational IT vendors view this transition as the next great market opportunity; governments see in it an opportunity to finally rationalize their Byzantine legacy systems without incurring massive up front capital costs; and enterprise users find the value proposition increasingly compelling as their systems become more complex, expensive and difficult to maintain. 

Meanwhile, the data, records, pictures and social relations of individuals (often without their pausing to think about it) move with the tap of a key from hard drives and back up device from the supervision of their owners to who knows where, owned by who knows who, and vulnerable to who knows what?

As this process continues, all-too predictable market forces will drive cloud services towards commoditization, and with commodization will come consolidation – again, in response to classic market influences. 

At the same time, as the share of global electric power consumed by data farms and networks approaches an incredible 10%, concerns over climate change and rising energy prices will drive the data farms that receive all this data to cluster around the lowest-cost energy sources – wind farms, hydroelectric dams and, someday, perhaps solar and geothermal sources as well.  Already there are millions of servers humming in data farms adjacent (for example) to the Columbia River in Washington state that dwarf the agricultural farms that they have replaced. 

Ten years from today, what percentage of all that matters will live within an increasingly smaller number of ever more enormous data complexes?  Not just the transactional wherewithal to enable transportation, finance, government, food production, power transmission, manufacturing and education to function, but – far more consequentially – all data and, indeed, all human knowledge, less and less of which will find its way on to non-electronic media (remember paper?) for archival purposes at all.

Let us add one final trend: as the First World becomes more networked and Cloud dependent, its asymmetric vulnerability to less network-reliant enemies will increase exponentially.  After all, when the United States has a military budget equal to that of the next 17 most militarily profligate nations combined, what incentive can there be for a lesser country that wishes to tweak the lion’s tail to spend a Rial or a Won on traditional weaponry?

This last trend has been well-recognized as a reason to take electronic cybersecurity more seriously. But this realization masks a far more serious vulnerability entirely, because systems that are the victim of a cyberattack can usually be restored again – often within hours. But a data farm that has been transformed into a smoking ruin by kinetic weapons of war or a terrorist attack will never be brought back on line again.

In the next instalment, we will explore how remarkably simple it would be for a nation – indeed for the entire First World – to be reduced to a state of famine and near-non-existence by an enemy the identity of which it may never learn.

The moral of the story is that equal attention must be spent to developing and mandating adherence to standards of physical security for our Internet-dependent modern society as well as standards intended to protect against cyber attack.  To do otherwise will be to render ourselves vulnerable to a degree of societal destruction that would rival that induced by a nuclear war.

Does that sound false and alarmist?  Keep reading and make your mind up then. 

The Devil’s in the Cloud: New Year's Day, 2023

As the sun set on New Year’s Eve, 2022, a dozen anonymous container ships were approaching major ports in the United States and Europe.  Like many carriers nearing the end of their useful life, their histories were mongrel in nature; originally owned by major shipping magnates in Greece, they had passed through multiple hands and were now flagged in Senegal, and chartered by a concern in Amsterdam. Three years ago each had been subchartered by one of several much smaller companies with offices in many out of the way places. 

The terms of each charter contract made the company responsible for the upkeep of the ships it had leased, and in due course over the first year of the engagements each ship had undergone repairs in small ship yards in the Indian Ocean and in Southeast Asia before returning to ply its trade in the various shipping lanes of the world.

Over the two years that followed, the ships loaded and unloaded tens of thousands of anonymous containers. Those containers, one might expect, would have contained anything a container could hold – phonebooks from printers in Calcutta destined for telecommunications carriers in France; timber transshipped at the mouth of the Amazon for furniture companies in South Carolina; consumer electronics from Taiwan bound for Southampton; plywood shipped from Kyoto to Seattle made from trees shipped from Seattle to Kyoto. All of the infinitely varied stuff of global commerce that passes from point A to point B before being transferred to trucks and trains for forwarding to points C and D.

Most of the time, the ships loaded and unloaded in ports in Africa, India, Indonesia,  Bangladesh and other parts of the Indian Ocean and South Pacific.  But occasionally they also journeyed to England, France and Italy, and to the Port of New Jersey, to Los Angeles and to other U.S. destinations.

Thus it was that there was nothing to remark upon when the members of the aging fleet neared their current destinations:  some were closing on Seattle, Los Angeles, New Orleans, Newport News and Boston.  One ship had steamed up the St. Laurence Seaway, through the lakes and locks and onto the broad waters of Lake Superior. Others were nearing ports in the English Channel, the Baltic, and the Mediterranean. The papers of each ship were in order, and pilots were preparing to meet them, expecting nothing but business as usual.

To the practiced eyes of the pilots, each ship would be different, although all were of approximately the same tonnage and age. But each pilot would swiftly note two aspects of each ship that would stand out. The first was that each hull had been modified to install large doors in its bow, ostensibly to allow roll on/roll off loading of cargo. That would be curious, because each ship had also been configured to carry containers, which would most often be loaded from above.  The second aspect was that each ship was riding unusually high, showing more bottom paint and Plimsol lines then one would assume for a ship carrying a profitable cargo of well-stuffed containers.

In the faint light of the pre-dawn hour, none of these similarities would be evident. Nor would the ships stand out in the other outer harbors the fleet was approaching, each of which was still bathed in darkness.  Certainly no one would notice as the doors in the bows of the ships swung open, because all lights had been extinguished inside. The only indication that something unusual was afoot would be the sound of the drones – hundreds of drones with muffled engines – that emerged one at a time from each ship before pursuing its unerring course towards its target, flying only a few hundred feet above the water, and then the land.
Some of those targets were only a few score miles away, while others were many times more distant. It hardly mattered, though, because the United States and Europe were at peace. In the modern world, only the United States, with its many carrier fleets, could project real military muscle against distant enemies. Why, then, would any First World nation need the types of coastal or anti-aircraft defenses that were the order of the day before the nuclear age? These fortifications had long ago been abandoned and fallen into ruin.
Even after the first drones began striking their targets, there was great confusion, because instead of firing easily-seen missiles, the drones, like the German V-1 “buzz bombs” of the Second World War dove to the attack. The small night time staffs working at the targets had no way of knowing what was striking them – surreptitiously planted bombs? Truck bombs? Artillery fire?  Missiles? And from where??
As realization spread that the nations were under attack, their governments and militaries struggled to understand what had happened, and to react. But the drones had already reached their destinations. Off shore, still under cover of darkness, the crews of the container ships sped off in small, fast boats.  Soon they would rendezvous far off shore with the submarines that awaited them, while the container ships settled deeper into the water, their seacocks open and sea water flooding their holds. 
Needless to say, the countries that had been struck launched no counterattacks, because there was no way to know who to attack without weeks of investigative work in any of the ports that the ships had visited in the years preceding; the drones could have been loaded in any of those ports, and the tangle of ownership of the companies that had leased the ships led through seemingly endless layers of holding companies. 
Indeed, the civil and military leaders of the target countries never did truly understand what had hit them. To do so would require sophisticated networks to gather and analyze data of all kinds. 
And that was now impossible.  Because, of course, the targets were the data farms.

The Devil’s in the Cloud: The New Dark Ages


When the New Year’s Day sun rose in Europe and the United States, the reality of what had happened was hidden to almost all. Only a hundred or so targets had been struck, and the smoke from the ruins that remained was already dissipating. What people did immediately realize was that certain things that they were used to working now did not.

The things that no longer functioned included anything that relied on electricity to operate. Which was, of course, virtually everything except automobiles. This was necessarily the case, because all of the elements that coordinated and controlled the power grid had been destroyed. Even many battery powered devices were silent – the cell phones had no dial tones, and the radios generated only static, because the management software and servers that enabled telecommunications had also been annihilated. Perhaps most discomfiting of all, there was no Internet, nor any of the services that relied upon the Internet.

For the first few hours, the effect was unusually peaceful, the way a power outage can sometimes be, with neighbors remarking upon how nice it was to simply sit on the porch and talk, just like the old days.

But by mid day, the novelty was replaced with consternation, because there was virtually no information available about what had happened, and how it would be made right. True, some emergency broadcast radio channels were operating, but because those that controlled them had so little knowledge about what had happened, or the extent of the damage, there was little they could say. Worse, if they had shared what information they did have – that those ostensibly in control had no idea how they would go about restoring the power grid, let alone the Internet, in any reasonable amount of time – mass panic would certainly ensue.

There was little to prevent the arrival of that state of affairs in any event. For those that were fortunate, it was a matter of days. For others, it arrived before the night of the first day had fallen. Riots and looting broke out in many cities, fueled in part by fear and in part by opportunism.  

By the second day, the true severity of the situation began to penetrate the consciousness of more and more people. The gas in the tanks of their cars was the last gas they would have until who knew when, because gas stations had no generators.  And if they did, there would be no more deliveries of new fuel to the stations, because there was no more Internet to support inventory and shipping controls, or to monitor supply or demand.

Needless to say, the banks did not open. Nor did ATMs operate, although in truth the relevance of paper money was rapidly becoming less and less evident. The capital markets stayed closed as well, as did every element of the transportation system, dependent as it was on computerized management, and as workers became less and less willing to use precious gasoline driving to work.

As the fuel ran out in cars and trucks, the delivery of essential items – food, heating oil, medicines, clothing, replacement parts – speedily came to an end.

As had always been the case in the past when a natural or man-made disaster had struck, police, firemen, EMTs and other first responders sprang into action. But this time, everything was different. For one thing, they lacked reliable communications. For another, they lacked information.

Databases that used to live on local servers had long ago been moved to distant data farms, and now those data farms – both the primary locations as well as their back up sites – had been reduced to rubble. Data as basic as the addresses and phone numbers of a police department’s own personnel were suddenly unavailable. Desk sergeants were reduced to rummaging through desk drawers, hoping that someone had printed out a copy of one piece of information or another for temporary reference.

The same crisis developed quickly in almost every other setting. Most hospitals had power from backup generators until their fuel supplies gave out, but their patients no long had a medical history to consult, because paper records had all been replaced with electronic medical records. All of those records – of course – were remotely hosted, or at least had been, prior to the attack. Now they had ceased to exist. Nor could doctors order medical tests, because the servers that hosted the diagnostic software also no longer existed. Doctors that had never been trained to diagnose through personal observation found that they suddenly were scarcely more able to treat their patients than the patients themselves.

So also at airports, where suddenly air traffic controllers and pilots were reduced to line of site navigation. But every airline shut down operations immediately, because they had no way to know who had paid for a ticket and how had not, or whether planes would be full or empty, or whether there would be sufficient fuel at any given airport to refuel once a plane had arrived. Railways were only a little better off, because their signaling systems no longer functioned. That hardly mattered, though, because the trunk lines that long ago carried rail freight from main lines to factories and small towns had long ago been abandoned. There was little point to moving items from one transhipment point to another, since there were no longer any trucks to complete the shipment to its final destination. Buses, of course, needed fuel. And soon they had none.

First responders did the best they could at the local level for as long as they could. But as time went on, what they could do became less and less. They had no food to dole out, nor any way to bring heat to the emergency shelters that had always served their appointed purposes in the past. As the reality of the situation began to sink in, police, fireman and eventually even the National Guard did what could be expected – they left their posts and returned to their families, to do what they could to protect them instead.

Meanwhile, supplies of medications at pharmacies and hospitals rapidly dwindled. When stocks of insulin and other urgently needed medications gave out, the results were both tragic and predictable. 

The shock of realizing that vital information had been lost – perhaps forever - played out over and over in millions of businesses, universities and government agencies in the days that followed. The impact was numbing and immobilizing. Theoretically, millions of new servers could be ordered, built, bought, shipped and installed over a great deal of time, and those servers could be reloaded with software and that software could be reconfigured, over another very long time. But how could those servers be ordered, paid for, shipped and installed without access to the data, software and computing power that had been destroyed? Over time, perhaps, yes, but how to accomplish anything until that had occurred? Or survive until it had?

So also with the power grid. The days were long gone when every town had its own generation facility. Instead, the grid had become like an ocean of power into which producers poured electricity and from which users pulled it out, matching up accounts between buyers and sellers through highly complex software. Maintaining that grid had become an almost infinitely complex balancing act. Take down one part, and the impact could cascade through a wider and wider area. Bringing it back up was a vastly intricate job, predicated on the assumption that virtually all generating capacity would be available to once more be linked together.

True, wind turbines continued to turn and the dynamos deep inside hydroelectric dams still spun. But renewable energy constituted only a very minor part of total energy needs. The coal-powered facilities that remained continued to produce, but only for a few days, until their on-site coal supplies ran out, because the transportation system was down. Gas-fired plants had already shut down, as had all nuclear facilities, out of fear that could be the next targets of attack.

Every way that those in charge sought to turn, there were missing pieces – missing pieces in everything and everywhere. It was if in an instant all of the modern infrastructure of two continents had in a matter of hours been turned into confetti and blown to the four corners of the earth. Here there was still a bit and over there another, but too much of what should have been in between was unavailable to allow anyone to start to repair anything at all. And there was no place to start, because your communications were down, as were your analytical tools. 

In the best of times, perhaps it could all have been put back together again. But these times were anything but fortunate. To rebuild required vast amounts of coordination and communication. But chaos increasingly prevailed in the streets as food and fuel ran out. Soon, only armored vehicles could safely move about, when they had the fuel to do so. Those charged with maintaining order and with restoring normalcy became first, demoralized, and then desperate. 

It was not long before they realized that action of any sort was no longer possible, and gave up. And who could blame them?

It was both cruel and deliberate that the attack had been planned for midwinter. Those who relied on natural gas for heat were immediately at risk of freezing to death, while those with oil furnaces were able to keep the cold at bay only until their tanks ran dry.  Those that had full tanks stayed warm while they starved; it did not take long to consume their last can goods. Assuming that they had not been attacked by those that sought to steal them.

By the time that spring arrived, most of the population of northern Europe and the Northern United States had starved to death, been killed, or (in some cases) killed themselves. Many of those that lived farther south were not much better off. There were no seeds; there was no fuel for the tractors; they could not hold out until what few crops they could plant and hoe had matured.

Except for isolated pockets of elected leaders sheltering at military bases that could do little but preserve their own safety, all federal, state and local governments had utterly collapsed. Soon, well-armed, but hardly well-ordered, militias began to spring up. In most cases, they brought more fear than safety to the territories that they staked out.

The often imagined cinematic scenario of a dystopian, post-apocalyptic nightmare world had been made real. Not by means of thousands of nuclear weapons delivered by intercontinental ballistic missiles, but by flights of simple, but well-targeted drones bearing conventional weapons, launched from a a tiny fleet of out of date cargo ships.

In the face of such enormous need, the rest of the world did what it could, which was not much. A few nations sent relief efforts to coastal cities, but so many of those efforts were met in the United States by armed mobs intent on getting as much as possible for their starving families, these efforts soon ceased. And indeed, with more than 800 million people in Europe and the United States in the worst need imaginable, and with no means to distribute what they so urgently required, what could a poor or a small nation do to make a dent, in any event?

And then, of course, there was the danger that whoever had attacked the West could also attack anyone that came to its aid.

The Devil’s in the Cloud: The Ghost of Christmas (Cyber) Future



It would be convenient and consoling to pretend that what I’ve described over the last several days is simple science fiction. But sad to say, the only thing that is doubtful about the scenario I have described is that it might be difficult for the perpetrator to build a thousand drones without Western espionage becoming aware of the plan. 

But would that really be so hard? Many countries are building drones now; the technology is not complex. Indeed, Germany launched V-1 drones against Britain more than seventy years ago. With GPS today, building and guiding sufficiently reliable drones of the primitive type needed to stage the attack I have described is within the technical ability of every nation that could be imagined to be an enemy. And there are plenty of old ships to go around.

The moral of the story is that we are turning a willfully blind eye to a vulnerability that we are rapidly creating.

And I use the word 'rapidly' advisedly.  There is already an OMB program in place called the  Federal Data Center Consolidation Initiative (FDCCI), under which the Federal agencies will close 1,200 out of about 2,900 data centers.  But that may only be a first step.  The Department of Homeland Security has already consolidated its information much farther.  Where once its enormous data resources were spread across 46 data centers, everything now lives in just five. As noted in a recent article, "although having fewer data centers gives would-be attackers a smaller zone to target, the threat is offset by a smaller perimeter that has more controlled resources within it." 

That may be fine if you are only worried about terrorist attacks by a few individuals.  But it also dramatically increases the damage that a successful cyber attack could do if some or all of those centers are breached.  And it's abundantly clear that unless those five centers are buried deep underground, the type of scenario I've described could already have devastating effect today.

So why are we doing this?

In part, this is because it is easier and cheaper to place servers in industrial buildings, and in part because we live under the illusion that because we have not had a major war on Western soil since the 1940s that it cannot ever happen again.  Which is, of course, patently absurd. Indeed, war has been intermittent in the Middle East for decades, threatening to spill beyond those borders, and was actively pursued in the Balkans only two decades ago. How much more likely would an attack become if a drone-filled ship could replace an army, navy and air force all rolled into one, and without incurring a single casualty on the attacker’s part? 

But one need not look to the indefinite future to find a reason for concern. Should we be willing to roll the dice that North Korea or Iran would never try such a gambit, and especially if it were possible that we would be unable to trace the attack to its source in time to retaliate? But even if we assume that currently known adversaries need not be of concern, what about ten or twenty years from now, as the global population expands, and as water and other natural resources become every more scarce?

If the picture I have painted is dreadful to comprehend, it should be. Indeed, if we continue on our current course of centralizing Cloud services without housing them in appropriate protected environments, we should expect that a scenario such as the one described will certainly occur to one or more nations in the foreseeable future. With 5,000 years of history to look to for precedent, we would be reckless to assume otherwise.

Happily, and unlike the challenges presented by cyber attacks, addressing the threat described is not even difficult.  Only expensive. 

The most obvious solution is simply to mandate that Cloud services and related infrastructure be placed underground. Indeed, the medieval solution (fortification) remains beautifully suited to the current task. There is nothing technically challenging about digging a hole in the ground, filling it with a data farm, and covering it again with 30 feet of dirt and concrete.  It’s only a matter of deciding to incur the extra cost (if you’re wondering what a structure would be like, you can find one described here).

While it's true that the U.S. today has a "bunker busting" bomb that could reach deeply buried resources, the U.S. is the only nation that has a stealth bomber capable of carrying the 30,000 pound behemoth. It is far harder to imagine how any nation could mount a concerted attack against U.S. data centers using ordinance of this nature for the foreseeable future.

While it's true that the U.S. today has a "bunker busting" bomb that could reach deeply buried resources, the U.S. is the only nation that has a stealth bomber capable of carrying the 30,000 pound behemoth. It is far harder to imagine how any nation could mount a concerted attack against U.S. data centers using ordinance of this nature for the foreseeable future.

What is needed is for a thoughtful set of requirements to be set out that identifies critical infrastructure, and then specifies what level of protection against kinetic attack will be required. Of course the same effort should be dedicated to ensuring that the facilities are protected against cyber attack as well. I have described such a set of requirements in detail in the past. You can find those requirements, as well as another equally credible attack scenario, here. As you will see, this is a task based not on rocket science, but on common sense.

It’s hardly surprising that we should find ourselves at such a pass.  Realizing the promise of the Cloud has been just over the horizon for twenty years, and now, suddenly, it has come within our grasp. Moreover, technical opportunity has always beguiled us. We always want to have the candy first, and worry about the cavities later. Stated another way, profit motives will always bring innovation to the marketplace faster than prudent rules to protect us from any undesired but nonetheless real dangers that might come along for the ride. When real danger does become evident, lobbyists will weigh in to avoid new restrictions and costs, and legislators will temporize and delay. And the greater the investment is made in unprotected infrastructure, the greater will be the resistance to replacing it with more expensive facilities.

What we need to ask ourselves, like Scrooge, is which future do we want to live in? History tells us clearly that we have not seen the last of war. Europe especially should resonate to the possibility of the scenario that I have laid out in this series. 

But those in the United States should pay even greater heed, because after centuries of living safe behind our moat of oceans, we now live in an age where a handful of aging ships can, any morning now, truly bomb us back into the Stone Age. 


The above content was republished with the permission of Andrew Updegrove from his ConsortiumInfo blog. All content from ConsortiumInfo "(including, but not limited to the text, information, software, code, images, and any other content) owned by, or licensed to StandardsInfo LLC are also protected from unauthorized copying and dissemination by U.S. Copyright law, trademark law, international conventions, and other intellectual property laws. Subject to your full compliance with these Terms of Use and any applicable further restrictions contained in the materials in question, however, you are allowed to view, copy and print the materials hosted at this Website for your own personal, legal, non-commercial use, as long as you retain any copyright, trademark and other similar notices on the materials and do not modify them in any way." 

Document Actions