The story of WikiLeaks and Amazon.com Inc., with supporting characters PayPal Inc., MasterCard Inc. and so on, may be ending, but risk managers are just beginning to understand its repercussions for IT. By now we know the basics:
• WikiLeaks made hundreds of thousands of classified documents available to several newspapers and began publishing some itself.
• As the documents became available, public reaction was mixed, and WikiLeaks -- hosted at that point by a Swedish service provider -- became the target of denial-of-service, or DoS attacks from detractors, and unprecedented demand from both sides. So WikiLeaks moved its home page to Amazon.com's Elastic Compute Cloud while continuing to publish the documents on other servers (as did mirror sites).
• In a matter of days, Amazon.com cut off service to WikiLeaks, citing terms-of-service violations. PayPal, MasterCard and others soon followed, citing terms-of-service violations or government pressure.
• Organized but anonymous groups retaliated with attacks on the sites of service providers that had terminated their relationship with WikiLeaks, and boycotts were called against them but proved to be largely ineffective.
The WikiLeaks story should be a wake-up call for IT, compliance and risk management executives. Most enterprises face risks similar to those of WikiLeaks' service providers and their other customers, but we can take steps to mitigate those risks if we understand the critical failure points. Start by considering your enterprise as a set of supply chains, as shown in this graphic:
A typical enterprise takes resources from suppliers, creates some value as a function of added intellectual property or process, and delivers the resulting product or service to a waiting clientele. Today, third-party service providers, which offer economies of scale, expertise and levels of performance that may be difficult to duplicate in-house, perform many noncore functions. Services typically handled this way include payment functions, IT services (including cloud computing services), payroll and so forth. Using such services adds new risks that are beyond the control of the enterprise, unless specific mitigation strategies are used.
Relationships with service providers generally are governed by local law, a terms-of-service agreement that defines "acceptable use" of the service, and a service-level agreement (SLA) that specifies the provider's obligations to provide services and the consumer's remedies in the event of a service failure.
PayPal's terms of service, for example, prohibit activities that "violate any law, statute, ordinance or regulation" or "encourage, promote, facilitate or instruct others to engage in illegal activity.” Amazon.com's terms of service for Amazon Web Services includes a clause that has applicants attest that they will not use AWS "in a manner that infringes, violates or misappropriates any rights of us or any third party" or "in a way that is otherwise illegal or promotes illegal activities."
Without redundant suppliers for critical services, an enterprise might be crippled while it attempts to show compliance -- as Amazon.com, PayPal and others demonstrated in the WikiLeaks case.
In most cases, activities the provider perceives as terms-of-service violations may result in immediate termination of services, while failure under an SLA requires a more protracted set of activities. In continuity planning, compliance with terms of service is rarely treated as seriously as compliance with government regulations, but the interruption to business continuity can be more severe because the supplier can cut off services without warning. Without redundant suppliers for critical services, an enterprise might be crippled while it attempts to show compliance -- as Amazon.com, PayPal and others demonstrated in the WikiLeaks case.
Given the dangers of a loss of continuity while a service provider appeals a shutdown due to terms-of-service violations, or a loss of a supplier's services due to attacks by unregulated threats, it's important that an enterprise identify its vulnerabilities and build in redundancies. For example, if one of your critical service providers also provides services for a firm that poses a threat to a government or hostile entity, what types of disruption might you expect? Consider the graphic, where the red lines highlight common risks.
Sample triggers and risks, and a mitigating strategy
Triggers: A regulator or government entity determines that an unrelated enterprise or one of your suppliers is violating a rule that poses an immediate danger, and takes action against that entity directly or through pressure applied to that entity's external service providers, which also are part of your ecosystem.
An unregulated entity, from a foreign government to an anonymous group bent on revenge, targets your service providers in retaliation for perceived wrongdoing or an unjust action.
Risks: A third-party service provider in your ecosystem might become vulnerable to external threats for shutting down an entity outside your sphere of interest or control, and expose your enterprise to a loss of service.
Your supplier might be shut down or incapacitated by external forces, including loss of third-party services, regulatory action or retaliatory attack.
Strategy: No critical data or business process should be vulnerable to a single point of failure, so at a minimum, you should make provisions for failover continuity with another supplier or service provider.
Remember, in the WikiLeaks case, pressure was put on Amazon.com to stop providing services even though the most likely compliance breaches were committed at least one level away from both WikiLeaks and Amazon. (At this point, no charges have been filed against WikiLeaks for theft of the documents. Amazon.com apparently never hosted the documents but instead hosted a site that linked to sites containing the documents.)
One cannot be expected to know everything about the other clients served by one's service providers, but it is prudent to assume that any external entity in one's supply chain could suffer similar attacks for supporting an illegal or unpopular enterprise. No businesses reported serious service outages as a result of the attacks on Amazon.com this time -- which is a testament to the robustness of its infrastructure -- but it would be a mistake to miss the warning signs for the future.
Adrian Bowles has more than 25 years of experience as an analyst, practitioner and academic in IT with a focus on IT strategy and management. He is the founder of SIG411 LLC, an advisory services firm in Westport, Conn., and director of the Sustainability Leadership Council.