Back in 2003 or so we started to have Gartner clients report targeted denial of service attacks. Back then it wasn’t uncommon for businesses that were highly dependent on Internet connectivity for revenue to get attacked as part of an extortion attempt – and it was also common for them to feel it was cheaper to pay off the extorters than it was to stop the attack. That’s changed – it is now not all that expensive to have your carrier or some other service provider (such as a hoster or content delivery network) provide you with DDoS-filtered bandwidth – which is the direction we advised Gartner clients to head in. If you are a hard-core do-it-yourselfer, there are DDoS products that you can buy and put on your end of the Internet connection.
Pretty much anyone being impacted today by DDoS attacks has made a decision to self-insure – attempting to avoid the cost of protection in the hope that it won’t happen to you, or that if it does the cost of dealing with the incident will be less than preventing the problem. Looks like Kyrgyzstan is the latest Eastern European country to realize this is not a good idea – they were knocked off the air by a DDoS attack. While every time this happens it gets hyped up as “Information Warfare”, it is really just an example of an “attractive nuisance” being exploited. Preventing these types of attacks is not that difficult and not that expensive – and almost invariably cheaper than dealing with a successful attack.
Now, the latest wave of piracy is a different story – the BBC has an interesting piece on how often payoffs are made to the Somalian pirates taking over oil tankers. Something like $50M last year, which is probably a small percentage of the value of the oil carried, but the article notes that it often costs just as much to deliver the payoff as the actual payoff, so we are looking at more like $100M. But preventing physical piracy is a very expensive proposition – that $100M looks cheap compared to the costs of any individual oil company or shipping line having to protect itself.
There is a huge difference between physical security and information security. That’s why physical national security makes sense as a government function but information security really doesn’t.