Commentary by Bruce Schneier
If an avian flu pandemic broke out tomorrow, would your company be ready
Computerworld published a series of articles on that question last year,
prompted by a presentation analyst firm Gartner gave at a conference
last November. Among Gartner's recommendations: "Store 42 gallons of
water per data center employee -- enough for a six-week quarantine --
and don't forget about food, medical care, cooking facilities,
sanitation and electricity."
And Gartner's conclusion, over half a year later: Pretty much no
organizations are ready.
This doesn't surprise me at all. It's not that organizations don't spend
enough effort on disaster planning, although that's true; it's that this
really isn't the sort of disaster worth planning for.
Disaster planning is critically important for individuals, families,
organizations large and small, and governments. For the individual, it
can be as simple as spending a few minutes thinking about how he or she
would respond to a disaster. For example, I've spent a lot of time
thinking about what I would do if I lost the use of my computer, whether
by equipment failure, theft or government seizure. As I a result, I have
a pretty complex backup and encryption system, ensuring that 1) I'd
still have access to my data, and 2) no one else would. On the other
hand, I haven't given any serious thought to family disaster planning,
although others have.
For an organization, disaster planning can be much more complex. What
would it do in the case of fire, flood, earthquake and so on? How would
its business survive? The resultant disaster plan might include backup
data centers, temporary staffing contracts, planned degradation of
services and a host of other products and service -- and consultants to
tell you how to use it all.
And anyone who does this kind of thing knows that planning isn't enough:
Testing your disaster plan is critical. Far too often the backup
software fails when it has to do an actual restore, or the
diesel-powered emergency generator fails to kick in. That's also the
flaw with the emergency kit suggestions I linked to above; if you don't
know how to use a compass or first-aid kit, having one in your car won't
do you much good.
But testing isn't just valuable because it reveals practical problems
with a plan. It also has enormous ancillary benefits for your
organization in terms of communication and team building. There's
nothing like a good crisis to get people to rely on each other.
Sometimes I think companies should forget about those team building
exercises that involve climbing trees and building fires, and instead
pretend that a flood has taken out the primary data center.
It really doesn't matter what disaster scenario you're testing. The real
disaster won't be like the test, regardless of what you do, so just pick
one and go. Whether you're an individual trying to recover from a
simulated virus attack, or an organization testing its response to a
hypothetical shooter in the building, you'll learn a lot about
yourselves and your organization, as well as your plan.
There is a sweet spot, though, in disaster preparedness. Some disasters
are too small or too common to worry about. ("We're out of paper clips!?
Call the Crisis Response Team together. I'll get the Paper Clip Shortage
Readiness Program Directive Manual Plan.") And others are too large or
It makes no sense to plan for total annihilation of the continent,
whether by nuclear or meteor strike: That's obvious. But depending on
the size of the planner, many other disasters are also too large to plan
for. People can stockpile food and water to prepare for a hurricane that
knocks out services for a few days, but not for a Katrina-like flood
that knocks out services for months. Organizations can prepare for
losing a data center due to a flood, fire or hurricane, but not for a
Black-Death-scale epidemic that would wipe out a third of the
population. No one can fault bond trading firm Cantor Fitzgerald, which
lost two thirds of its employees in the 9/11 attack on the World Trade
Center, for not having a plan in place to deal with that possibility.
Another consideration is scope. If your corporate headquarters burns
down, it's actually a bigger problem for you than a citywide disaster
that does much more damage. If the whole San Francisco Bay Area were
taken out by an earthquake, customers of affected companies would be far
more likely to forgive lapses in service, or would go the extra mile to
help out. Think of the nationwide response to 9/11; the human "just deal
with it" social structures kicked in, and we all muddled through.
In general, you can only reasonably prepare for disasters that leave
your world largely intact. If a third of the country's population dies,
it's a different world. The economy is different, the laws are different
-- the world is different. You simply can't plan for it; there's no way
you can know enough about what the new world will look like. Disaster
planning only makes sense within the context of existing society.
What all of this means is that any bird flu pandemic will very likely
fall outside the corporate disaster-planning sweet spot. We're just
guessing on its infectiousness, of course, but (despite the alarmism
from two and three years ago), likely scenarios are either moderate to
severe absenteeism because people are staying home for a few weeks --
any organization ought to be able to deal with that -- or a major
disaster of proportions that dwarf the concerns of any organization.
There's not much in between.
Honestly, if you think you're heading toward a world where you need to
stash six weeks' worth of food and water in your company's closets, do
you really believe that it will be enough to see you through to the
A blogger commented on what I said in one article: Schneier is using
what I would call the nuclear war argument for doing nothing. If
there's a nuclear war nothing will be left anyway, so why waste your
time stockpiling food or building fallout shelters? It's entirely out
of your control. It's someone else's responsibility. Don't worry about
Almost. Bird flu, pandemics and disasters in general -- whether man-made
like 9/11, natural like bird flu or a combination like Katrina -- are
definitely things we should worry about. The proper place for bird flu
planning is at the government level. (These are also the people who
should worry about nuclear and meteor strikes.) But real disasters don't
exactly match our plans, and we are best served by a bunch of generic
disaster plans and a smart, flexible organization that can deal with
The key is preparedness. Much more important than planning, preparedness
is about setting up social structures so that people fall into doing
something sensible when things go wrong. Think of all the wasted effort
-- and even more wasted desire -- to do something after Katrina because
there was no way for most people to help. Preparedness is about getting
people to react when there's a crisis. It's something the military
trains its soldiers for.
This advice holds true for organizations, families and individuals as
well. And remember, despite what you read about nuclear accidents,
suicide terrorism, genetically engineered viruses and mutant man-eating
badgers, you live in the safest society in the history of mankind.
Bruce Schneier is the CTO of BT Counterpane and the author of Beyond
Fear: Thinking Sensibly About Security in an Uncertain World.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com