The Dilithium Crystals Might Be Melting
For those born after the mini-computer era (coterminous with the original Star Trek), dilithium is the fuel used to power the warp core propulsion system needed for interstellar travel.
Dilithium is both naturally occurring and rare, and when it melts from overuse of the warp core, the starship is basically kaput. This metaphor makes sense if you keep reading. I could have used “The Russians Are Coming,” from the same era, but it might have seemed too on the nose. So dilithium it is.
Russia recently stepped up the hacking operation that brought us SolarWinds, and we seem to be sabotaging ourselves with insufficient employee-focused software to run some of the largest tech companies (talking about you, Amazon). Neither of these trends is good, and both can be prevented, because there are products on the market if we’d only use them.
Two articles in the New York Times drive this piece. One is about Russia’s recent stepped-up hacking operation, which began with SolarWinds. The other is about Amazon’s embarrassing (to the extent it can be embarrassed) inability to build the systems it needs to manage personnel.
Spies Will Be Spies
First, according to Microsoft, everything seems to link back to Russia. After lying low for a while, Microsoft said, the Russian security service has mounted yet another attack on America’s cyber-everything to steal data and disrupt business as well as government.
But you might not want to place all the blame on the Russians. John Hultquist, the vice president for intelligence analysis at Mandiant, which detected the earlier SolarWinds hack, noted simply that, “Spies are going to spy.”
According to Microsoft, over the last three years it detected over 20,000 attempted attacks from the rest of the world, and it said it had recently notified more than 600 organizations of roughly 23,000 attempts on their systems from a small number of countries that includes Russia.
“Spies are going to spy” boils down to a tacit admission that corporate America might not have learned its lesson and beefed up its cybersecurity enough after the last several events of this kind.
It appears that in the headlong rush from the data center to the cloud, some companies might have been under the delusion that their security was now outsourced to the infrastructure providers. You might suppose that physical security is now someone else’s responsibility, but there are other layers of security, the ones the customer still controls, that may not be as bulletproof.
IT Must Participate
All the hacking is being done without physical assault. This should not be an ad for Oracle, but if you cover the industry, you can close your eyes and think back to the last few OpenWorld conferences where CTO Larry Ellison presented the benefits of his company’s Autonomous Database and Autonomous Linux.
Ellison’s shtick would always include the dire warning that the average IT department takes about 13 months to apply a patch once a vulnerability is detected and a remedy is made available. You don’t need to be a weatherman to know which way the wind blows, and you don’t need to operate at warp speed to be able to disrupt systems that take more than a year to freeze you out.
Spies are gonna spy and wolves are gonna hunt, but sheepdogs must be on patrol too. IT must play its part, and it seems that too many leaders might be taking their time or even rejecting Microsoft’s and others’ advice to harden their systems. (I almost wrote “vaccinate their systems” but, again, maybe too on the nose?)
For certain, the articles I read about this hacking say nary a word about penetrating Oracle cloud systems, but perhaps that’s just an oversight. Then again, why work hard to overcome Oracle’s security when there are other, easier targets?
Amazon’s HR Issues
Not to be outdone, it seems Amazon might be giving an unwitting assist to bad guys intent on disrupting business and the supply chain. Amazon’s internal systems, dedicated to managing employee time off, with or without pay, seem to be no match for the demands of a workforce numbering well over a million and growing fast.
In a way it’s the old story of the shoemaker’s kids going barefoot. There are numerous examples in the press of employees being underpaid or erroneously cut off and, having exhausted their reserves, going broke, losing cars, and hocking valuables, like their wedding rings, to keep roofs over their heads while they try to straighten things out.
With such a large workforce, you can imagine that when systems like this break there aren’t nearly enough people in HR to handle the caseload, which results in unnecessary hardship.
In one particularly damning situation, an Amazon worker in Washington state was terminated because Amazon’s unpaid leave policies didn’t correspond with the statutory requirements of its home state.
I’d like to be charitable and say something like “everybody makes mistakes” or “to err is human,” but those bromides seem grossly mismatched to the industry and the times we live in. According to the article, the company seems to have spent its attention on the user experience rather than on the nuts and bolts of keeping the machine running.
If that’s true, Amazon is far from unique. The recent news also has plenty of pieces in the Wall Street Journal and elsewhere about Facebook working to preserve the status quo that best supports its business model rather than making substantive changes to the systems that could protect users.
We use metaphors like dilithium to explain difficult concepts, and melting is a sure illustration that a system will fail, possibly catastrophically, unless we act.
System security and support for internal business processes don’t make money, not directly at least, but they are the necessary ingredients of the secret sauce. Not attending to those — and the consequent and preventable failures they cause — is a symptom of the times and the continuing immaturity of the industry.