(This blog was originally published in January 2013 – but it looks like the issues it highlighted, and particularly the vulnerability of the global banking system, is back in the headlines)
The New Year period is traditionally a time for lists and compilations, and in the security world this tends to be focused around the ‘Ten Biggest Threats of the Coming Year’. Climate problems are undoubtedly at the top of most people’s lists, and not only because of the stark reminders of the fragility of our constructed world in the face of the forces of nature as demonstrated by Hurricane Sandy hitting the east coast of the US, bush fires across Australia and New Zealand, or the memories of ten years ago brought back by ‘The Impossible’, the story of the 2004 Christmas Day Indian Ocean tsunami. There is no doubt that the impact of natural disasters is growing – the Annual Disaster Statistical Review 2011(1) notes that despite the drop in numbers of catastrophic events in 2011 compared to the previous year (from 386 to 332), the numbers of victims rose from 217 million to 245 million. There are a number of reasons for this, not least the growing concentration of ‘megatropolis’ conurbations on coastal areas, which leave them increasingly vulnerable to high-impact storms and flooding. 2007 was the first time in human history that over half the world’s population lived in urban centres, and it is estimated that the current number of 19 ‘mega cities’ (ie population of over 10m), will grow to 27 by 2020. Mega cities bring their own problems, including traffic congestion, pollution (air, water and natural environment), energy shortages, illegal development and creeping (and often rushing) expansion at the peripheries by what are often unplanned and unmanaged settlements. Across the world, the fastest growing trend in urbanisation is the growth in slums, leading to a self-fuelling cycle of social exclusion and increasing poverty, where lacks of basic facilities lead inevitably to ever growing likelihoods of catastrophic and fast-moving health hazards.
However, as well as these ‘landscape’ crises, as they were labelled by Professors Arnold Howitt and Herman Leonard of Harvard University (on the basis that if the crisis you are involved in changes the face of the planet, and can be seen from space, you are probably in trouble!), there are other, more infrastructural problems that are undoubtedly bubbling away under the surface, and which are regularly signalling their presence, much like the occasional eruptions of hot springs that give a clue as the vast pressures operating just under the surface. One is the issue of critical national infrastructure, which is becoming a major topic of discussion and research, both in terms of protection but also in terms of post-event operational sustainability. I have been invited to chair the second day of the Protecting National Infrastructure Conference at the Counter Terror Expo at Olympia in April (2), and if anyone reading this article would like to discuss matters associated with that area of interst, I would be happy to hear from you.
However, as challenging as all of the above problems are, they are also problems that come within the ‘We’ve thought about it and hopefully we can do something about it’ category. The scenario that I have been using as an example of the truly ‘Wicked Problem’ in my own work for the last couple of years is the breakdown of global banking IT systems, which at one stroke would leave vast areas of the population to survive purely on the money that they happened to be carrying at the time. Warnings that the underlying support systems behind global internet banking are reaching the functional limits of their operational complexity were seen when problems with RBS and NatWest computer systems left up to 12 million people without access to their money in June last year, and there were similar problems with Lloyds Banking Group (which includes Halifax and Bank of Scotland) in October. Similarly to the bank IT failure in South Korea that left 30 million customers affected for over a week in 2011, such stories seem to have a natural trajectory. Initial triggering, followed by a quick response by the company to say that they are working on it; the company then says that they have a solution which will be implemented and the problem will be fixed; it then seems that the problem is more complicated than first thought, and a range of interventions do not work, and it is then reported, either by news sources or by the bank themselves in an effort to deflect responsibility, that actually the cause of the meltdown was not within the system, but because of human error by an outsourcing company that had been tasked with managing the IT system (and who had undoubtedly won that contract on the basis of lowest cost….).
The reality of any ‘major crisis’ (as opposed to ‘normal emergencies’), is that the initial triggering event often becomes increasingly unimportant in the grand scheme of things. The original impact of Hurricane Katrina was soon superseded by the consequential problems that it caused, including the rescue of thousands of stranded citizens, the housing, feeding and caring of tens of thousands of homeless people, the restoration of a city, the preservation of public safety in light of the impact on critical infrastructure, the impact on adjacent jurisdictions and, on another level, the political implications of the perceived failures of the government, the emergency management community, the homeland security agencies and the President himself, who was seen to embody those failures on the public stage. However tragic (and, though that is another story, unnecessary) the suffering was in New Orleans, it could still, from a certain height, be seen in terms of an event that could be isolated and managed whilst maintaining the normal operational status of the rest of the country. A banking IT crisis would move into a completely different territory, reach a new level of complexity in terms of its impacts, and demand a new level of response and management capability from the government at every level of operation, from national policy down to local support.
The realities of the modern globally inter-connected world (the cause of the RBS IT meltdown was identified as a single IT operator in India), means that rather than developing over time – even if that is days or weeks – 21st century crises can manifest almost instantaneously, and the cascading nature of their effects can spread across the world before the even the most rudimentary of defences can be deployed. I am certainly not complacent about the threat from global warming, population growth, urbanisation , food shortages, water disputes, global pandemics, species-jumping viruses, volcanoes, earthquakes, tsunamis, drought, rising levels of greenhouse gas emissions, growing political instability, rogue nuclear states, lone-wolf terrorists or unforeseen consequences of innovative bio-technology… but the one that really keeps me awake in the small hours is what will be the pictures on the world news seventy-two hours after the crash of global IT systems means that every bank account in the world reads £00.00. Happy New Year!