“Just in Time” Needs to Become “Just in Case”

On 12 December 2019, Chinese broadcaster CCTV announced that a new viral outbreak had started in the city of Wuhan. While the first confirmed case was on 17 November, it was not until more cases came to the attention of authorities – in a way that they could not ignore – that the Chinese government began to publicly acknowledge something new was underway. Following that 12 December announcement, the world began to transform. As output ground to a halt in much of China, factories depending on Chinese raw and intermediate goods had to slow or stop production. The lesson learned was both sharp and timely – “just in time” methods of production left firms vulnerable to disruptions in the supply chain. If firms kept a reserve of parts, those could have lasted through at least some of the lapse, if not all of it, and would have allowed for less economic dislocation.

Part of the “just in time” mentality of go, go, go all the time is the ideal of “five nines” or even “six nines” – 99.999% or more uptime for all systems. While, yes, this does mean the product always moves out the door, it also means that the things making those products go unpatched and unprotected for long stretches of time, making them prime targets for attackers. Those vulnerabilities leave the firm just one click on an email attachment away from utter ruin.

Just as there’s an argument to be made for adding some storage capacity to help weather supply chain shocks, we need to talk about “two nines” uptime as a way to avoid eventual “infinite zeroes” uptime conditions. If you give me 100 minutes each week – roughly the downtime that two nines allows – I can get a breathing space to apply needed patches on production servers and equipment. If I don’t need a week’s 100 minutes, let it roll up into next week – maybe I’ll need more time to apply the next patch, who knows? But let me have a reserve of time during the working year so I can do my job to patch and protect. Let me reboot gear that needs its queues cleared, let me stop and restart services on servers, let me keep things up to date so we can spend the other 99% of the time feeling more confident about the resiliency of the environment… just in case, ok?

I’m aware that executives in most nations have a fiduciary duty to maximize shareholder value. That’s a short-term goal that is itself replete with abuses when it treats employees as expenses as opposed to capital or when it looks at wages as a race to the bottom. I’ll leave those criticisms of neoliberalism for another paper at another time. But here is where I criticize those fiduciary duties as regards security. Maximizing shareholder value means minimizing expenses in the short run, and security is seen as an expense, not as an investment. Current accounting structures leave the books unable to properly assess the value of a security system in its ability to provide long-term stability and constancy. I would love it if share prices for a firm jumped every time it announced it was undertaking a security project. Sadly, they’re more likely to drop, as those expenditures for security are seen as short-term profits lost, not long-term profits gained.

In the meantime, I’m reading headlines about increases in ransomware and other attacks using email attachments with references to coronavirus, COVID-19, and even SARS-CoV-2 to successfully penetrate those PCs bridging traffic between the raw Internet and the corporate VPN, because it was cheaper to use a split-tunnel solution than to backhaul all the Internet traffic through the corporate networks – and also because it was seen as “nicer” than banning non-business related Internet usage for devices on the VPN. I know I’m getting into just one of the technical weedpatches of issues; there are others… and if firms could see their way towards working more for the long haul than the short-term gain, we’d likely have the right solutions instead of the cheapest and easiest, which are never the strongest.
