Plan B is Plan A, with an element of panic. – John Clarke
Multinational corporations have sites around the world – that’s how they get to be multinationals, after all. These multinationals have to link up their sites around the world. Internet lines are cheaper than MPLS circuits, so how about setting up VPNs on local Internet lines for secure communications? Costs are cut, people are happier, and the VPNs keep things secure.
But then, an event happens in one of those nations that makes the leaders of that nation decide they are going to decrypt all traffic or, failing that, block encrypted traffic outbound or inbound. They set up rules on the routers that handle their nation’s connections to the global Internet and that’s that. Now that low-cost VPN simply will not come back up because the maintenance traffic required to set it up and keep it going is being blocked. After all, the terrorists / rebels / armed opposition / coup leaders / coup victims / journalists / other assorted enemies of the state use VPNs to get their information, and it’s not like there’s a special protocol for business-only VPNs.
And if there were one, it would also be blocked, just in case an enemy of the state worked at a place with a B2B VPN.
So, the VPN is down. What are your options?
1. Plain text transmissions. OK, this is a joke, really. I mean, yes, technically, it is an option, but hardly a realistic one. Let’s look at the others.
2. Data transit via mail or courier. Erm, all right… but that’s going to be slow, and there’s no guarantee that it won’t be intercepted at the border and opened up there. At least it would only be a few border guards and any industries connected to the state security apparatus that see that information instead of the whole world… but, my, is it ever slow. And costly.
3. Provision an MPLS circuit. Well, this is fast and secure, once it’s set up. But provisioning one of these takes time and planning. How much more time and more planning during a time of national emergency, I can only imagine…
Looks like that’s about it. This is not a case where engineers pull out reference materials and troubleshoot or rebuild things to solve the problem. This is a technical problem emergent from a political reality and, hold on… I have another option…
4. Political appeal. This might be the fastest, cheapest, and best solution. Have a contact person with the national government work out some sort of arrangement. Now, if this is a government that is willing to cut off all privacy in order to haul in enemies of the state, there may be some sort of content filtering and alerting required for your network to get that VPN back. Or, in other words, the government may well require that it be notified if any of your employees are doing things that would get them on the list of enemies of the state. Citizen employees will be arrested and foreign employees will be deported, so this option goes with some very strict reviews of what’s on that very recently updated acceptable use policy.