Let’s admit it, risks usually play a subordinate role in our daily thinking – they usually and hopefully don’t happen or only happen to others. If they do happen, there is nothing we could have done in advance anyway, and thinking about them only attracts misfortune. We are masters of this mental self-soothing. Surprisingly, this strategy of risk-ignorance leads to remarkable partial successes, even if they are not useful for predicting the future: Every year without household contents insurance, but also without damage, saves the annual premium, even if this is not necessarily set aside to cover damage that is nevertheless always possible. In infrastructurally, socially, politically and financially secure conditions, such as those that prevail in Switzerland, this way of thinking is often found in the private sphere. The Internet is almost always up and running, and power and other supply failures are rare. Ever since the reliable Swiss Federal Railways had the misfortune of not running anywhere in Switzerland in June 2005, everyone who was traveling by public transport at the time has had a funny story to tell about how they got home. However, most people still don’t have a really effective “Plan B” should something like this happen again.

Private: Low risk sensitivity

With an infrastructure that almost always works flawlessly or with few errors, it is not surprising that outages are now met with great incomprehension and are discussed at length and excitedly on social media. How can internet services such as Netflix have the audacity to go down on a weekend of all days? That an availability of more than 99% is delivered over an Internet infrastructure which guarantees nothing, because it was not built for permanent availability, is then quickly forgotten for lack of proper management of one’s own expectations. Few people consider, even mentally, how their own compulsory stockpile should be organized if important infrastructures really were to fail for a longer period of time. Even the special “Blackout” produced by Swiss television SRF in mid-2017 met with surprisingly little lasting response in this respect.

High expectations of infrastructure and service providers

Fortunately, a rethink is taking place in the corporate environment in this regard – of course, here too, people do not like to spend more money than necessary on emergency plans and precautions that are hopefully only practiced and never needed in an emergency. Nevertheless, laws and regulations on basic concepts such as the duty of care and proper, non-delegable “corporate governance”, including responsibility for precautions to maintain company operations in the event of physical and logical (i.e. IT-induced) disruptions, require the development, practice and updating/improvement of corresponding concepts and plans. Woe betide the company that, after an incident not cushioned by appropriate measures, has to explain to disgruntled customers that no appropriate precautions had been taken for reasons of cost, lack of know-how or sheer negligence. The harsh reactions to the denial-of-service attacks on web stores in Switzerland last year provide a foretaste – on the one hand, of the expected disruptions to normal operations and, on the other, of how little understanding customers and the public still have for failures in a range of infrastructure and services that is now taken for granted.

Discrepancy in expectations

It seems clear that the discrepancy will not resolve itself: on the one hand there is the very implicit expectation of a basic supply with sufficient service availability and quality, and on the other the cost of maintaining these services in both normal and crisis situations under a constantly growing threat situation. The threat situation will not disappear – on the contrary, the report “The Global Risks Report 2016, 11th Edition” by the World Economic Forum lists cyber attacks and any resulting outages of critical supply infrastructures as one of the “top five” risks, especially for Switzerland, which has a secure infrastructure but is also attractive to attackers. Without further educational measures on the part of service providers as well as the responsible authorities in the area of national economic supply and civil protection, there will be no rethinking on the part of service users potentially affected by outages, and without that rethinking the ever-widening gap between reality and expectations will not close again, even somewhat.

Plan “B” for the indispensable

So does it now make sense to return to the Cold War réduit mentality and stockpile emergency supplies at home for weeks of supply infrastructure outages? Well, at least in part, the unsurprising answer here is: “yes”. In the private sector, it is certainly not wrong to take a critical look at the daily or projected one- to two-week requirement for physical or logical (i.e. mostly IT-related) supply goods and services to determine how “indispensable” the relevant elements really are and how to deal with unavailability. If the goods or services are really indispensable, a corresponding stock or (especially in the case of virtual goods) a usable replacement service must be arranged, provided that this redundancy appears to be financially viable and affordable. If goods can be dispensed with or the provision of a replacement is too costly, this must be accepted. While this is still intuitively understandable for everyday necessities such as food, water, energy, etc., the same thinking must now be applied to virtual goods and services such as the availability of (now mostly IP-based) telephony, mobile telephony or the Internet with its large number of information, communication and entertainment services. It is therefore necessary to assess how critical such longer-term outages really are and what substitute services, including good old books or board games, are available and acceptable on an Internet- and TV-free evening or weekend. In any case, the author is happy to have his physical and virtual “emergency supplies” and hopes (surely like the rest of the population) that he will rarely or never have to touch them in an emergency. What is also crucial and reassuring, however, is the (deliberate) realization that IT infrastructure failures in the private sector are not as dramatic as initially perceived.

In the sense of a “public-private partnership”, providers and authorities continue to have a great responsibility to harden our critical infrastructures against the expected instabilities and attacks, to identify possible failure scenarios and to keep both the probability of occurrence and the expected extent of damage at an acceptably low level by regularly practising and updating countermeasures. Although this may again encourage the “it can’t happen here” thinking described at the beginning, a physically and logically secure supply in Switzerland is always preferable to the unstable supply situation in other geographies, despite the additional effort involved.