Fair Warning: America’s Critical Internet Infrastructure is at Risk
Updated with my suggestions for the datacenter industry
In my twenties I raised millions of dollars from George Soros to build a new kind of datacenter company — one that offered ‘neutral colocation’ (i.e. not controlled by a telecom carrier or internet service provider) on a nationwide basis. Today the company we built is owned by Equinix and the neutral colocation market that we helped start is estimated to be worth more than $30 billion growing to over $100 billion by 2026. That’s the good news. The bad news is that the datacenter industry provides our nation’s enemies with a very soft target — one that could potentially trigger the demise of western civilisation as we know it. I’m writing this article as a warning to the industry and law enforcement — we’ve got a huge problem and we need to take immediate steps to prevent an “internet 911” from occurring.
If you’ve ever tried to get into a datacenter or colocation facility you may have been shocked by the extremely high level of scrutiny you were confronted with — security guards, mantraps, retina scanners, hand scanners, badges, non-disclosure agreements, ID checks, and armed escorts. Just the other day I was in a facility that required you to pass through five hand scanners before you reached the datacenter floor. In my opinion these measures are silly in the extreme and are merely designed to create the perception of security — not actual security. In reality this irrational level of scrutiny creates a false sense of security as the entire colocation market could be compromised very easily with very little imagination and even less capital.
In 2001 nineteen al Qaeda terrorists boarded three airplanes armed with $2 box cutters and killed 3000 people on American soil. The whole affair cost between $400,000 and $500,000 to execute but cost the United States more than $100 billion in property losses and more than $2 trillion in economic damages. For the same money one could easily paralyse global financial markets and cripple every industrialized nation by targeting as few as thirty-one datacenters here in the United States — reducing global GDP by $30 trillion in one fell swoop.
While it is a nightmare to get in the front door of a modern datacenter it is comparatively easy to get in the backdoor. Recently I was asked to work on a movie treatment that required me to research just how easy it would be to cripple global financial markets by destroying just a few datacenters. Based on my research it would be pretty damn easy. Without any trouble I was able to license one server rack in thirty-one key datacenter facilities across the United States including:
- 4 Facilities in 111 8th Avenue (New York City)
- 5 Facilities in 60 Hudson Street (New York City)
- 5 Facilities in One Wilshire (Los Angeles)
- 1 Facility in 36 NE 2nd Street (Miami)
- 2 Facilities in 50 NE 9th Street (Miami)
- 3 Facilities in 2323 Bryan Street (Dallas)
- 3 Facilities in the INFOMART (Dallas)
- 3 Facilities in 2001 Sixth Avenue (Seattle)
- 5 Facilities in Equinix (Ashburn)
By targeting these facilities one could easily cripple ALL cellular communication (connections, servers, internet, text, voicemail, 911, SS7 signaling), stoplights, scores of IoT services, email from most major providers, most supply chains, credit cards and ATMs, the stock market, the FBI and CIA communication and data capabilities, and the underlying functions of the internet including DNS and SSL. The distribution of our nation’s critical infrastructure in carrier neutral facilities IS the reason they are vulnerable.
In my treatment I explained how each of these facilities agreed to license me a rack and provide remote hands services to install my servers and connect them to the internet (without me ever leaving my home). These companies had no idea who I was or what business I was in. Their biggest concern was how much ping, power, and pipe I needed — and if I could pay. Little would they know that each of my servers would contain high explosives simply waiting on a keystroke over the internet to detonate. I detailed how a standard 4U server could hold a significant amount of INFERNIT® 45 explosives made by Semtex (BTW the INFERNIT product does NOT include a marking substance for pre-explosive detection). Each rack can hold nine servers — basically enough to destroy 1620 cars or any modern datacenter. The total cost of assembling, shipping, and installing nine servers filled with explosives in thirty-one datacenters is approximately $450,000 — appallingly inexpensive. The scariest part of this plan is that it can be executed by a single person, i.e. a lone wolf with very basic technical skills.
I won’t detail how to acquire the Semtex or how to connect the servers to the internet, but the world is filled with very smart people who could do both very easily. The truth is that the datacenter industry is focused on keeping bad actors from entering the front door when they should be more worried about bad actors coming in from the back door. It didn’t take me very long to come up with this simple plan to cripple the Internet and it is my worry that our enemies are significantly smarter than I am — moments later I came up with a second plan (I suspect together we could come up with scores of ways to cripple our nation). In that vein, perhaps even more important than the back door of data centers are the roads that lead to these facilities.
The biggest and most important neutral datacenters are located in multi-tenant office buildings (think 60 Hudson, 1 Wilshire and the Westin Building) aka telecom hotels. Each of the datacenters in these buildings runs on glass and that glass has to enter these buildings from public rights of way located just under the street outside the building. Most telecom hotels have two or more “entrance” facilities that allow telecom and internet providers to deliver their fiber optic cables inside — these manholes, by necessity, are accessed by scores of telecom carriers with little or no oversight. Basically, anyone with a white van can park next to one, put out a few orange cones, and gain access to all of the fiber optic infrastructure serving these buildings, and since these manholes are in the public right of way the building owner can’t stop them.
Depending on the building, you’d need two or three teams to simultaneously drop incendiary devices (glass melts at 2600°F) into each manhole and each datacenter in the telecom hotel would go dark. If the teams worked in unison, at night, carefully replaced the manhole covers, and quietly drove away it could take hours for the providers inside to figure out where the problem was — it is likely that much of the internet would be down for weeks (best case days). We spend so much time and effort screening shampoo and shoes we ignore the really big risks right in front of our noses. Our reliance on the internet cannot be overstated — we need to start thinking about protecting our critical infrastructure.
- Develop standard procedures for the screening of colocation customers (much like banking regulations that require financial institutions to “know your customer”).
- Develop standard procedures for inspecting equipment as it enters the building. Train datacenter staff on possible threats and arm them with technology to detect explosives and other risks.
- Develop standard procedures for access to entrance facilities. Require those parties who must access entrance facilities to receive background checks and obtain a permit to access manholes. Install alarms and cameras in and around each entrance facility and train building security to confront all parties attempting to access entrance facilities immediately.
- Get serious about protecting internet infrastructure — spend more time thinking about the risks and start implementing them before it is too late.
The good news, as some of you have mentioned in comments on Facebook, LinkedIn and Twitter, is that much of the internet has moved to the cloud (with Amazon being the largest cloud provider in the space). The bad news is that much of the cloud is actually located in carrier neutral datacenters — as many as 1,600 cloud providers aren’t located in Amazon, choosing instead, to be located in neutral facilities throughout the United States:
About The Author
Alexander Muse is a serial entrepreneur, author of the StartupMuse, contributor to Forbes and managing partner of Sumo.