Following the recent arrest of a man who was allegedly plotting to blow up an AWS data center, operators of computing facilities – and other digital infrastructure – are facing an important question. Was this a beginning of a trend, which would require a reaction on their part, or was it an isolated freak incident, in which case everybody can carry on as usual?
Several industry experts DCK has talked to believe that carrying on as usual isn’t an option. At a minimum, operators should review their security posture, emergency action plans, and disaster recovery plans. Beyond those basics, the foiled data center bombing plot can be used as impetus for investing in things like vehicle access control or monitoring corners of the internet where the conspiracy-minded congregate.
Earlier this month, the US Department of Justice arrested and charged Seth Aaron Pendley of Texas with malicious attempt to destroy a building with an explosive. According to authorities, he was planning to blow up an AWS data center in Virginia with C-4 in an attempt (in his words) to "kill off about 70 percent of the internet" and bring down "the oligarchy."
Pendley had previously boasted online about being at the US Capitol on January 6, when an angry mob of Donald Trump’s supporters broke into and vandalized the Capitol Building – a riot that led to multiple deaths. Congress later impeached the former president for “incitement of insurrection.”
Following the riot, AWS discontinued services to Parler, for months shutting down the social network that was said to have been a primary platform used to plan the riot. When its decision became public, a comment by a Parler user suggesting “someone with explosives training” could “pay a visit to some AWS data centers,” prompting Amazon management to put its data center staff on high alert and postpone big changes or updates to services for several days.
It’s unclear whether Pendley’s actions were at all inspired by AWS pulling the plug on Parler.
AWS Data Center One of Many Potential Targets
This wasn’t the first time a company was caught up in a politics-spurred conspiracy with a potentially violent outcome of course. In 2016 an armed man was arrested when he tried to "self-investigate" the "pizzagate" conspiracy theory by shooting off his gun inside the Comet Ping Pong pizzeria in Washington, D.C. after a fake news story alleged that the restaurant was a site of a child sex ring.
But targeting data centers is a new development. And since these attackers aren't rational, their attacks can be hard to guard against.
Anyone is a potential target, and there’s no shortage of reasons tech giants like Amazon can be targeted for.
"Every digital giant is a target… Amazon, Apple, Facebook, Google, Microsoft, and Twitter," Ray Wang, principal analyst and founder at Constellation Research, told DCK.
Any of the big corporations that have been publicly coming out against voter-suppression laws in Georgia could be a target. Anyone else who shares a data center with one of the targeted companies or gets caught up in the latest conspiracy theory could also be targeted.
This is a good time for data center managers to examine physical security of their data centers, or their colocation or hosting provider, as well as their disaster recovery plans.
For companies that already monitor the dark web for potentially threatening chatter, it might be time to add conspiracy sites to the lists of sites they keep an eye on.
Not Everybody Can Have a Moat
Most data centers already have some degree of physical security in place, such as access control. But that won’t stop a bomb being placed against an exterior wall.
"Some data centers have a walled campus," said Vladimir Galabov, head of the cloud and data center research practice at Omdia. "For example, I've been to a Tencent data center in Asia that has a big campus with a wall. It's constructed like a fortress."
But there are plenty of data centers that are more accessible. "There's nothing physical to stop you from getting close" to those facilities, he said. "You do have security at the door, fingerprint technology, passcodes. But if a bomb explodes, that data center is gone."
Traditionally, data center managers haven't had to think about bomb threats, he said. "There's been a bit of a trusting attitude towards the environment in some locations globally."
It's often not obvious that a particular facility is a data center serving a particular company, and “that's probably a good practice,” Galabov said. "Don't advertise your data center, in case people have issues with your clients or your brand because of something in the news."
Some conspiracy sites specialize in doing research to uncover just that kind of information, so security by obscurity offers no guarantee in the physical world, just as it does in the digital one.
It's not always practical to build walls or moats around data centers. Such things are out of the question in a densely populated city, for example.
But there are some physical defenses that could be added, however, like safety bollards that are a standard practice for keeping vehicles from driving up close to buildings and perimeter cameras.
Beyond that, data center managers have to plan for what happens if there is a physical attack. A good disaster recovery plan goes a long way, with or without bomb threats.
Solid DR Should Be the Default, But It Still Isn't
Cloud providers like AWS offer customers the option of distributing workloads across multiple availability zones. If there’s an outage in one location, the workloads can continue running somewhere else.
"Historically, critical systems have not been significantly impacted by cloud outages because of their business continuity planning," Jim Reavis, CEO at Cloud Security Alliance.
Pendley's failed bomb plot would not have taken down 70 percent of the internet, Reavis said – not unless Pendley had an army of co-conspirators (who would take out other locations at the same time).
But applications in the targeted data center that didn’t have redundant infrastructure elsewhere – a situation that’s still far too common – would go dark.
Enterprises may also need to consider having their backups with a different provider. That can be logistically challenging, though vendors that support multi-cloud deployment models have been popping up.
Companies that have on-premises data centers might consider using cloud services for emergency backups, even if they're not ready to go all-in on cloud.
"In 2021 [multi-cloud] should be every enterprise’s strategy," said Omdia's Galabov. "I’m not saying you should move all the workloads to the cloud, but figure out how to use the availability of technology today for your benefit. For backup it's particularly easy. Cloud storage is not costly to set up."
Conspiracy Theory Monitoring
Some companies already employ threat hunters to scour the dark web for concerning chatter. Their customers’ data being sold could indicate a breach.
Security company FireEye, which discovered the massive SolarWinds breach, came to the discovery after learning that its own Red Team hacking tools were being sold on the dark web.
For companies that don't have teams of threat hunters on staff, there are third-party services that will monitor the dark web on your behalf. They typically monitor for mentions of the company name, employee credentials, customer credentials, offers to sell stolen credentials, or requests for customized exploit kits targeting the company's industry sector.
It might be time to add conspiracy sites and data center addresses to the watch lists. Providers who serve multiple customers, such as colocation companies, can also watch for chatter about their customers.
"Lone-wolf attacks are the hardest to predict," said Shawn Fitzgerald, a research director at IDC. "Think of the Unabomber (Ted Kaczynski), back in the day." But today these fringe groups have an online presence. "Like in the AWS story, they often leave digital fingerprints and a trail of communication exchanges."
Pendley started out with postings on MyMilitia.com, where he said he was planning to "conduct a little experiment" that could "draw a lot of heat" and could be "dangerous." When another user asked what outcome he wanted to see, he said, "death," according to the DOJ report.
"The FBI recently stated US-based and home-grown terror groups are the single biggest threat on US soil," said Fitzgerald.
Data center security managers should also establish connections with local law enforcement and other first responders, said Dirk Schrader, global VP for security research at New Net Technologies, a cybersecurity vendor.
"Any reason can serve as motivation to violently attack a data center," he told DCK. "The fact is, being a potential target for violent attacks needs to be factored into any organization’s risk management program."
The FBI did a great job stopping Pendley before he could do any damage, but an incident like this can trigger copycat plots, Fred Burton, executive director of the Ontic Center for Protective Intelligence, warned.
"So, out of an overabundance of caution, I would certainly encourage security managers to take advantage of the incident to reassess their own threat posture, update emergency action plans, rethink physical security measures to include access control for vehicles," Burton said. This threat was stopped in time. "The next one may be different."