return to ICG Spaces home    ICG Risk Blog    discussions    newsletters    login    

ICG Risk Blog - [ Systematic 'terrorism tax' to be levied against Indian BPO and data outsourcing assets ]

Systematic 'terrorism tax' to be levied against Indian BPO and data outsourcing assets

  #

[India has] become a magnet for terrorists both within its borders and all across Asia, and these terrorists have easy access to state money and resources (unlike, say, "entrepreneur" terrorists in Iraq)... [Pakistani] state (ISI) and non-state interests within Pakistan are interested in destabilizing India in any way possible. Meanwhile, in India's Kashmir province, local militants have been waging a war against the state for decades. India's population of 200 million Muslims and many millions of Sikhs provides a large, ineradicable, and discontent population base for terrorists… India is [a] target for pro-Chinese interests in the region [now that New Delhi has formed an informal defense alliance with the US]…

In Indian Pipedreams, January 2006, we said, Political attacks have turned economic in India. The Mumbai bombing will be the first of many more. After the initial obligatory apologist comments in the wake of the 2006 Mumbai attack that nothing was amiss (which mirrored those after the 2005 Bangalore attack), offshore outsourcers wanted to know about their Indian vendors' disaster recovery and business continuity planning, their state of operational readiness and just possibly how those plans meshed with those of the clients. Many such questions will be raised with increasing frequency in India.

John Robb has rightfully made a cottage industry out of the heretofore too often overlooked concept of systems disruption in which "a nation-state's economic and societal infrastructure" becomes a far more attractive and achievable target that its "conventional armies":

[Our] large urbanized population centers are reliant on a complex set of relatively automated infrastructures. The operational objective of the global guerrilla warfare will be to separate a large urban population from its infrastructure and take advantage of the collapse and chaos that results.

It is essential to understand that outsourcing infrastructures mirror the advantages and risks of virtually all commercial systems and their supporting IT systems:

Vulnerability of commercial supply chains:

  • Designed for economic & production efficiency
  • Not designed for security
  • Backward re-integration of security can be disruptive and costly, invariably leaves exploitable holes

Commercial versus terrorist supply chains:

  • Commercial: Economic efficiency & Production efficiency
  • Terrorist: Attack success at acceptable risk - where "acceptable" risk can be the attackers' death
  • Different goals, different way of thinking - defenders have no asymmetrical mindset, guard the wrong things, lull themselves into a false sense of security

Substitute IT streams to/from Indian BPO services and data facilities serving finance, banking and operations for the gas flowing through Gazprom pipelines in Georgia and outsourcing will soon experience the same kind of outages which Robb described as:

  • Even entire nations are vulnerable to systems disruption.
  • Systems attacks can provide amazing leverage. An afternoon's work knocked out a country for more than five days.
  • It can be repeated again and again. The attack was simple, the vulnerability is vast, and the attackers weren't caught (nor are they likely to be).

I might add that multiple attacks can be stacked in a manner that attacks different parts of, and locations within, the system. Net net, the system could be substantially or frequently down without executing the same attack twice.

Speaking like true defenders, an otherwise very thoughtful finance colleague's comment that "The Arabs can't drink the oil" matches Putin's comment that "Killing the [fuel and energy sector golden] goose would be insane, stupid and unacceptable." Some Arabs would be happy to keep the oil in the ground or interdict its transfer and there doesn't have to be many of them to interrupt supply. The same applies to Indian outsourcing; sad to say that acknowledged outsourcing advisors like Forrester and Gartner appear immune to terrorist and Intellectual Property (IP) threats. See:

Both Robb and ourselves were impressed by Demir Barlas' The Indian Supply Chain that applied Harrigan and Martin's terrorism tax to the Indian condition. Add our "twofer" concept (direct damage to the Indian state and its ability for economic gain, and indirect damage to US and European firms, succeeding in India where an attack on US/EU soil would be prohibitive in terms of placing surveillance and strike teams on the ground) to Barlas' analysis and the conditions are ripe for US/EU outsourcers to revalidate their risk appetite, reconsider their outsourcing strategy, and institute realistic and appropriate protection measures.

In assessing the viability of cities "in the face of catastrophes such as terrorist attacks," Harrigan and Martin analyzed why cities form and prosper, concluding that "the same forces thought to lead to the formation of cities - namely, the economic gains derived from the proximity of firms to markets, suppliers, and a large labor pool - help to preserve cities at risk of terrorism and other catastrophic events." Whereas a "onetime terrorist attack on a major city [that] does not increase the ongoing costs of doing business in the city [will have] no long-run economic effect," a terror tax rises from a continuing threat that "imposes ongoing costs" [that] exceeds a critical level [so as to] disrupt a city’s agglomeration forces."

The terror tax "reflects the costs associated with such hardships as fear, higher insurance rates, and security-related delaysdetracts from firm profits or worker income without funding improvements in infrastructure or services, as a typical tax might." Workers are driven away in the absence of a wage premium that the city can no longer pay. Harrigan and Martin state that the "future viability of urban life would be threatened only if all of several conditions existed":

  • firms were unable to obtain any private insurance,
  • the nation offered no financial assistance in the event of an attack,
  • an incident of the destructiveness of September 11 was expected to occur every year, and
  • the balance of forces that sustains agglomeration is even more fragile than the model simulations suggest.
  • India's cities no not need to dissolve but only attrite in the face of rising costs

While these assumptions may be necessary and sufficient to collapse a city, an asymmetrical attacker need only incrementally degrade India's cost, availability and response advantages. Back to Barlas:

India's entire IT/BPO industry, which is worth tens of billions of dollars, is motivated by the relative cheapness of doing business in India. When terrorism disrupts this dynamic and forces India to raise prices, internally and externally, margins will be sacrificed and some business will go elsewhere…

The argument can be made that India's role in the information industries is exempt from disruption. After all, while the delivery of energy is something that can easily be physically sabotaged, disrupting the delivery of services is more complicated (there isn't a single node through which most or even many Indian BPO workers travel, for instance).

However, this disruption can be achieved indirectly through the levying of a terrorism tax that will raise the cost of doing business in India to an unacceptable level for Western companies. With margins shrinking all over the globe, a terrorism tax of 10 percent may be sufficient to drive a large amount of business elsewhere. Terrorists don't have to topple the Indian economy; they only have to shrink it.

To some extent, we have already seen how the Indian IT/BPO machine is vulnerable to system disruption. The HSBC fraud case, for example, impacted only a handful of customers directly, but has reached millions of people via the media, and may be responsible for some high-profile pullbacks from India.

Along those lines, terrorist attacks that degrade India's service delivery capacity even marginally will cascade across the entire Indian supply chain. The Mumbai attacks demonstrate that local guerrillas have begun adopting the "best practices" of the global marketplace of terrorism, and there is no reason to think that they will stop.

If Barlas excites you 'as is', your concern will rise when you understand the quantum leap in skills and organization involved in the Mumbai bombing and the pressure on an unprepared, understaffed local Hindu police force attempting to operate against large, poor Muslim neighborhoods:

  • The attack: "[T]error attacks as sophisticated as the train bombings were unprecedented in India… "It was a brilliant piece of precise, military organization, which required the involvement of six or seven different terrorist cells, able to coordinate attacks within minutes of each other. I think this indicates a group connected with Al Qaeda, probably Lashkar-e-Toiba... We have never seen anything like this in India before."... "This was an attack on India’s economy, designed to dissipate foreign investment. It was also an attack on the country’s middle classes.""
    • Combination of RDX, ammonium nitrate, and fuel oil
    • RDX most likely used as a booster charge for blasting agent
    • Devices contained nails and iron filings
    • Explosives placed on elevated mesh luggage racks
    • Detonated as trains were on or at railway stations
    • Small delayed ignition devices found at 3 blast sites
  • Local police response: "The bombers could not have gone after a more unprepared, overcrowded, inept target. The police in India are pathetic. Their resources scarce. Their capability to counter and foil plots like these is almost non-existent… The rate of change from utterly useless to somewhat meaningful presence in the police force in Bombay has been staggering. As if overnight, the police and other domestic security forces in India have started to cooperate, burning the midnight oil, getting things done."
  • Looking forward:
    • Mumbai has Muslim community of 6 million
    • Large portion unemployed males, 18-30 years old
    • Valuable economic center
    • History of attacks
    • Mumbai attractive, symbolic target

Firms outsourcing to India need to rethink supply chains from a terrorist viewpoint:

  • Current systems can be abused without alerting their managers and key upstream and downstream stakeholders
  • Current systems create false negatives & positives
  • Capture risk management objectives that balance commercial and security objectives
  • Develop measurable and testable process to provide evaluation of threats over time and decision support options

Mumbai Railway Blasts (Updated July 18)
Blair Johannessen, South/Central Asia Regional Coordinator
Overseas Security Advisory Council (OSAC)
13 Jul 2006 (Updated July 18)
PPT Attachment

The Indian Supply Chain
A global network is only as strong as it weakest link; the implications of relying on Indian nodes in an age of economic terrorism
by Demir Barlas
Line56
July 14, 2006

Indian Intelligence Takes Closer Look at Al Qaeda
By SOMINI SENGUPTA
New York Times
July 13, 2006

Train Bombers Focused on Mumbai Business Class
By SOMINI SENGUPTA
New York Times
July 13, 2006

 

Mumbai Bombings Shake Outsourcing Community
By Stan Gibson
eWeek
July 13, 2006

Bombay Bombing and Antibodies
posted by Federalist X at 9:41 PM
Amendment Nine
July 13, 2006

Mumbai blasts should not affect investment to India
Investors said to have already factored in risks
By John Ribeiro
IDG News Service
July 12, 2006

Mumbai Inquiry Focuses on Militants
By AMELIA GENTLEMAN
New York Times
July 12, 2006

THE EXAMPLE OF GEORGIA
Posted by John Robb
Global Guerrillas
January 26, 2006 at 07:22 PM

THE NEW BLITZKRIEG
Posted by John Robb
Global Guerrillas

Terrorism and the Resilience of Cities
James Harrigan and Philippe Martin
Federal Reserve Bank of New York
FRBNY Economic Policy Review / November 2002

Gordon Housworth



InfoT Public  Risk Containment and Pricing Public  Strategic Risk Public  Terrorism Public  

discussion

  discuss this article


<<  |  June 2019  |  >>
SunMonTueWedThuFriSat
2627282930311
2345678
9101112131415
16171819202122
23242526272829
30123456
view our rss feed