BACKSTOP.TXT

The Case for a Public Domain Operating System in Disaster Recovery Planning

Prepared by: Paul Edwards
Location: Ligao, Albay, Philippines
Date: April 2026
Status: Recommendation for inclusion in business continuity standards, including ISO 22301.
Contact: mutazilah@gmail.com
https://pdos.org


THE FAILURE MODE CURRENT STANDARDS DO NOT ADDRESS
==================================================

On September 29, 2025, Asahi Group Holdings - Japan's largest brewery, maker of Asahi Super Dry and owner of Peroni, Grolsch and Pilsner Urquell - was hit by a ransomware attack by the Russia-based group Qilin. Within hours, all 30 of its Japanese factories shut down. A month later the company was still operating at 10% capacity, processing orders by hand, fax, and pen and paper. 1.5 million customer records were potentially leaked. Financial results were delayed.

Source: BBC News, October 2025. https://www.bbc.com/news/articles/cly64g5y744o

Critically, Qilin specifically targeted Asahi's backups. The recovery infrastructure was part of the attack surface, because it was reachable via the same network as the primary systems. This is standard practice for ransomware groups: destroying recovery capability maximises pressure to pay.

This is not an isolated incident. Ransomware attacks on operational infrastructure are now routine, and backup systems are a primary target.

The standard disaster recovery response - a geographically separate DR site - does not address this failure mode. A DR site running the same proprietary operating system as the primary site, connected to the same network infrastructure, is vulnerable to the same ransomware, the same backup destruction, the same license revocation, the same vendor compromise, and the same end-of-life decisions made by corporations whose interests do not align with the organisations depending on them.

Geographic redundancy solves geographic failure.
It does not solve software dependency failure, and it does not protect backup systems that share a network attack surface with primary systems.

Current business continuity standards, including ISO 22301, do not require organisations to maintain any system that is both free of proprietary software dependencies and isolated from network attack surfaces. This is a gap.


THREE PROBLEMS WITH MODERN OPERATING SYSTEMS
=============================================

Modern operating systems have three properties that make them unsuitable as backstop systems.

PROBLEM 1: PROPRIETARY DEPENDENCIES
-------------------------------------

Every organisation running proprietary software depends on the following chain remaining intact:

- The vendor remains solvent and operational
- The vendor chooses to continue supporting the product
- The license is not revoked
- The vendor's own systems are not compromised
- The OS layer itself has not been compromised by the attacker

If any of these fail, the organisation's DR site fails with it, because the DR site runs the same software under the same dependencies.

PROBLEM 2: NETWORK ATTACK SURFACE
-----------------------------------

Modern operating systems are designed for network connectivity. This is their primary feature in normal operation. In a crisis it is their primary vulnerability.

A system connected to a network can be reached by a network-borne attack. Qilin reached Asahi's backups because they were on the network. Ransomware groups understand this. They target backup systems specifically because backup systems are on the network.

A system with no network connection cannot be reached by a network-borne attack. This is not a limitation. In the context of a backstop, it is the architecturally relevant property. What remains is the removable media used to carry data onto the machine, so the transfer procedure, not the network, becomes the control point.

PROBLEM 3: COMPLEXITY BEYOND AUDIT
------------------------------------

Windows is commonly estimated at around 50 million lines of code. The Linux kernel is now more than 30 million.
No individual and no team fully understands these systems. Security vulnerabilities hide in complexity that cannot be completely audited.

This complexity is not just a security vulnerability - it is a dependency on specialist expertise that may not be available in a crisis. When Asahi's systems went down, rebuilding them required specialist contractors, vendor support, and weeks of work. A system that no competent programmer can fully understand is a system that cannot be understood, verified, or fixed under pressure without that same specialist infrastructure - which may itself be unavailable or compromised.

The solution to all three problems is not a better DR site. It is a system that sits behind the DR site - a backstop - that has no proprietary dependencies, no network attack surface, and no complexity beyond audit.


PDOS: THE TECHNICAL BACKSTOP
=============================

PDOS (Public Domain Operating System) is a complete operating system built from scratch in C90. It has been developed over 30 years and given to the world for free.

Against Problem 1: PDOS is public domain. Not open source under a license. Not GPL. Public domain. This distinction matters. Licensed open source software is still governed by its license, and a license can be contested, ignored, or weaponised. Public domain has no license to revoke. No vendor can withdraw it. No ransomware attacker can render it inaccessible by compromising a vendor. No end-of-life decision can make it unavailable. PDOS cannot be held hostage. That is its primary feature as a backstop.

Against Problem 2: PDOS has no networking. This is its relevant property as a backstop system. A PDOS machine with critical data stored on it is not reachable via a network-borne attack. Qilin could not have reached it over the network it used against Asahi's primary systems and backups. No ransomware group can reach it that way. It is outside the network attack surface entirely; the only ways in are physical access and the removable media an organisation chooses to carry to it.

Against Problem 3: PDOS is built in C90 from scratch. It is small enough that a competent programmer can read it and understand what it does.
It is auditable in a way that no modern operating system is. A small code base can still contain bugs, but it has no complexity in which vulnerabilities can hide from a reader. There is no cover story. The code is the system, and the system is small enough to verify. In a crisis, a competent programmer can understand, maintain, and if necessary fix it - without vendor support, without specialist contractors, without a network connection.

A minimal PDOS installation includes:

- MicroEmacs: a fullscreen text editor
- A C90 compiler

The correct comparison is not with a modern operating system. It is with pen and paper - which is what organisations are currently falling back to when their primary and DR systems both fail. MicroEmacs beats pen and paper. A C90 compiler means PDOS is not merely a survival tool - it is a platform that technical staff can build on if required.

PDOS runs on x86, ARM, mainframes, and Android. It is distributed as VHD disk images that can be written to a USB stick.


THE RECOMMENDATION
==================

Business continuity standards should require organisations to assess their exposure to software dependency failure and network attack surface as distinct risk categories from geographic failure.
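The previous section says that a C90 compiler makes PDOS a platform technical staff can build on. What follows is an added example of what such a tool looks like; it is not PDOS code, not taken from pdos.org, and not part of the original text of this document. It addresses the one check the air gap does not provide by itself: the records loaded onto the backstop arrive on removable media, so a copy that was encrypted, truncated or altered before the media left the primary site would otherwise replace the last good generation unnoticed. The export side records a SHA-256 digest for each plain-text file in a manifest (and prints the same lines on paper); the backstop recomputes the digests and reports any file that is missing from the manifest or does not match. The file names, the pipe-delimited record layout and the manifest format are assumptions chosen for illustration, and the program assumes the C90 compiler ships a hosted standard library (stdio and string); SHA-256 is implemented inline so that nothing else is needed.

```c
/* backchk.c - added example, not PDOS code and not from the original text.
 * SHA-256 manifest check for plain-text records carried to an air-gapped
 * backstop on removable media.  C90 on purpose (stdio/string only, unsigned
 * long masked to 32 bits) to build with the C90 compiler the text describes. */
#include <stdio.h>
#include <string.h>
#define M32(x)    ((x) & 0xffffffffUL)
#define ROTR(x,n) M32(((x) >> (n)) | ((x) << (32 - (n))))

static const unsigned long K[64] = {  /* FIPS 180-4 round constants */
 0x428a2f98UL,0x71374491UL,0xb5c0fbcfUL,0xe9b5dba5UL,0x3956c25bUL,0x59f111f1UL,0x923f82a4UL,0xab1c5ed5UL,
 0xd807aa98UL,0x12835b01UL,0x243185beUL,0x550c7dc3UL,0x72be5d74UL,0x80deb1feUL,0x9bdc06a7UL,0xc19bf174UL,
 0xe49b69c1UL,0xefbe4786UL,0x0fc19dc6UL,0x240ca1ccUL,0x2de92c6fUL,0x4a7484aaUL,0x5cb0a9dcUL,0x76f988daUL,
 0x983e5152UL,0xa831c66dUL,0xb00327c8UL,0xbf597fc7UL,0xc6e00bf3UL,0xd5a79147UL,0x06ca6351UL,0x14292967UL,
 0x27b70a85UL,0x2e1b2138UL,0x4d2c6dfcUL,0x53380d13UL,0x650a7354UL,0x766a0abbUL,0x81c2c92eUL,0x92722c85UL,
 0xa2bfe8a1UL,0xa81a664bUL,0xc24b8b70UL,0xc76c51a3UL,0xd192e819UL,0xd6990624UL,0xf40e3585UL,0x106aa070UL,
 0x19a4c116UL,0x1e376c08UL,0x2748774cUL,0x34b0bcb5UL,0x391c0cb3UL,0x4ed8aa4aUL,0x5b9cca4fUL,0x682e6ff3UL,
 0x748f82eeUL,0x78a5636fUL,0x84c87814UL,0x8cc70208UL,0x90befffaUL,0xa4506cebUL,0xbef9a3f7UL,0xc67178f2UL };
/* Compress one 64-byte block into the running state h. */
static void sha256_block(unsigned long h[8], const unsigned char *p)
{
    unsigned long w[64], a, b, c, d, e, f, g, hh, t1, t2; int i;
    for (i = 0; i < 16; i++)
        w[i] = ((unsigned long)p[4*i] << 24) | ((unsigned long)p[4*i+1] << 16)
             | ((unsigned long)p[4*i+2] << 8) | p[4*i+3];
    for (; i < 64; i++)
        w[i] = M32(w[i-16] + (ROTR(w[i-15],7) ^ ROTR(w[i-15],18) ^ (w[i-15] >> 3))
                 + w[i-7] + (ROTR(w[i-2],17) ^ ROTR(w[i-2],19) ^ (w[i-2] >> 10)));
    a=h[0]; b=h[1]; c=h[2]; d=h[3]; e=h[4]; f=h[5]; g=h[6]; hh=h[7];
    for (i = 0; i < 64; i++) {
        t1 = M32(hh + (ROTR(e,6)^ROTR(e,11)^ROTR(e,25)) + ((e&f)^(M32(~e)&g)) + K[i] + w[i]);
        t2 = M32((ROTR(a,2)^ROTR(a,13)^ROTR(a,22)) + ((a&b)^(a&c)^(b&c)));
        hh=g; g=f; f=e; e=M32(d+t1); d=c; c=b; b=a; a=M32(t1+t2);
    }
    h[0]=M32(h[0]+a); h[1]=M32(h[1]+b); h[2]=M32(h[2]+c); h[3]=M32(h[3]+d);
    h[4]=M32(h[4]+e); h[5]=M32(h[5]+f); h[6]=M32(h[6]+g); h[7]=M32(h[7]+hh);
}

/* SHA-256 of buf[0..len-1] as 64 lowercase hex digits into out[65]; returns out. */
static char *sha256_hex(const unsigned char *buf, unsigned long len, char *out)
{
    unsigned long h[8] = { 0x6a09e667UL,0xbb67ae85UL,0x3c6ef372UL,0xa54ff53aUL,0x510e527fUL,0x9b05688cUL,0x1f83d9abUL,0x5be0cd19UL };
    unsigned char blk[64];
    unsigned long i, rem, lo = M32(len << 3), hi = len >> 29;  /* 64-bit bit length, split */
    for (i = 0; i + 64 <= len; i += 64) sha256_block(h, buf + i);
    rem = len - i; memset(blk, 0, 64); memcpy(blk, buf + i, rem);
    blk[rem] = 0x80;                                   /* padding: a 1 bit, zeros, length */
    if (rem >= 56) { sha256_block(h, blk); memset(blk, 0, 64); }  /* no room for the length */
    for (i = 0; i < 4; i++)                            /* big-endian bit count in bytes 56..63 */
        blk[59 - i] = (unsigned char)(hi >> (8*i)), blk[63 - i] = (unsigned char)(lo >> (8*i));
    sha256_block(h, blk);
    for (i = 0; i < 8; i++) sprintf(out + 8*i, "%08lx", h[i]);
    return out;
}

static const char *sha256_str(const char *s)          /* string helper, static buffer */
{ static char o[65]; return sha256_hex((const unsigned char *)s, (unsigned long)strlen(s), o); }
struct record_file { const char *name; const char *data; };
/* Count files whose recomputed digest is absent from or differs from the manifest
 * ("<64 hex>  <name>" per line).  0 means the copy on the media is verified. */
static int verify_manifest(const struct record_file *f, int n, const char *m)
{
    int bad = 0, i; char got[65];
    for (i = 0; i < n; i++) {
        const char *line = m, *hit = NULL;
        size_t nl = strlen(f[i].name);
        sha256_hex((const unsigned char *)f[i].data, (unsigned long)strlen(f[i].data), got);
        while (*line && !hit) {                        /* locate this file's manifest entry */
            const char *eol = strchr(line, '\n');
            size_t ll = eol ? (size_t)(eol - line) : strlen(line);
            if (ll == 66 + nl && !memcmp(line + 66, f[i].name, nl)) hit = line;
            line = eol ? eol + 1 : line + ll;
        }
        if (!hit)                      { printf("MISSING %s\n", f[i].name); bad++; }
        else if (memcmp(hit, got, 64)) { printf("FAIL    %s\n", f[i].name); bad++; }
        else                             printf("ok      %s\n", f[i].name);
    }
    return bad;
}

/* Constructed sample: export side builds the manifest, backstop checks it.
 * tamper != 0 simulates one file altered (or encrypted) while on the media. */
static int demo_verify(int tamper)
{
    static const struct record_file src[2] = {
        { "CUSTOMER.TXT", "C0001|Ligao Hardware|open\nC0002|Albay Coop|open\n" },
        { "PROCS.TXT",    "P01 manual order entry\nP02 invoice by fax\n" } };
    struct record_file rcv[2]; char manifest[256], d[65]; int i;
    manifest[0] = 0;
    for (i = 0; i < 2; i++)                            /* done before the media leaves */
        sprintf(manifest + strlen(manifest), "%s  %s\n", sha256_hex((const unsigned char *)
                src[i].data, (unsigned long)strlen(src[i].data), d), src[i].name);
    memcpy(rcv, src, sizeof rcv);
    if (tamper) rcv[0].data = "C0001|Ligao Hardware|open\nC0002|Albay Coop|CLOSED\n";
    return verify_manifest(rcv, 2, manifest);
}
int main(void)
{
    printf("sha256(\"abc\") = %s\n", sha256_str("abc"));
    printf("clean copy: %d bad\ntampered copy: %d bad\n", demo_verify(0), demo_verify(1));
    return 0;
}
```

Compile with any C90 compiler and run: the program hashes the FIPS test vector "abc", verifies a clean copy of the constructed sample files, then shows the tampered copy failing. The manifest is only as trustworthy as the moment it was written, which is why the paper copy matters: if the exporting host was already compromised when it produced the manifest, the digests may match an already-damaged file. The backstop should therefore keep several dated generations of records, and staff should read the records themselves before an older generation is discarded.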
For organisations where operational continuity is critical, the recommendation is a third tier in the recovery architecture:

TIER 1: Primary system
TIER 2: DR site (geographic redundancy)
TIER 3: PDOS backstop machine with critical data stored locally

The PDOS backstop machine:

- Requires no network connection to function
- Requires no license renewal
- Requires no vendor relationship
- Cannot be compromised via the same attack vector as Tier 1 and Tier 2 systems, because it shares no software dependencies and no network attack surface with them
- Can be understood, verified, and maintained by any competent programmer without external support

Critical data - accounting records, operational procedures, customer records in plain text format - stored on the PDOS machine remains accessible when Tiers 1 and 2 are both unavailable and when specialist IT support is unavailable. Because the backstop is loaded by hand rather than over a network, the interval between loads is its recovery point objective and should be set and recorded like any other RPO.

This is not a replacement for a DR site. It is what sits behind the DR site. The backstop.


IMPLEMENTATION
==============

PDOS is available at https://pdos.org

VHD disk images can be written to a USB stick. Implementation in an organisational context may require technical assistance depending on the organisation's existing IT capability.

Contact: mutazilah@gmail.com


THE POLICY GAP
==============

ISO 22301 (Business Continuity Management Systems) addresses recovery time objectives, recovery point objectives, and geographic redundancy. It does not address:

- Software dependency risk as a distinct failure mode
- Network attack surface shared between primary and recovery systems
- The auditability and comprehensibility of recovery systems under crisis conditions

NIST SP 800-34 (Contingency Planning Guide for Federal Information Systems) similarly does not require contingency systems to be free of proprietary software dependencies or isolated from shared network attack surfaces.

This document is submitted as a formal recommendation that these standards be updated to address the gap.

Asahi had a DR plan.
The DR plan did not save it, because the recovery infrastructure shared the attack surface of the primary systems.

A PDOS backstop machine - no proprietary dependencies, no network connection, auditable by any competent programmer - would have given staff a trusted, working copy of the critical records and the tools to work on them while the primary systems were rebuilt, instead of fax and pen and paper.

The pen and paper Asahi fell back on had these properties by accident. PDOS has them by design.


- Paul Edwards
Ligao, Albay, Philippines
April 2026
mutazilah@gmail.com
https://pdos.org