It is well known in both the security market and the political arena that sometimes the way to motivate people is to use ‘scare tactics’: that is, discussing what might happen if we don’t take threats or security measures seriously.
Having been in the security business for a while, I often refer to security management as ‘selling earthquake insurance’. It is very difficult to measure the importance of something like insurance or security without painting worst-case scenarios.
There has been a lot of disaster speculation in the news recently with respect to product reverse engineering, data security, and protection of national infrastructure and cyber security. The latest is a White Paper issued by the Cyber Secure Institute (CSI), authored by Retired General Eugene Habiger and released on Monday. The report and its criticism of policy inaction were summarized in an interview with General Habiger by SC Magazine. In his White Paper, General Habiger does not shy away from disaster speculation or its most common metaphors, stating explicitly right in the introduction:
“Our failure to proactively address this threat risks a digital Pearl Harbor or 9‐11.”
This style of prognostication, arguably borrowed from religious prophets, has a number of probable outcomes: successful advocacy and prevention, “I told you so”, or nothing happens but for a general rise in the background noise as a thousand Chicken Littles decry impending disaster.
US Intelligence Agencies issue similar warnings, the latest being a statement by Director of National Intelligence Dennis Blair on Tuesday, who stated (as paraphrased by Fox News):
“Attacks against networks that control the critical infrastructure in this country … could wreak havoc,” Blair said. “Cyber defenders right now, it’s simply the facts of the matter, have to spend more and work harder than the attackers do, and our efforts frankly are not strong enough to recognize, deal with that reality.”
Politics aside, sometimes it takes both alarmist statements, as well as a convergence of worry and opinion, to make the required changes in US policy.
There is another factor involved in this dialogue: the sensitivity of information surrounding the actual threat from cyber attacks and the loss of corporate and national IP. Presumably the threats are very real and our economy is already suffering damage from these attacks and losses (see the Wired article on the recent CSIS report on attacks on national infrastructure), but this is difficult to quantify without revealing the technical vulnerabilities and the victims (people and corporations), and without damaging consumer confidence in financial systems. This creates an ominous collective whisper of “If only you knew…” from intelligence agencies and policy-makers about our actual network infrastructure and national security.
In the end, this is why traditional Risk Management may not be the right approach to security. It is difficult to assess and measure risks in computer security, and most of your data sources for risk either over-hype the threats or are completely quiet because of sensitivity issues.