
Pretending about Cybersecurity Risks
I have written a couple
of columns comparing cybersecurity risk management to managing climate
change—one with the title “Cybersecurity Climate Change” (December 10, 2018),
and the other “The Cybersecurity Paradox” (June 19, 2019)—and here’s another column
on the topic. It was prompted by Jonathan Franzen’s article, “What If We
Stopped Pretending? The climate apocalypse is coming. To prepare for it, we
need to admit that we can’t prevent it.” The article appeared in The New
Yorker of September 8, 2019.
While climate change
belongs to the physical world and cybersecurity to the virtual world, they both
present immense existential problems that are inexorably growing in their
potential to damage or even destroy the world as we know it. “Hold it,” you
might say, “There is no comparing the two.” You could be right. There is some
chance that, if enough money were thrown at it, cybersecurity risks could be
reduced to a more acceptable level. Only it’s going the other direction right
now.
Franzen ends his article
on a somewhat upbeat note. If we engage in traditional local farming and build
strong communities, perhaps we can create a better future than the “apocalypse”
he describes. By the way, you might find the recent movie “The Biggest Little
Farm” to be reassuring along these lines, but the return to traditional ways,
as expounded by Franzen and the movie, doesn’t apply to cybersecurity. The
cyber world doesn’t have a comfortable tradition to return to, and, even if it
did, there’s no going back.
In their new book, “The
Fifth Domain,” Richard A. Clarke and Robert K. Knake wrestle with the issues
confronting cybersecurity professionals. They admit that old methods are not
working, and they present newer approaches, such as the Cybersecurity Kill
Chain and the Cyber Defense Matrix, as more promising. But, in the end, they
basically make the case for resiliency. That is, we have to assume that
organizations will be attacked and that some of those attacks will be
successful, and we need to spin up our capabilities for detection, recovery and
reconstitution.
As someone who has spent
a fair amount of his career in the disaster-recovery and business-continuity
space, I most definitely subscribe to the DR/BC planning approach. In fact, my
first publication on the subject was almost 30 years ago, when my article
“Security during Recovery and Repair” appeared in the Handbook of IS Management 1992-93 Yearbook that was edited
by Robert E. Umbaugh and published by Auerbach Publications (Boston).
Many of us sharpened our DR/BC
skills during the Y2K era, since we had to plan for all manner of contingencies
relating to the malfunctioning and failure of systems due to their inability to
process the millennium date change properly. Certainly, contingency planning is
a very good way to prepare for prospective catastrophes, especially when you
are not sure what form they might take. It is interesting to note that recovery
from the 9/11 destruction of the World Trade Center was facilitated by
companies already having gone through the Y2K exercise. They were able to
invoke those contingency plans as they were still relatively fresh.
I have also written a
couple of articles on catastrophe contingency planning, as follows:
“Responsibilities and Liabilities with Respect to Catastrophes,” Cyber
Crime: Concepts, Methodology, Tools and Applications, edited by IRMA (Information
Resources Management Association), IGI Global, 2011, and
“The Impact of Major Catastrophes on the Global Supply Chain,” Proceedings of the
2012 IEEE LISAT (Long Island Systems, Applications and Technology) Conference,
Farmingdale, NY, May 2012.
When prevention isn’t successful, then you need to
“hope for the best, and prepare for the worst.” While Clarke and Knake advocate
becoming more resilient and being more prepared to recover from devastating
cyberattacks, they really don’t address what you need to do to prepare for
catastrophic events, when the very resources you had set up for recovery are
also destroyed. Catastrophe contingency planning is a field unto itself,
requiring out-of-the-box thinking and preparatory projects that presume that
much of the infrastructure upon which you would normally depend has been
rendered useless. It’s difficult to contemplate such situations, but, if they were
to occur, you would at least be grateful for having put together a plan that has
a chance of surviving despite catastrophes.
*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2019/10/07/pretending-about-cybersecurity-risks/