I remember buying my first home (the one I still live in today) back in 2003. I remember the mortgage broker cajoling me to take advantage of the no money down loans that were being handed out like candy, and watching a world where everyone I knew was jumping on the gravy train. I took on a primary and secondary loan. One at a crazy high interest rate, and the other was interest only. Everyone was doing it, and there seemed to be no risk involved. Homes were skyrocketing in value (mine rose a WHOPPING 60% in value before the crash of 2008), and everyone was making money.
It made no fianancial sense whatsoever to me, and it certainly did not make financial sense to Peter Schiff. He was the guy that people laughed at on FOX News interviews for claiming that the market was going to collapse. Nassim Nicholas Taleb also felt it was all going to end in a bad way, and said so in his book "The Black Swan". I would recommend everyone alive today read this book.
So, this morning I read an article on Infosecurity.com titled "Cybersecurity threat rhetoric not supported by evidence, researchers argue", which references a paper written by Jerry Britto and Tate Watkins of George Mason University. It is a well written paper. It is well cited and referenced, and I am sure Britto and Watkins are a couple of smart guys. The paper refers to another paper "Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency", which was a product of a project directed by James A. Lewis, who is the senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS). Britto and Watkins are critical of some of the assertions in the CSIS paper, and I can certainly follow their logic. For example, here is a quote from the Britto and Watkins paper:
"Nevertheless, the Commission report and the cybersecurity bills it inspired prescribe regulation of the Internet. The report asserts plainly: “It is undeniable that an appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives.”52 But without any verifiable evidence of a threat, how is one to know what exactly is the “appropriate level of cybersecurity” and whether market forces are providing it? How is one to judge whether the recommendations that make up the bulk of the Commission’s report are necessary or appropriate?"
I cannot argue against the point that without empirical evidence, one cannot determine what is an appropriate level of security, IF an appropriate level of security is predicated by empirical evidence bound by a narrowly defined context.
So what the heck am I trying to say here? Let's go back to the financial collapse of 2008. Despite the assertions made by Schiff and Taleb that the financial situation was headed for disaster (and they were not the only ones predicting this), the "geniuses" in the high towers and in the hallowed halls of our government sponsored institutions decided that there simply was not enough evidence to get them to change their ways. This was despite the fact that we had lived through a Great Depression, and despite the fact that financial analysts interviewed after the collapse claimed that they had indeed told those in charge the that things were not going to end well (and in some cases were terminated for saying so). This was a new way of doing business, as some claimed, and the old rules did not apply. Everyone is making money, so shut up and don't rock the boat.
So the market did collapse after all. We now have LOTS of empirical evidence that our privately run financial system gave us the shaft, and yet some of the very instruments that led to the financial demise of millions of people worldwide remain unregulated.
So this leads me to the conclusion of the Britto and Watkins paper:
"Cybersecurity is an important policy issue, but the alarmist rhetoric coming out of Washington that focuses on worst-case scenarios is unhelpful and dangerous. Aspects of current cyber policy discourse parallel the run-up to the Iraq War and pose the same dangers. Pre-war threat inflation and conflation of threats led us into war on shaky evidence. By focusing on doomsday scenarios and conflating cyber threats, government officials threaten to legislate, regulate, or spend in the name of cybersecurity based largely on fear, misplaced rhetoric, conflated threats, and credulous reporting. The public should have access to classified evidence of cyber threats, and further examination of the risks posed by those threats, before sound policies can be proposed, let alone enacted.
Furthermore, we cannot ignore parallels between the military-industrial complex and the burgeoning cybersecurity industry. As President Eisenhower noted, we must have checks and balances on the close relationships between parties in government, defense, and industry. Relationships between these parties and their potential conflicts of interest must be considered when weighing cybersecurity policy recommendations and proposals.
Before enacting policy in response to cyber threats, policymakers should consider a few things. First, they should end the cyber rhetoric. The alarmist rhetoric currently dominating the policy discourse is unhelpful and potentially dangerous. Next, they should declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify before trusting blindly. They must also disentangle the disparate cyber threats so that they can determine who is best suited to address which threats. In cases of cyber crime and cyber espionage, for instance, private network owners may be best suited and may have the best incentive to protect their own valuable data, information, and reputations. After disentangling threats, policymakers can then assess whether a market failure or systemic problem exists when it comes to addressing each threat. Finally, they can estimate the costs and benefits of regulation and its alternatives and determine the most effective and efficient way to address disparate cyber threats.
No one wants a “cyber Katrina” or a “digital Pearl Harbor.” But honestly assessing cyber threats and appropriate responses does not mean that we have to learn to stop worrying and love the cyber bomb."
While I have to agree that being alarmist tends to turn some people off, I cannot help but think of the tongue-in-cheek saying "Just because I'm paranoid doesn't mean they're not watching me." I wholeheartedly agree that our government is not good at spending our money in a reasonable manner, and I feel they do not spend our money wisely even when given correct and verifiable information. In fact, I currently have very little evidence to support that our government does anything based on a well thought out assessment of facts. While Mason and Britto point out a plausible and seemingly correct way to go about this, perhaps they should consider that Mr. Lewis does indeed live in a world where he faces policy makers regularly, and there seems to be no hurry to address the issues at hand. Furthermore, in January of 2011 (this year) CSIS published a followup to the previous paper titled "Cybersecurity Two Years Later" where some specific significant attacks are cited:
"2010 should have been the year of cybersecurity. It began with a major penetration of Google and other Fortune 500 companies, saw the Department of Defense describe how its classified networks had been compromised, watched the Stuxnet worm cut through industrial control systems, and ended with annoying denial of service attacks over Wikileaks. These public incidents were accompanied by many other exploits against government agencies, companies, and consumers. They show how the United States is reliant on, but cannot secure, the networks of digital devices that make up cyberspace. As a nation, we must do more to reduce risk, and we must do it soon."
The report also points to a document titled "Significant Cyber Incidents Since 2006", which (as of the date this blog was posted) list 70 significant incidents (not only in the US).
So how do we solve this problem? Making claims that "the sky is falling" tends to lead to public ridicule (Schiff and Taleb know that well). Theoretical attacks tend to become marginalized ignored due to a critical flaw in risk based formulas that tends to zero out risk for attacks that have never occurred (which is what I am presenting on at the ICSJWG conference on May 3rd, 2011 in Dallas). Finally, empirical evidence only seems to lead to some policy changes as long as it is accompanied by an alarmist outcry (e.g. Congress made some minor changes to our financial system while the world was screaming about the collapse of our economy, but seemed to wind down when the crying stopped, and the risks still exist despite plenty of empirical evidence).
The reality is this: We are not going to do much about cybersecurity until we all feel it in a major way, and then maybe we will get better at dealing with the issues, but maybe not.
One thing is certain, however, Mr. Lewis and the CSIS team will suddenly seemed a lot smarter.
By the way, I got into a less risky loan a year after buying my house. The alarmist rhetoric hit home with me.
2 comments:
This report is symptomatic of the communications gap that is the central issue to wrestle with. Despite having a good understanding of the threats and remediations, as a group we consistently fail at enunciating them clearly to each other. It is therefore no great surprise that those outside the group are not able to fix on definitive actions to take.
We should start from the outside and work in:
"Will the current state of affairs be acceptable in twenty years? Ten? By what time will we have had to already addressed this adequately, and what will it take to get there?"
Ten years ago the odds of having a cyber attack against an industrial system were negligible. Today that threat is credible. In my opinion, ten years from now it will be inevitable. If this evolutionary curve is about right then the general shape of our response is fairly obvious and should not be terribly contentious.
Addressing the security of all industrial control systems adequately is not reasonably possible in much less than ten years - and less so if the period to "inevitable" threat of attack is shorter. While it may be possible to argue (I would not) that there is too much emphasis on the threat today or this quarter or even this year, on the timescale that we have available it would be hard to argue that any effort addressing it today will not have to be made shortly, regardless.
It's possible (and many claim it to be true) that it was regulations that created the bubble and pushed the financial markets over the edge. Well meaning regulations encouraging home ownership ended up making it too easy to get a home loan and enabled lenders to socialize their risk into government backed mortgage pools that created a mirage of saftey and thereby creating huge systemic risks that were hard to see until it was too late.
My personal experience and my understanding of history makes me think that regulation rarely achieves what is desired because the regulations are ALWAYS written with political consideration as the primary factor. There is simply no other way for regulations to be written no matter how nice and well-meaning those that write the regulations seem to be.
I strongly believe that there is much that should be done that isn't being done to improve the security of our critical infrastructure. But I have nearly zero confidence in the ability of any political process to address this shortcoming.
I don't know if this most recent report is more valid than those that claim the end is near. But if the regulators get involved I think the cure could well be worse than the disease which leads me to being cautious about supporting regulation.
Post a Comment