Ralph Langner paired with Perry Pederson for his first major paper at the Brookings Institution – Bound To Fail: Why Cyber Risk Cannot Be “Managed” Away. The authors write “The sober reality is that in respect to the cyber security of critical infrastructure, there is no empirical evidence that a risk-based approach, despite its near decade of practice, has had any success.” They then back that up with a very logical argument and detailed examples. It also does not bode well for the likely results from the Executive Order.
After arguing their point that a risk-based approach will continue to fail, Ralph and Perry turn to a different approach that they believe will succeed. This is based on three points:
- Politics – Politics, not business reasons, should drive the need for security … “the notion of saving private corporations money has rarely been a factor in matters of true national security, and critical infrastructure protection certainly is a national security issue.”
- Practicality
- Pervasiveness – The authors argue that trying to separate systems into critical and non-critical, as is done in NERC CIP, is a mistake.
While I bought in completely to their argument against continuing a risk-based approach to government efforts, the way forward was less compelling for me. It may be that these concepts need to be defined in more detail than was possible in this initial paper. For example, the concept of pervasiveness may be inefficient and result in a lot of work that does not improve the security posture. Or it may come down to how pervasiveness is applied. If a government defined the top 100 CI ICS and said all components of those systems must be secured, it might eliminate all the wasted effort placed on determining whether a system is in or out of regulatory scope.
I’m all in for trying something different since throwing more time and money at what has failed the last decade is futile and unwise.
A few other noteworthy points from the paper:
- They clearly, and accurately in my opinion, note that the US efforts on offensive cyber security have been the success of the last decade in contrast to defense. Pull quote “that his (Obama) first term was marked by the incredibly quick – yet mostly silent – buildup of the world’s largest cyber firepower, including an actual “bits on the ground” operation in a hostile country (Iran).” Important in the context of the recent furor over APT1 and China. I was pleasantly surprised to see George Will hit this two times on the ABC Sunday News show.
- My favorite line is “Nonetheless, using insecure products to control a nation’s most critical systems is at the least intolerably negligent.”
This paper is worth reading, and I hope it gets some attention from policy makers in the US and other governments.
Image by loop_oh
“Risk Management” is another word for “Prioritization of limited resources, whether time or materials based to achieve desired outcomes”.
From the summary:
“The authors suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities” – how are those guidelines determined? Should we secure everything infinitely with infinite resources? No? If only there was some concept that would help us look at the things we care about most and address those in a way that assured they would be protected. Maybe we’ll call it risk management…and it will lead to…clear guidelines.
and here:
“a distinction between critical and non-critical systems is a bad idea that contradicts pervasiveness and sustainability of any effort to arrive at robust and well-protected systems.” This makes sense in a FISMA kind of way. But what if criticality were more nuanced and based on a combination of business/national objectives and high level attack trees…that accounted for interdependencies and such? Well, that probably *helps* quite a bit with sustainably identifying resource targets in a way that will assure robust and well-protected systems.
Have past efforts arrived here? Nope. Was that “risk management”’s fault as a discipline? No. There is more blame to go around for where we are now than there are fingers to point, but they are more along the lines of collective maturity, politics, willingness to lead, etc. than basic conceptual frameworks like risk management.
“Nonetheless, using insecure products to control a nation’s most critical systems is at the least intolerably negligent”
Which, of course, is a statement of risk management.
Slight semantic machinations cannot deny the fact that we can and always will be doing “risk management.” The only question is “how well.”
I would be quick to add that it *is* very well known that probabilistic risk models for cyber & eFraud work very well for many in finserv environs. Just because the utility and .gov sectors are naive or immature doesn’t mean the concept isn’t very, very valid.
What makes the SCADA/ICS insecure, Ralph? Dale? Perry?
This idea is just too good to ignore:
“For example, when the European Union decided that traditional light bulbs are bad because of their poor energy efficiency, the verdict was not to replace all the billions of light bulbs in use but rather to place a ban on selling legacy light bulbs. A similar approach with respect to existing insecure-by-design industrial control and safety systems would be a positive first step toward rectifying the problem.”
Forget a new risk based framework (plenty of those already) … let’s draw a line in the sand and move forward with technology.
“let’s draw a line in the sand and move forward with technology.” <– risk management informs the application, implementation, and resourcing of technology.
Agree, informed decisions about what to move forward first makes sense. Critical unit for your first deployment? Probably not.