6 Theories of Probability

It may come as a surprise to some that there actually a variety of interpretations or theories of probability. All of the theories about probability can be divided into two groups: objective and non-objective.

Objective Theories of Probability

Objective theories of probability define probability values in a way that makes them independent of opinion. For example, consider what it means to talk about the probability of a compromise of a web server. According to objective theories of probability, there is only correct probability value (or range of values), period, and it doesn’t matter what you or I or anyone else thinks. There are many different types of objective probability, including the frequency theory, the logical theory, and the propensity theory.

The classical theory of probability is the oldest and probably best-known theory of probability. It treats all possible outcomes as equally probable. Thus, given a fair, standard six-sided die, the probability that any one side will land is 1/6.

The aleatory or frequency theory of probability is arguably the best-known theory of probability; it is also an empirical theory that views probability as a feature of the natural world. Anyone who has taken a mathematics course on statistics or probability theory has learned frequency probability. The frequency theory of probability defines probability as the frequency with which an outcome appears in a long series of similar events (Gillies 2000, p. 1).  Note that what the mathematician calls “frequency,” the information security professional has traditionally called the “rate of occurrence.” (For example, the auto insurance industry computes the “rate of occurrence” of theft for your vehicle, based on historical data about thefts in your location, the number of thefts involving your type of car, your claim history, and so forth.) In order to apply the frequency interpretation of probability, one must have sufficient data in order to arrive at a statistically valid conclusion about the frequency of the event in question.

© BlogInfoSec.com, 2010. | Permalink | One comment | Add to del.icio.us
Post tags: aleatory, epistemic, featured, intersubjective, logical, non-objective, objective, personal, probability, probability calculus, propensity, Risk Analysis, subjective

Feed enhanced by Better Feed from Ozh

One possible response to my first argument is to define the variables “Threat” and “Vulnerability” as probabilities. For example, a U.S. Department of Energy (DOE)-commissioned report adopted the following definitions.

Threat: the probability that a person or group attempts an adversary action

Vulnerability: the probability that the adversary is not interrupted (by safeguards)

While this approach is to be commended for its clarity, I believe it is mathematically incoherent because it violates one of the axioms of the probability calculus. In this post, I will explain why.

The Probability Calculus

Probabilities obey certain rules or axioms that collectively are known as the probability calculus. The axioms of the probability calculus may be defined as follows.

(1)    If a statement X is a tautology, then its probability, Pr(X), is equal to 1.

(2)    If X and Y are mutually exclusive, then Pr(X & Y) = Pr(X) + Pr(Y).

(3)    Pr(X) >= 0.

(4)    Pr(X & Y) = Pr(Y) x Pr(X | Y), where the notation Pr(X | Y) means “The probability of X conditional upon Y.”

This last axiom is especially important since it introduces the concept of conditional probability. Conditional probabilities are useful because they provide a way to capture the impact of one statement, Y, on the probability of another statement, X. For example, let Y be the statement, “The next vehicle to drive by my house will be a blue or green car.” Let X be the statement, “The next vehicle to drive by my house will be a car.” If we know Y to be true, then we will know X to be true. In this case, Pr(X | Y) =1.

Conditional Probability and Independence

Using the fourth axiom of the probability calculus, it follows that conditional probability may be defined as follows.

(5)    Pr(X | Y ) = Pr(X & Y) / Pr(Y)

Using this definition, we can now define independence. X and Y are independent if and only if Pr(X | Y) = Pr(X).

An example should make this clear. Let X again be the statement, “The next vehicle to drive by my house will be a car.” Let Z be the statement, “A triangle has three sides.” The truth of Z is irrelevant to Pr(X); X and Z are independent events. In symbols, Pr(X | Z) = Pr(X).

Probability of Conjunctions

A conjunction may be loosely thought of as the union of two statements (or events), such as X & Y. The fourth axiom of the probability calculus defines the probability of conjunctions.

(4)    Pr(X & Y) = Pr(Y) x Pr(X | Y)

If and only if X and Y are independent, then it is possible to simplify this formula to Pr(X & Y) = Pr(X) x Pr(Y).

The R=TVC Formula Incorrectly Assumes Threat and Vulnerability Are Independent

We are now in a position to see why the R=TVC formula violates the fourth axiom of the probability calculus. Here are the DOE definitions of threat and vulnerability again.

Threat: the probability that a person or group attempts an adversary action

Vulnerability: the probability that the adversary is not interrupted (by safeguards)

Let us begin by, in each of these definitions, distinguishing the events from their probabilities.

Threat (T): a person attempts an adversary action

Pr(T): the probability of T

Vulnerability (V): the event that the adversary’s attempted attack is not interrupted (by safeguards)

Pr(V): the probability of V

Thus, the R= TVC formula may be rewritten as follows.

(6)    Risk = Pr(T) x Pr(V) x Consequence

By multiplying Pr(T) and Pr(V), it follows that the R=TVC formula implies that T and V are independent. Thus, (6) may be rewritten as

(7)    Risk = Pr(T & V) x Consequence

As should be clear from my earlier discussion, however, T and V are not independent. According to the fourth axiom of the probability calculus,

(8)   Pr(T & V) = Pr(V) x Pr(T | V)

T is necessary for V; event V can never happen without event T also happening. In plain English, if an adversary does not attempt an attack, there is no attack for safeguards to interrupt. It follows, then, that Pr(T | V) = 1. Substitute 1 for Pr(T | V) to get

(9)    Pr(T & V) = Pr(V)

This result will be of no surprise to philosophers, since it is an example of what is sometimes called the logical consequence rule: when Y entails X, Y is logically equivalent to X & Y.  Using this result, we may simplify (7) as follows.

(10) Risk = Pr(V) x Consequence

But if we substitute the right-hand side of (6) with the left-hand side of (10), we get

(11) Pr(T) x Pr(V) x Consequence = Pr(v) x Consequence

That equation would be correct if and only if Pr(T) were equal to 1. But that is absurd; Pr(T) does not (necessarily) equal 1. It follows, then, that the  R=TVC formula leads to self-contradictory results.

© BlogInfoSec.com, 2010. | Permalink | One comment | Add to del.icio.us
Post tags: conditional probability, expected utility, expected value, impact, independence, inductive logic, probability calculus, r=tvc, risk, Risk Analysis, threat, vulnerability

Feed enhanced by Better Feed from Ozh

I have come up with quite a few examples of failed applications or combination of applications that would have benefited greatly from such testing. One example, which I mentioned in my May 25, 2010 Bloginfosec column “Bungee Jumps, Stock Markets and Negative Testing,” is the domino effect of missing controls in exchange and program trading systems, such as those that resulted in the “flash crash” of May 6, 2010. I also discussed the benefits that the auto industry would have derived from FST, in terms of the avoidance of failures, in my February 16 and 22, 2010 Bloginfosec columns “Negative Testing Revisited – Vehicle Control Systems,” Parts 1 and 2 respectively.

Finally, I have seen in print an example of someone who actually makes it his business to perform functional security testing, although he does not call it that. In a June 11, 2010 article in The Wall Street Journal, with the title “Web Watchdogs Dig for Flaws,” reporter Ben Worthen describes the activities of Assistant Professor Ben Edelman at the Harvard Business School “who takes it upon himself to make sure that the social-networking sites … follow their stated policies.”

The article describes Professor Edelman’s approach as follows:

“… he starts by asking himself ‘wouldn’t it be amazing if’—with the ‘if’ being things that are unlikely to occur—and then tests the ideas on several computers in his home office. [He] says he typically can test five scenarios in an hour.

In January [2010], he discovered that Google’s toolbar software, which allows users to conduct searches without visiting Google’s home page, recorded what Web pages a person viewed in some cases even after the user disabled that feature.”

Google claims that the problem, which they assured us “only affected a small number of people,” has been fixed.

It appears that the Google example could be due to data persistence in a buffer, which should have been initialized, or emptied, as soon as the feature was disabled. I personally have seen a similar problem where a customer was able to view the “administrative messages” of other customers when he accessed his own messages via a certain path. That was due to data persistence, which made me think that the Google case could be similar.

As we enter this particular space, we get into the issue of first-order, second-order, third-order FST and so on. Because the magnitude of exhaustive FST is so enormous, because of the huge number of combinations and permutations that are possible with modern complex computer systems, it becomes necessary to whittle down the scenarios in some fashion or other. I have advocated only addressing first-order FST, where the directly negative examples are listed (such as, this user should not be able to access that account). Even at this level, the number of use (or misuse) cases can be overwhelming, so I suggest a statistical sampling approach.

When it comes to second and greater order scenarios – i.e., do this, then that, then the other – the number of cases or scripts grows exponentially and only a very few such cases, on a percentage basis, can be tested cost-effectively. But, as shown in Professor Edelman’s example, such compromises can have a serious impact.

What Professor Edelman’s approach suggests to me is that human intuition may be the answer to teasing out obscure, but extremely damaging, needles from the misuse-case and abuse-case haystacks. I have written earlier about the ace tester, with whom I worked some twenty years ago, who had an uncanny sense of where misuse cases might crop up. Such a facility is worth its weight in gold (even at today’s inflated prices). But in lieu of such a person, it is well worth formalizing Professor Edelman’s approach by gathering a group of creative and knowledgeable individuals, familiar with the systems to be tested, for the purpose of brainstorming the “what if” misuse and abuse cases and letting members of the group go at it for a time determined by the criticality, dependencies, value and complexity of the applications being tested.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: Ben Edelman, FST, functional security testing, Google, spotlight

Feed enhanced by Better Feed from Ozh

Risks = Threats x Vulnerabilities x Impact

In some versions of this formula, the word “Consequence” is sometimes substituted for “Impact,” but the concept appears to be the same.

I want to argue that this equation, when taken literally as a mathematical formula, is nonsense and should be discarded.

As I argued in my last post, risk analysis, including ISRA,  has its roots in decision theory, especially expected value (or utility) theory. The expected value or utility of an action may be thought of as a weighted average. It can be calculated by defining a set of mutually exclusive and jointly exhaustive possible outcomes from a particular course of action, and then multiplying the probability of each possible outcome by its utility. The formula is very clear and mathematically rigorous. In contrast, the “Risk = Threats x Vulnerabilities x Impacts” formula is unclear at best and possibly mathematically incoherent at worst.
 
First, while the concepts of “threats” and “vulnerabilities” are clearly relevant to determining the probability of a possible outcome of an event, they are not equivalent to the probability of a possible outcome of an event. For example, I understand what it means to say that the threat is “unauthorized access to a company information system” and the vulnerability is “an unpatched vulnerability in an Internet-facing web server.” It is far from clear, however, how to literally plug in those concepts into a mathematical formula.  What are the units of measurement for threats and vulnerabilities? What would it mean, mathematically, to plug a number in for the “Threats” variable? If I say that a threat is 0.8, what does that mean? What is the range of possible values for “Threats”? Likewise, what is the range of possible values for “Vulnerabilities”? 

Second, the “Risk = Threats x Vulnerabilities x Impact” formula may actually violate the axioms of probability theory and the canons of inductive logic. In order to be inductively correct, a formal analysis of a risky action needs to take into account ALL of the potential outcomes of an action. The “Risk = Threats x Vulnerabilities x Impact” formula fails to do this by focusing solely on security threats. Indeed, the way the formula is presented, it appears to focus solely on a single security threat. In contrast, the logically correct expected value approach takes into account all of the possible outcomes of an action. For example, if the relevant action is “delay in patching a vulnerability in an Internet-facing web server,” one possible outcome is that the vulnerability is not exploited. The utility of that outcome would then be measured by whatever savings or efficiencies may be achieved by not patching, such as the value of the employee time that would have been spent patching the machine but wasn’t, or the value of advertising revenue generated by the web server that would have been lost due to downtime (for a server reboot) or wasn’t.

One reply to my argument is that the formula is not literally intended to be used as a mathematical formula; rather, the formula is just an informal way of stating that security risk is a function of threats, vulnerabilities, and potential impact. Fair enough, but why use a bogus formula? (I do believe risk can be modeled mathematically, but not using the “Risk = Threats x Vulnerabilities x Impacts” formula.) As an alternative, why not use “Risk = Function(Threats, Vulnerabilities, Impacts)” or something similar?  I’m willing to bet that anyone who can understand the first formula can also understand the second.

© BlogInfoSec.com, 2010. | Permalink | 6 comments | Add to del.icio.us
Post tags: decision theory, expected utility, expected value, featured, Risk Analysis

Feed enhanced by Better Feed from Ozh

The more I read the writings of various information security professionals about information security risk analysis (ISRA), the more I’m struck by the following observation: decision theory provides the foundation for risk management (which, in turn, is arguably the foundation for information security) and yet the vast majority of sources of information and professional training on information security are silent on the topic. Consider the following examples of statements an information security professional may make in their career.

1. A firewall administrator argues there is a significant risk that passwords will be compromised if transmitted as cleartext over the Internet, since the passwords will go through untrusted computer systems and an eavesdropper could learn the password.

2. An auditor proposes implementing a security awareness training program, since security awareness training decreases the risk of a variety of security incidents.

3. A security manager recommends patching old software, since there are security vulnerabilities in the old software and since exploit code for those vulnerabilities is publicly available.

In each example, there is clearly an appeal to probability. In the first example, the firewall administrator argues there is a non-negligible probability that an unencrypted password sent over the Internet could be compromised. In the second example, the auditor argues there is a high probability that a security awareness training program would decrease the probability of security incidents. And in the third example, the security manager argues there is a significant probability the system will be compromised.

While probably no one would deny that information security risk analysis is shot through with appeals to probability, virtually no one has attempted to analyze the concept of probability in such appeals in any sort of precise or rigorous way. Moreover, there is virtually no discussion of probability or inductive logic in training for information security professionals. It is little surprise, then, that there is so much confusion and misinformation among information security professionals regarding the role of probability and inductive
logic in information security.

© BlogInfoSec.com, 2010. | Permalink | 2 comments | Add to del.icio.us
Post tags: decision theory, featured, inductive logic, probability, Risk Analysis

Feed enhanced by Better Feed from Ozh

The name of the symposium was “Toward a Federal Cybersecurity Research Agenda: The Game-Changing Themes,” and the particular topic covered by Dr. Muoio in the “Government Overview” session had to do with “moving target” approaches. The underlying proposition is that, in order to outwit the bad guys, one should be agile and stay one step ahead of the attackers by making security systems so complex that those with evil intentions will not be able to keep up. Currently, it would appear that the shoe is on the other foot, with the attackers keeping victims on the defensive by being state-of-the-art and staying ahead of the owners’ efforts to protect information assets.

More than a decade ago, Bruce Schneier wrote a piece in his Crypto-Gram Newsletter of March 15, 2000, with the title “Software Complexity and Security,” available at http://www.schneier.com/crypto-gram-0003.html. The opening sentence of the article is: “The future of digital systems is complexity, and complexity is the worst enemy of security.” He ends the article with the words: “Secure systems should be cut to the bone and made as simple as possible. There is no substitute for simplicity. Unfortunately, simplicity goes against everything our digital future stands for.”

While Bruce was referring to the underlying software that infosec professionals are trying to protect, I believe that the same goes for security systems. If we embark on a complexity race with the bad guys, we may end up the losers. The real, though likely impossible-to-do answer, is to simplify underlying software, platforms and infrastructure and have correspondingly simple security systems. However, even if we are not able to roll back complexity, we need to do something in terms of the designs and structures of systems. The subprime mortgage fiasco, the “flash crash” of May 6, 2010, and the Gulf oil gush catastrophe are all recent examples of complexity resulting in disaster and making for much more complicated recoveries.

I bemoaned the increasing complexity in a column “The Death of K.I.S.S.” in Securities Information Magazine, in 1994. I pointed out that systems had become so complex that it was no longer possible for an individual or a group of individuals to know and understand every aspect of the systems that they are responsible for supporting.

A real-life example of the detrimental impact of complexity is the April 27, 2010 New York Times front-page article by Elisabeth Bumilller with the title “We Have Met the Enemy and He Is PowerPoint,” with due deference to Pogo. The article is accompanied by a very complicated “… PowerPoint diagram meant to portray the complexity of American strategy in Afghanistan…” According to Gen. Stanley A. McChrystal, then leader of the American and NATO forces in Afghanistan, “When we understand that slide, we’ll have won the war.” As for the war in Afghanistan, so it is for computer systems and their protection. We are continuing to build ever more complex systems, so how can we hope to protect them?

I believe that hope lies in decoupling system components … that is, introducing the computer system equivalent of circuit breakers. If a module is overheating, there should be some way of disconnecting it from the rest of the system in order to avoid a ripple effect. This is similar to isolating sections of the electricity grid so that a failure of one segment does not bring down others.

In my opinion, the answer lies in simplifying systems and minimizing their attack surfaces. Perhaps we’ll have to give up some functionality, perhaps not. Perhaps it will cost more, perhaps not, especially when you include the cost of system compromises and failures due to attacks. In any event, it is worth a try since the greater-complexity approach does not appear to be working.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: Bruce Schneier, Dr. Patricia Muoio, NITRD, ODNI, software complexity, spotlight

Feed enhanced by Better Feed from Ozh

Apparently, from the comments on the article, there are many (IT folks) who have been aware of this phenomenon for years. I am not one of those. Sure, I realized that modern copiers scan original documents and print from an electronic image on to the paper, since copies are printed well after the last page has been scanned. I just assumed that the pages were stored in memory and discarded once the pages had been printed. But saving the images to disk! Why would anyone even want to do that?  I can only imagine that the same folks who delight in scanning telephone logs so that they can charge employees for “personal calls” might be scanning the contents of the disks for “personal copies” so that they can charge back the cost to the employees. I have always believed that the cost of monitoring personal use of phone calls, copies, and the like often exceeds any monies retrieved and that the lowering of morale of such oversight only adds to the cost of such surveillance.

On the other hand, a high security establishment, such as a government research institute, might want to check that no copies were made of highly secret documents. But by the time such unauthorized copying were caught, the copies would probably have been sent on their way to their designated recipients, although nowadays electronic copies are more likely to be shared, as with WikiLeaks, say.

And of course, there have been privacy and security issues relating to the newer network-attached scanner-copier-printer devices, where one can scan and send documents without having to print them. These are really of greater concern, since scanned documents can be sent off-site in a heartbeat.

I have to believe that for many, the fact that images are being stored on copier storage devices came as a revelation. Seemingly Congress and the FTC were not aware. This falls into a category of unknown-unknowns similar to those that I covered in my May 10, 2010 column “Insider Threat – Not Knowing That You Don’t Know What You Don’t Know.” Clearly it is in the interest of those bent on theft and fraud (as well as perhaps blackmail and other crimes) not to have the knowledge of such data-leak mechanisms made public. So much data are regularly discarded on electromagnetic media residing in discarded PCs, cell phones, and the like. Increasingly, electronic copies of data flow uncontrolled throughout the cloud.

Making the public aware that copies of personal information and intellectual property might be so compromised could have some deterrent effect and make people more circumspect. However, it is unlikely that such awareness will have much impact. If the need or reward is great enough, and the chances of getting caught are thought to be small, then the convenience of making those unpermitted copies will most likely prevail, whether or not the person doing the copying is aware that the content is being stored within the machine.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: data breaches, data leak, MFD, multi-function devices, photocopiers, spotlight

Feed enhanced by Better Feed from Ozh

It is, of course, very necessary to fix deficiencies that caused or contributed to previous catastrophes. However, there is, in my opinion, an even more important, though frequently missed, lesson which has to do with preventing the next disaster from happening. One of the most serious problems with the practice of information security is that we always seem to be trying to ensure that past successful attacks will not succeed in the future. While there is clearly value in patching known vulnerabilities, this approach only encourages the bad guys to come up with new and more effective ways to attack. It’s a big mistake to be constantly looking through the rear-view mirror for direction going forward. What is needed is a forward-looking approach. Let’s try to anticipate what will be attacked and work to protect against future threats. It really shouldn’t be that hard to do. There are some basic rules to follow, as I will describe.

The coolest new features are the most vulnerable. This paraphrases the old joke about the earliest slaves getting the hungriest lions in the Roman arenas. It is when some new capability or technology is introduced, often without adequate testing and without much thought given to how it might be misused, that the bad guys launch their successful attacks. Perhaps there needs to be a “cooling off period” before a major new device or piece of software goes mainstream.

The fraudsters go to where the money is. Again a paraphrase, this time of Willie Sutton’s response to being asked why he robbed banks. It doesn’t take much thought to realize that the bad guys will seek out the weak spots in financial and commercial systems. And often the weakest links are the small to midsize entities. Maybe we should be investing more time, effort and money in coming up with ways to protect the smallest entities and individuals, rather than the large institutions, which generally are already investing in security, albeit solving yesterday’s problems.

Here’s a coincidence … while I was writing this column, The Wall Street Journal of July 22, 2010 published an article by Sarah E. Needleman in the Small Business section with the title: “Lights Out Means Lost Sales: Business Owners Take Precautions Against Power Outages; ‘It’s Insurance.” The article describes situations in which significant business was lost for want of a backup power supply or generator. Small businesses often have not implemented even the most rudimentary security precautions.

Take heed of warnings. Most catastrophic events, from financial meltdowns to major oil spills, have already been anticipated.

Another coincidence … Quite by chance, as I was writing this, Ian Urbina wrote an article for The New York Times, dated July 22, 2010, about the Gulf oil spill with the title “Workers on doomed rig voiced safety concerns: ‘Run it, break it, fix it. That’s how they work,’ said one.” It tells that “… many of [the workers who had been surveyed, prior to the fire on the oil rig] were concerned about safety practices and feared reprisals if they reported mistakes or other problems.”

While it is financially and practically impossible to address every concern, management and policy makers should at least be more realistic about the likelihood of something bad happening. There are clearly segments of the critical infrastructure that will eventually fail or be brought down and perhaps we should be designing electrical power grids, highways, railroad tracks and the like to have greater redundancy and resiliency through multiple diverse paths, and alternatives that do not depend on the various grids. The collapse of a single bridge can have major economic impact on a region. Why not have a fleet of ferries that can be deployed to many areas? Should we encourage more local electricity generators for communities and individual buildings? Should there be several ways of achieving the same goal?

We in security talk about defense in depth, and that makes a lot of sense. However, one must be aware of common points of failure and recognize that practically everything fails eventually, whether communications, power, transportation, etc. The main difference is that information security is more subject to active attempts to break-ins or compromises. As circumstances change, other threats emerge and the less valuable become the lessons learned from previous disasters.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: defense in depth, disaster planning, disaster recovery, risk assessment, spotlight

Feed enhanced by Better Feed from Ozh

For that reason, I propose that to find the answer we take an interdisciplinary approach and look outside the field of information security. Let us begin with a foundational term, “hazard.” A hazard is an outcome that constitutes a source of danger. A risk is a situation in which more than one outcome is possible (and hence not certain), and at least one outcome involves a hazard.

Jack states that, if asked to provide a list of key risks within their scope of responsibilities, many infosec professionals would answer with a list of issues. I think this is probably correct. The problem, he says, is that such lists make it difficult to measure, compare, and/or prioritize issues. Again, I agree. The only point I would add is that it is sometimes difficult to measure, compare, and/or prioritize ‘real’ risks (i.e., items that are a function of both probability and impact) . Different risks may have qualitatively different types of impacts (e.g., monetary loss, inconvenience, loss of life, etc.).  And, as Nicholas Rescher pointed out long ago, it’s far from obvious that there is a common unit of measurement we can use to compare such risks.  We may have to measure the risks of different hazard types using different units of measurement, just as we use different units of measurement for lengths, temperatures, and weights (Rescher, Risk, pp. 20-21).

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: hazard, jack jones, nicholas rescher, risk

Feed enhanced by Better Feed from Ozh

• The Big One (Pacific Earthquake) – Almost certain
• Synthetic Life – Almost certain
• Self-Aware Machines – Likely
• Extra Dimensions – 50-50
• Alien Intelligence – Unlikely
• Human Cloning – Likely
• Nuclear War – Unlikely
• Fusion Energy – Very unlikely
• Everyday (Room-Temperature) Superconductors – 50-50
• Asteroid Collision – Unlikely
• Deadly Pandemic – 50-50
• Polar Meltdown – Likely

The three events that would be catastrophic and also have a 50-50 or greater chance of occurring, are: the Pacific earthquake, a deadly pandemic and Polar meltdown. There is no disastrous oil spill on the list, possibly because the lead time of the magazine was too long to capture the breaking news. Also, it has already happened so has no place in a forward-looking piece, although prediction of the potential impact of the oil spill might be a worthwhile topic.

What struck me most about the list is that the threat of a devastating cyber attack or cyber war is blaringly absent. It is frustrating to see that cybersecurity is either relegated to minor consideration when discussing threats to our lives and livelihoods or ignored altogether, as it was in the above Scientific American article.

If I were to write a piece on the “thirteenth event,” it would be about the degree to which the World’s critical cyber infrastructure is at risk and that there is “almost certainty” that there will be a major cyber event, brought about intentionally or possibly accidentally, within the next decade. If the response to such a cyber event follows the pattern of the Gulf of Mexico oil spill, government will defer the elimination the source of the problem to the private sector and will take on some responsibility for helping people put their lives back together. Like the oil spill, a cyber event will likely be long and debilitating with the failure of numerous attempts to stem the source by Internet service providers, backbone telecommunications companies, and a host of vendors and industry experts from various sectors.

It is still too early to know what the outcome of the oil spill will be in terms of laws, regulations, liabilities and responsibilities. It is likely that government will play a much more active role in reducing risks and in preparing for responses to events, if not banning deep-water drilling altogether.

If one were to derive the cyber event analogy, government will introduce laws, regulations, restrictions, guidelines, penalties, etc. but not until after a major cyber event. There are those, such as Vice Admiral Michael McConnell (USN, Ret.), who believe nothing will happen until after a major cyber catastrophe, as I describe in my March 29, 2010 Bloginfosec column “Cybergeddon – Ho Hum.” Why not learn the lessons of the oil spill disaster and put in place parallel measures for cyber, as with oil drilling, before a cyber catastrophe occurs, rather than after the fact?

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: cyber attack, disaster planning, Gulf oil disaster, Scientific American, spotlight

Feed enhanced by Better Feed from Ozh