This is part of a continuing series of blog posts about the
latest DHS-IdeaScale project to open a public dialog about homeland security
topics. This dialog
addresses the DHS Integrated Task Force project to help advance the DHS
implementation of the President’s Cybersecurity Framework outlined in EO 13636.
The earlier post in this series was:
Yesterday there was an interesting comment left on my latest
contribution to the IdeaScale Cybersecurity Project by Richard Bennett. While
the question was left on my proposal of an information
sharing program it would apply to just about anything to do with the
cybersecurity project. Richard asked:
“DHS and industry may be talking
past each other when speaking of "actionable intelligence" since the
question is not "can you do something?" but rather "should we do
something?". When the level of service for water, electricity, waste
disposal or such is deemed acceptible when natural disasters can cause
weeks-long outages, it is difficult to say that marginal improvements in
preventing a man-made outage are worth the effort.”
Similarities to
Regional Storm Damage
While the question would certainly have a different response
for a commercial production facility, it is apparent that the shutting down of
a public utility on a regional level is something that we have come to tolerate
with a modicum of discomfort. As long as a utility production facility is not
catastrophically destroyed, wouldn’t the damage from a cyber-attack be ‘as easy’
to repair as say an outage caused by a large hurricane, flood or snowstorm?
Actually, cyber-damage should be easier to repair because it
would not be taking place spread over a wide geographic area like the damage to
power lines after a major storm. Additionally the crews would not have to be
working on the proximate cause of the damage (downed tree limbs for example)
before they could repair the actual system damage.
Differences
There is one significant difference that might make cyber-attack
damage more of an issue than say utility damage from a hurricane. Large-scale
damaging weather events are usually forecast a couple of days in advance.
People have a chance to fine-tune their emergency response plan before the damage
occurs. Individuals have a chance to go to the store to stock-up on emergency
supplies before the incident and utilities have a chance to stage response-personnel
near the to-be-damaged area before the damage occurs.
Another, harder to quantify difference would be the
psychological and sociological aspects of the response. With a storm there is a
chance to mentally prepare oneself for the potential effects of the storm
damage. In a terrorist attack, that does not occur. Additionally, in a properly
conducted terror attack, there is the additional unknown factor about what else
might also be about to be attacked. Panic brought about by the fear of the unknown
is something that would be expected to be more of a problem with a terror
attack than with storm damage.
Issues Discussion
Richard’s response to my suggestion is a perfect example of
the benefit we can derive from these IdeaScale projects. Ideas can get
discussed in a public venue with input from a wide variety of personnel with
different backgrounds and experiences. Anyone can put forward an idea, and
everyone can respond to that idea in a public venue that can engender further
input.
Once again, I would like to take the opportunity to urge
everyone to visit this IdeaScale site and put in your two cents worth. If you
have no more time available than to read a couple of the ideas that catch your
fancy, please vote on whether or not you thing the idea has merit. If you have
more time available, contribute a comment like Richard did; it will add to the
discussion. But better yet, put one of your ideas down on paper and then post
it to the site for others to read, vote upon and discuss. Be a real contributor
to the development of national policy.
Posts
No comments:
Post a Comment