Wednesday, June 26, 2013

DHS ITF IdeaScale Cybersecurity Project – Risk Benefit Analysis

This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:

Yesterday there was an interesting comment left on my latest contribution to the IdeaScale Cybersecurity Project by Richard Bennett. While the question was left on my proposal of an information sharing program it would apply to just about anything to do with the cybersecurity project. Richard asked:

“DHS and industry may be talking past each other when speaking of "actionable intelligence" since the question is not "can you do something?" but rather "should we do something?". When the level of service for water, electricity, waste disposal or such is deemed acceptible when natural disasters can cause weeks-long outages, it is difficult to say that marginal improvements in preventing a man-made outage are worth the effort.”

Similarities to Regional Storm Damage

While the question would certainly have a different response for a commercial production facility, it is apparent that the shutting down of a public utility on a regional level is something that we have come to tolerate with a modicum of discomfort. As long as a utility production facility is not catastrophically destroyed, wouldn’t the damage from a cyber-attack be ‘as easy’ to repair as say an outage caused by a large hurricane, flood or snowstorm?

Actually, cyber-damage should be easier to repair because it would not be taking place spread over a wide geographic area like the damage to power lines after a major storm. Additionally the crews would not have to be working on the proximate cause of the damage (downed tree limbs for example) before they could repair the actual system damage.


There is one significant difference that might make cyber-attack damage more of an issue than say utility damage from a hurricane. Large-scale damaging weather events are usually forecast a couple of days in advance. People have a chance to fine-tune their emergency response plan before the damage occurs. Individuals have a chance to go to the store to stock-up on emergency supplies before the incident and utilities have a chance to stage response-personnel near the to-be-damaged area before the damage occurs.

Another, harder to quantify difference would be the psychological and sociological aspects of the response. With a storm there is a chance to mentally prepare oneself for the potential effects of the storm damage. In a terrorist attack, that does not occur. Additionally, in a properly conducted terror attack, there is the additional unknown factor about what else might also be about to be attacked. Panic brought about by the fear of the unknown is something that would be expected to be more of a problem with a terror attack than with storm damage.

Issues Discussion

Richard’s response to my suggestion is a perfect example of the benefit we can derive from these IdeaScale projects. Ideas can get discussed in a public venue with input from a wide variety of personnel with different backgrounds and experiences. Anyone can put forward an idea, and everyone can respond to that idea in a public venue that can engender further input.

Once again, I would like to take the opportunity to urge everyone to visit this IdeaScale site and put in your two cents worth. If you have no more time available than to read a couple of the ideas that catch your fancy, please vote on whether or not you thing the idea has merit. If you have more time available, contribute a comment like Richard did; it will add to the discussion. But better yet, put one of your ideas down on paper and then post it to the site for others to read, vote upon and discuss. Be a real contributor to the development of national policy.

No comments:

/* Use this with templates/template-twocol.html */