Ralph Langner paired with Perry Pederson for his first major paper at the Brookings Institution – Bound To Fail: Why Cyber Risk Cannot Be “Managed” Away. The authors write “The sober reality is that in respect to the cyber security of critical infrastructure, there is no empirical evidence that a risk-based approach, despite its near decade of practice, has had any success.” They then back that up with a very logical argument and detailed examples. It also does not bode well for the likely results of the Executive Order.
After arguing their point that a risk-based approach will continue to fail, Ralph and Perry turn to a different approach that they believe will succeed. This is based on three points:
- Politics – Political, not business, reasons should drive the need for security … “the notion of saving private corporations money has rarely been a factor in matters of true national security, and critical infrastructure protection certainly is a national security issue.”
- Practicality
- Pervasiveness – The authors argue that trying to separate systems into critical and non-critical, as is done in NERC CIP, is a mistake.
While I bought in completely to their argument against continuing a risk-based approach to government efforts, the way forward was less compelling for me. It may be these concepts need to be defined in more detail than was possible in this initial paper. For example, the concept of pervasiveness may be inefficient and result in a lot of work that does not improve the security posture. Or it may be how pervasiveness is applied. If a government defined the top 100 CI ICS and said all components of those systems must be secured, it might eliminate all the wasted effort placed on determining if a system is in or out of regulatory scope.
I’m all in for trying something different since throwing more time and money at what has failed the last decade is futile and unwise.
A few other noteworthy points from the paper:
- They clearly, and accurately in my opinion, note that the US efforts on offensive cyber security have been the success of the last decade, in contrast to defense. Pull quote: “that his (Obama) first term was marked by the incredibly quick – yet mostly silent – buildup of the world’s largest cyber firepower, including an actual “bits on the ground” operation in a hostile country (Iran).” This is important in the context of the recent furor over APT1 and China. I was pleasantly surprised to see George Will hit this twice on the ABC Sunday news show.
- My favorite line is “Nonetheless, using insecure products to control a nation’s most critical systems is at the least intolerably negligent.”
This paper is worth reading, and I hope it gets some attention from policy makers in the US and other governments.
Image by loop_oh