C. Warren Axelrod

Black Swans … or Oil Victims?

There is an article in The New York Times Magazine of June 6, 2010 by David Leonhardt with the title “Underestimating Risk: What the oil spill and the financial crisis have in common.” It is in a section called “The Way We Live Now,” and next to the section heading there is a drawing of a black swan. The author or editor wanted to illustrate the black breed of swan, which originated in Australia and was made famous in Nassim Nicholas Taleb’s book of the same name (although Leonhardt doesn’t credit Taleb with originating the phrase’s application to low-probability, high-cost events … perhaps because it is now mainstream). Fellow columnist Sam DeKay tells me he is now reading Taleb’s book, so my recommendation is clearly meeting with some success. But I couldn’t help thinking, having seen so many heart-wrenching photographs of dead and dying seabirds covered in black oil, that perhaps a really tragic version of a black swan is a white swan, covered in oil.

Leonhard draws a parallel between the oil spill and the financial crisis in terms of faulty risk assessment and unanticipated catastrophic events. He also describes how limiting the liability of oil companies to $75 million creates a moral hazard situation where oil company decision makers are prepared to increase their risk knowing that their downside is limited, much as financial executives took on greater risks when they were effectively indemnified against losses.

What about cybersecurity? Are cyber decision makers avoiding meaningful risk-reduction efforts because, if a cybergeddon were to occur, they would not be held personally responsible for stopping the flow or cleaning up the mess? Is it because no one considers him or herself personally liable or responsible? Would we see another “tragedy of the commons” play out as we are with the oil cleanup in the Gulf of Mexico.

It is expected that government emergency services and national security services would be rushed to help with the consequences of a cyber attack or the accidental taking down of the Internet. These consequences might be the loss of communications, transportation, financial services, health services, and other critical sectors.

For a mind-blowing description of the horrifying consequences of a black-swan electromagnetic pulse (EMP) attack, read William R, Forstchen’s book One Second After, which I referenced in my March 22, 2010 Bloginfosec column “EMP-athy for Toyota.” For an authoritative analysis of the risks and remedies for EMP and other black swans, see the newly-published (June 2010) 120-page report High-Impact, Low-Frequency Event Risk to the North American Bulk Power System, published by NERC (North American Electric Reliability Corporation, available at www.nerc.com/files/HILF.pdf.  The report lumps together in one section both EMP and GMD (geomagnetic disturbances). GMD are generally natural events (cf. the Icelandic volcano), whereas EMP can be natural or manmade, either accidentally (cf. the Gulf oil spill) or intentionally (such as the detonation of a nuclear test or a terrorist attack). As an example of GMD, a geomagnetic storm took out the Canadian Hydro Quebec system in March 1989 and 6 million people lost power for 9 hours or more. However, the report is low key when it comes to the impact of EMP on control centers’ networks and computer systems, stating on page 108 that:

“… a program of measurement of shielding effectiveness should be done … the geometry of cables with power and communications entering the facilities should be analyzed. After this information is obtained, assessments of the vulnerability and need for hardening will be completed.”

The above are “shoulds,” not “musts,” indicating that the authors believe that the probability of a major EMP is very small.

While many, including NERC, think that a particular large-scale EMP attack is not likely, some of the resulting consequences, such as those described in Forstchen’s book, could be the result of any of a number of causes, including a large-scale Internet collapse. What is clear is that our catastrophic contingency plans are woefully inadequate, in large part because cyber risks are not properly quantified and assigned, as well as being downplayed by authorities. The government agencies, which might be called upon to resolve a catastrophic cyber disaster do not appear to have either the expertise or the tools to control a massive attack that overwhelms our in-place cyber blowout protectors, which have not been tested under extreme conditions, not previously experienced (sound familiar?). Those in the private sector, such as the big telecommunications companies, which might have the resources, do not see securing the Internet as their responsibility. And the private sector will not become accountable until government insists that they do so, and Congress puts teeth into such insistence.

One Comment

  1. Alex Jun 29, 2010 at 10:29 am | Permalink

    Nassim Taleb is the Glenn Beck of economics.

Post a Comment

Your email is never published nor shared. Required fields are marked *