Are Risk Models or Data to Blame? Yes!

On the front page of the June 24, 2010 issue of The Wall Street Journal there is an article by Neil King Jr. and Keith Johnson with the title “BP Relied on Faulty U.S. Data.” When you turn the page (note that I’m reading the actual physical newspaper, not an electronic version, so I actually turned the page), the title becomes “BP Based Spill Plans on Faulty U.S. Government Models.” (Note that the online version of the article doesn’t have two titles, different or not.) Which is it … models or data? Or is it both? Data and models are clearly different, at least to my mind, so one must delve into the article to determine what is meant.

Let’s ignore for the moment whether or not the U.S. Government, in the form of the much-maligned (apparently deservedly so) Minerals Management Service (MMS), the Department of the Interior’s regulatory body, actually misled BP. We’ll first take a look at what is claimed to have caused the errors in the predicted outcome of a catastrophic spill.

The basic assumption described in the article, which proved to be wrong, was that “most of the oil would rapidly evaporate or get broken up by waves or weather.” However, the head of the MMS environmental division in 2001 warned that “the oil spill trajectory models [known as OSRA or “oil spill risk analysis”] currently used by the oil industry for the preparation of oil spill response plans may not be adequate [emphasis added] for deep water.” According to the model, “[t]he bulk of the Gulf Coast … would not see oil reach shore even with a catastrophic offshore spill.” Well, at least one thing is clear(er): the OSRA model was exercised for catastrophic spills, which suggests that the models, rather than the input data, were at fault.

How does this measure up with respect to cybersecurity? Well, for one thing, you wouldn’t be able to blame the models … we don’t have any. As for data, we don’t have much of that either, so bad data couldn’t be faulted. It reminds me of a lawyer’s position on publishing one’s company’s privacy policy on the Web, namely, that if you don’t comply with the published policy, you’ll be in more trouble than if you didn’t have a formal privacy policy at all. Noncompliance is viewed as more serious than omission, I was told. However, to be fair, the lawyer advised that one should publish the policy, but needs to make very sure that it is being followed.

This is exactly my position on cybersecurity. We should have good data and accurate models for cyber attacks and their consequences, so that were a catastrophic cyber event to occur, we would know how to deal with it because we would already have run the model, noted the effects, and worked to mitigate the potential impact. I am proud to be working on both the development of simulation models and the collection of accurate and meaningful cybersecurity data. Both efforts are “in progress” and moving more slowly than I would have hoped, but at least the train has left the station.

And now back to the question as to whether BP implemented riskier technologies because the U.S. government’s models understated the impact of a major spill. This is the perennial “moral hazard” issue … if you believe that the risk to you or your company is lower, do you take greater risks, knowing that you can blame someone else and/or offset the impact on another party? That would perhaps have been valid, had not the CEOs from other oil companies testified before Congress that their companies would have taken a more conservative approach than did BP. And presumably they had access to the same risk models as BP (much as they had the same contingency plans … walruses and all).

Unfortunately we see the same in the cyber world. Since public and private organizations all are on the same page when it comes to protecting cyberspace (the “it’s not my responsibility” page), it is unlikely that meaningful protective measures will be taken. And were something really bad to happen, they can all claim that it is because the government didn’t provide them with a CSRA, or “cyber spill risk analysis.”
