C. Warren Axelrod

The Cyber Tipping Point—Are We There Yet?

As known cyberattacks are being reported as increasing in number, frequency and severity, you have to ask whether we are reaching, or have already reached, a tipping point where everyone gets so disgusted or frightened with the incessant and egregious barrage of attacks that they tune out. On January 9, 2017, I posted a Bloginfosec column with the title “Alleged Russian Hacks … Is This Cybersecurity’s Tipping Point?”

Each time that I raise the question about reaching society’s cybersecurity-risk breaking point, I am astonished at the apparent level of tolerance of the population at large. You would think that everyone would be up in arms about the constant drumbeat of successful attacks on personal data and, more recently, seemingly foolproof ransomware attacks. How could this be happening?

In part, I think that the reason for this attitude is an unwarranted faith in technology to solve all the problems. Much the same holds for climate change. Many whom I talk to on global warming are convinced that there will be a “silver bullet” to resolve the buildup of carbon dioxide in the atmosphere. I hope that they are right. However, what such thinking generally does, in these and other cases, is to delay any mitigation efforts. People look to other warnings from the past, such as the Malthusian idea that the world population will grow beyond its ability to feed itself, and Y2K, which many believe was a non-event (it wasn’t), and extrapolate them to current problems, believing that somehow we will overcome the adversity and then move on.

Are we actually beyond the point of no return for climate change and cybersecurity risk? In my opinion, we really are. Why do I think this? The main reason is that I am seeing experts in both fields beginning to deemphasize preventative approaches and take on resiliency, continuity, recovery and reconstruction challenges. For example, the NIST Cyber Security Framework (CSF) (available at https://www.nist.gov/cyberframework) lists the following five areas: identify, protect, detect, respond, and recover, where protection is outnumbered by activities during and following a successful attack. Perhaps that is a bit of a stretch, but we are definitely seeing a swing of emphasis towards resiliency, which, to my mind, suggests that we have given up somewhat on trying to defend against all attacks.

Not that I don’t think that resiliency should receive more attention—I think that it should. As a practitioner with extensive business continuity and disaster recovery experience, prior to focusing on information security, I am perhaps more sensitive to signs of a gradually growing switch away from prevention and towards recovery among cybersecurity risk articles and books. Indeed, my most read article on ResearchGate, by far, is “Investing in Software Resiliency,” which was published in the U.S. Department of Defense’s Crosstalk Magazine in September/October 2009. Indeed, one of my earliest publications on the topic was an article, “Security during Recovery and Repair” first published in 1989 in Auerbach’s Data Security Management series and later in the Handbook of IS Management 1992-93 Yearbook, which was edited by Robert E. Umbaugh and also published by Auerbach. At that time, I was concerned about reducing the increased vulnerability that systems encounter during a disaster recovery operation. I was also interested in the backup and resiliency of security tools and personnel.

While it is prudent to consider resiliency at the best of times, the recent interest in recovery versus prevention suggests that successful attacks are considered to be all but inevitable, so we had better accept that fact and move on with resolving the resulting problems. That is a defeatist attitude, in my opinion, which should have no place in the minds of those charged with defending us against both cyberattacks and climate change, but it is gaining credence as the fight against these dangers faulters.

We need to determine whether to spend the trillions of dollars to try to halt the progress of cybersecurity threats or to spend possibly many more trillions on responding to the consequences. Either way is a very expensive proposition, but one that has to be addressed if we are to survive in both the virtual and physical worlds. Addressing these cyber and climate issues really is a Hobson’s choice, but experience has demonstrated that it is most often cheaper to spend the preventative dollars up front than to pay for the cleanup after disaster hits.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*