The approving response of an IT security professional last week pointed me to a story about cybersecurity in which I'm featured. The story and accompanying video are called: "Is Cyberwar Hype Fuelling a Cybersecurity-Industrial Complex?" It's a really good look at how government contractors, many former government officials, are working Washington to generate an issue.
How rare is it that a cybersecurity news report includes even a word of doubt about the nature and scope of the threat? How rare is it that any news report includes a word of doubt about the nature and scope of threats?
My correspondent, who works at a public utility in IT security, said some things that are fascinating and important.
We are being asked to do things that have no practical risk-reduction value, purely for the perceived benefit. It takes no effort to say that the cyber world is about to end, yet it takes tremendous effort to continually demonstrate that we are prepared for anything.
In other words, operators of so-called "critical infrastructure" are already wasting effort on things that merely look like improved security, because cybersecurity fear-mongers spinning apocalyptic tales have put them in the position of proving that nothing could ever go wrong. Imagine what it will be like when varied government bureaucracies are calling on the private sector to prove they are implementing endlessly varying, imagination-based federal cybersecurity dictates.
Now, a few caveats are in order: cybersecurity is a real problem, and securing computers, networks, and data presents many challenges to every organ of society. I'm quoted in the story saying there is "no chance whatsoever" that nuclear power plants and electric infrastructure would be hacked and taken down for any significant period of time. The more accurate phrasing would have been that the chance is "exceedingly small." The point remains that these problems have nothing like the scale or significance of war or terrorism (except to the extent that terrorism is also an important but entirely manageable problem).
In the event of some future, modest-consequence incident, I fully expect to be called out as having been a Panglossian cybersecurity naysayer. (It's a tactic one would expect from advocates who misstate basic math to hype threats.) Not so. I expect some bad things to occur. I don't believe that centralizing our country's cybersecurity efforts in the federal government would position us better to prevent them or respond to them.