Waiting for a Disaster

By Phil Reitinger

For the latest installment of Cyber Throwback Thursday (CTBT #3), I took a look back at the first really significant examination of critical infrastructure protection in the United States, Critical Foundations: Protecting America’s Infrastructures, produced by the President’s Commission on Critical Infrastructure Protection in October 1997. This report is the foundation for everything that came afterward, and it led directly to PDD-63 in 1998. Critical Foundations is indeed THE critical foundation.

Like the National Strategy to Secure Cyberspace, which was produced six years later in 2003, it is almost shocking how much of Critical Foundations could be written today. The description of the level of risk, the degree of interdependency, and the pace of change are all still relevant.  The document announces themes that continue to underlie US policies today, especially shared responsibility for protection, the need for public-private partnership, and the paramount requirement of information sharing for success. I bet I could cut-and-paste from this document and produce a reasonable speech on the cyber threat for a US Cabinet secretary today.

The authors of this document understood the challenge. The Executive Summary specifically and presciently states: “We should attend to our critical foundations before we are confronted with a crisis, not after. Waiting for a disaster would prove as expensive as it would be irresponsible.” And the country, government and the private sector alike, did not thereafter act irresponsibly. The endless stream of policy and organizational developments shows that, from PDD-63 through the National Strategy to PPD-41, the United States (as part of a global community) has been attempting to take steps. But what it has never done, and what the global community has never done, is to fully understand and accept the scope of the challenge and respond accordingly. We have addressed a problem of exponentially growing scope with linearly growing effort.

Missing from Critical Foundations, and likely unknowable at the time, is a sense of the degree to which information technology would explode in use and networks would rocket in size and complexity, permeating every aspect of our lives. To be sure, the report notes the increasing value and spread of technology, but smartphones, the “cloud,” and the Internet of Things were perhaps not imagined. For example, citing other sources and looking five years ahead, Critical Foundations predicted that in 2002 there would be “tens of thousands” of viruses, “500 million” personal computers, and “300 million…Internet Devices accessing the World-Wide Web.” By 2016, according to PandaLabs, 20 million new malware samples were identified in the first three months of 2016 alone, and according to Gartner, 6.4 billion Internet-connected things would be in use in 2016, with the number expected to reach 20.8 billion by 2020. These order-of-magnitude differences in scale produce a difference in kind, not merely in degree, in the cybersecurity challenge.

More resources have to be devoted to cybersecurity, both by governments and the private sector.  As I said a few weeks ago, if a program from a large industrialized government doesn’t have a “billion” associated with it, perhaps we should wonder why. More people have to be trained; the number of cybersecurity job openings is projected to rise into the millions.

But these are bandages.  Dollars, euros, pounds, and yen don’t scale, and neither do people.  To solve cybersecurity at scale, our actions must include much more reliance on automation, like the DHS Automated Indicator Sharing program, because technology can scale with technology risk.  We must implement new business models, including greater use of the right cloud services and more community efforts like the Global Cyber Alliance that aggregate capability to more effectively mitigate risk.  And we must have a focus on systemic risks, implementing solutions that reduce the risk by orders of magnitude more than they cost.

Nineteen years ago the authors of Critical Foundations told us all that “waiting for a disaster” was foolish. It still is. In the last 19 years, we have seen at least the precursors of disaster, and we will face more significant near-disasters in the future. In a sense, we are not waiting for disasters any more but living with them every day. Unless we match greater resources with different approaches, however, waiting for a real disaster is inevitable.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance.

You can follow him on Twitter @CarpeDiemCyber.