Steve Kelman considers what the Sony hack means for agencies and critical infrastructure.
In the middle of a fairly lighthearted, jovial holiday party in Boston, I got into a much more serious discussion with a young academic who specializes in North Korea (not so many of those in the U.S.) and who sees himself as quite knowledgeable about cybersecurity issues. I asked him how worried he was about possible North Korean attacks on U.S. infrastructure more critical than Sony Entertainment’s salacious email secrets. His two-pronged answer was interesting.
First, he told me that he had worked in investment banking before becoming an academic. The attitude he observed in industry – I have no idea whether his observation, assuming it was correct a few years ago, would still be correct today – was that it was cheaper to buy insurance coverage against cyberattacks than to take the measures that would be needed to effectively deter them. If the risk goes up, he argued, firms could simply up their coverage.
Following up, I asked him whether this suggested that U.S. government agencies might actually protect themselves more aggressively against cyberattacks than private companies that would rather insure than fight. Did he, for example, think the Commerce Department was better protected against attack than Goldman Sachs? (I wanted to pick a mainstream agency rather than the National Security Agency or Central Intelligence Agency.)
His response: “A chain is as strong as its weakest link. The weakest link for government agencies is all the contractors who have data access. They are the government’s biggest problem.”
Finally, in response to a last question, he said he thought there was a 70 percent probability there would be a successful cyberattack in the next 10 years on the New York Stock Exchange that would cause damage he would define as “significant.” (He also noted there had been some anomalous “flash crashes” on Wall Street in recent years that may well be attributable to program trading, but that some experts believe were actually due to successful cyberattacks.)
I should stress here that repeating these statements I was told over the weekend does not constitute endorsement. I repeat them here for two reasons.
The first is the very fact that I initiated a conversation about cybersecurity at this holiday party. In terms of my interest in cybersecurity questions, I guess I would rate myself as an average intelligent layperson. For a very long time, I read about these issues regularly in, say, FCW, but frankly not with an especially high attention level. Not the least in the aftermath of the Sony attack, this topic now has a much larger mindshare for me than even a year ago. (Leon Panetta once said when he was Defense Secretary that it would take a successful attack on the electric grid or other critical infrastructure to make Americans aware of this issue. We now see that Hollywood can have a similar effect on popular consciousness.)
The second reason is that I would like to solicit the reactions of blog readers to these observations by my articulate and intelligent party companion. Is corporate America still inclined to just buy insurance rather than take effective countermeasures? Are contractors the government’s weakest link? Thanks in advance for your comments and reactions!
Meanwhile, I will take off the rest of the week from posting, and be back after Christmas. Happy holidays to everyone.