We live in a ‘smart world’, with cyber technology deployed all around us, and yet as a society and as governments we are largely in denial about what this might mean in terms of risk. Are we really being so smart? We have a collective fear of the effects of climate change on human society because we can relate them to events we have seen before: floods, storms, droughts and extremes of temperature. There is a sense of reality around climate change and its possible outcomes, even though there is uncertainty and diversity of opinion. Do we have the same sense of reality around cyber risk? The Attributer will argue that we do not.
Let’s first recall the definition of risk in SABSA terms, which is based on and wholly aligned with ISO 31000: risk is the uncertainty of outcomes (ISO 31000 words it as the effect of uncertainty on objectives). That uncertainty cuts both ways: there is a likelihood of beneficial outcomes and a likelihood of damaging outcomes. The ‘smart cyber world’ opens up many opportunities, but what about the threats?
Since we always have incomplete information, we can never predict with a high level of confidence what the future will bring, unless we can be sure that it will look like the past. Experience shows that the future holds many surprises. We don’t know what we don’t know (Taleb’s Black Swan theory). The traditional statistical way to model risk is to fit a mathematical probability distribution to past observations, use its parameters (typically a mean and a standard deviation) to put a bound on extreme events at a level of confidence that we find acceptable, and then prepare risk mitigation for everything inside that bound. The data points for fitting a suitable distribution are things we have seen before – previous observations and current trends. The method therefore rests on two silent assumptions: that future events are drawn from the same process as past ones, and that the tail of that process is no heavier than the fitted distribution allows. Climate modelling follows this methodology.
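To make the weakness concrete, here is an added illustration (not part of the original column) of the ‘fit a distribution to the past and plan inside its confidence interval’ method, run as a backtest. The outage history, the 99.9% confidence level, the five-observation minimum before fitting and the 2,000-hour grid-scale event are all constructed assumptions for the example, not data from any real grid. At each step the model is fitted to everything seen so far, a planning ceiling is computed, and the next event is checked against it.

```python
"""Backtest of a 'fit a distribution to the past' risk bound.

Added illustration, not part of the original column. The outage history
below is constructed for the example; it is not real grid data.
"""
from statistics import NormalDist

# Constructed history of outage durations in hours, in chronological order.
# Most events are small and local; a few are a new order of magnitude.
OUTAGE_HOURS = [2, 3, 1, 4, 2, 3, 12, 4, 5, 3, 40, 6, 8, 5, 200]

# Assumed planning parameters: the confidence level the organisation finds
# acceptable and the minimum number of past observations before fitting.
CONFIDENCE = 0.999
MIN_HISTORY = 5


def planning_ceiling(history, confidence=CONFIDENCE):
    """Magnitude below which `confidence` of events are expected to fall,
    under a normal distribution fitted to `history` (mean and sample
    standard deviation). Mitigation is planned up to this ceiling."""
    return NormalDist.from_samples(history).inv_cdf(confidence)


def model_exceedance_probability(history, magnitude):
    """Probability the fitted normal model assigns to an event larger than
    `magnitude`. Collapses to 0.0 once the event lies far outside the data."""
    return 1.0 - NormalDist.from_samples(history).cdf(magnitude)


def backtest(history, confidence=CONFIDENCE, min_history=MIN_HISTORY):
    """Walk the history in order. At each step fit the model to everything
    seen so far, compute the ceiling, and record whether the next event
    breaches it. Returns a list of (index, observed, ceiling) breaches."""
    breaches = []
    for i in range(min_history, len(history)):
        ceiling = planning_ceiling(history[:i], confidence)
        if history[i] > ceiling:
            breaches.append((i, history[i], round(ceiling, 1)))
    return breaches


if __name__ == "__main__":
    for idx, observed, ceiling in backtest(OUTAGE_HOURS):
        print(f"event {idx}: {observed}h exceeded planned ceiling of {ceiling}h")
    # Assumed grid-scale event: 2000 hours without power, scored against the
    # model fitted to the whole history.
    print(model_exceedance_probability(OUTAGE_HOURS, 2000))
```

Three of the ten predictions are breached (the 12-, 40- and 200-hour events), each of which the model rated a roughly one-in-a-thousand event at the time. The fitted model never anticipates the next scale because it has only ever seen the previous one, and the assumed 2,000-hour grid outage receives a probability that rounds to zero. Planning ‘within the confidence interval’ then means planning for none of the events that matter.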
Now consider the smart cyber world. The pace of development is fast and accelerating. We have almost no history of cyber events of significant scale on which to build a probability distribution. Worse, what we do have is a history of how the world works in a non-cyber environment, and we are using those event histories to model the future. Does anyone else see the danger in this?
Take one thing on which the modern world depends: electricity. We have plenty of experience of localised power outages and how to deal with them. Weather events, seismic events, breakdowns of industrial relations, technology failures and many more are within our experience. However, smart cyber technology suggests that power outages on an altogether different scale are possible (even probable?). We are deploying smart grids, smart metering and other smart control systems to govern electricity supply and consumption. What would be the outcome of a widespread cyber attack on these systems? Consider an attack that brings down the national electricity grids of several countries at once. Recovery strategies built for localised outages assume that a neighbouring region still has power to lend; they will not work. There will be no water or oil pumping, no telecommunications, no functional medical equipment, no road traffic control, no street lighting and no industrial production, to mention just a few of the impacts. Try to imagine a world without electrical power. Law and order would be at risk.
It is clear that enemies of the democratic world will use any means of attack at their disposal. The modern terrorist is smart, educated and cyber-competent. We must dispel the image of men with long beards and rifles living in caves in the mountains. Today’s terrorists hide in plain sight, living amongst us and plotting sophisticated attacks that will do maximum damage to the democratic states they oppose. In the opinion of the Attributer, they are plotting and planning cyber attacks on a scale we have never before witnessed – data points that do not appear in our statistical models.
We need to shift into a different gear in our thinking and planning. The current approach of treating cyber-security as a technical problem with local technical solutions will not serve us if (when) this future unfolds. We need end-to-end, wall-to-wall thinking – the type of thinking that SABSA practitioners use in developing business and technology architectures.