Also in the recent report from Congress about homeland cybersecurity there is this passage, citing a research report:

The insurance industry has the ability to contribute to the development of a cost methodology through its customer base but is currently limited in the number of specialized cyber risk policies available. CRS found that the "growth of cyber risk insurance is hindered primarily by a lack of reliable actuarial data related to the incidence and costs of information security breaches; enhanced collection of such figures would probably be the most important contribution that policy can make."

Missing data?  Very interesting!

If information gathering has the potential to reduce costs and risks, why does the data shortfall persist? According to the CRS report, "[T]here are two chief obstacles. First, there are strong incentives that discourage the reporting of breaches of information security. Second, organizations are often unable to quantify the risks of cyber attacks they face, or even to set a dollar value on the cost of attacks that have already taken place. Thus, even if all the confidential and proprietary information that victims have about cyber attacks were disclosed and collected in a central database, measurement of the economic impact would still be problematical."

This summary of another report doesn’t say what the strong disincentives are that discourage reporting information security breaches, but one can guess they may have to do with fear of customers worrying about their information being insecure, fear of resulting lawsuits (see Negligence or Risk?) and fear of further targeted attacks. A program like InfraGard may help with such corporate hesitance by permitting information sharing about breaches without public disclosure. Or the other direction might work: disclose all breaches, thus giving all enterprises incentive to do something about them.

The report makes a very important point that a centralized database of all breaches still wouldn’t address the economic issues, because the breached companies don’t know themselves. For that matter, they often don’t even know they’ve been breached; witness the burgeoning blackmarket in botnets. And they know even less about slowdowns and interruptions outside the firewall that cause customers not to be able to transact business.

In other words, required reporting such as the FCC requires of telecommunications companies won’t solve the problem. The popular suggestion of determining the security state of the Internet by having ISPs or even enterprises report on it would be inadequate.

Regrettably, many people continue to use metrics and methodologies from the physical environment when thinking about cyberspace. As CRS determined, "There is a fundamental difference between a cyber attack and a conventional physical attack in that a cyber attack generally disables — rather than destroys — the target of the attack. Because of that difference, direct comparison with previous large-scale disasters may be of limited use."

This last is all true, although there has been at least one case involving an electric utility in which temporary loss of electrical service was counted as physical damage with corresponding legal liability, even though everything worked correctly once power was restored. The lost business did not automatically come back. Damage to reputation does not autmatically come back. Increased expense does not necessarily go away.

There are some other differences about cyberspace.

1. Damage doesn’t have to be the result of a targeted attack. This is is different from physical attacks on physical plant. This is more like acts of God such as hurricanes, earthquakes, and floods, which can damage multiple enterprises simultaneously without any human targetting. Even some human attacks aren’t targeted at a particular enterprise; for example, botnet collectors don’t really care who owns the affected computers; they just want a lot of them. We’re not talking Ocean’s 11 here, where a gang of thieves spends a lot of effort cracking a specific casino. That sort of thing does happen in cyberspace, but cyberspace isn’t limited to it.
2. Such aggregation can be even more widespread than for natural disasters, since the average flood is restricted to a riverbed, the average earthquake to a fault, and the average hurricane to an ocean and its environs. The Internet is worldwide, and as we have seen repeatedly, worms, viruses, and general bug exploits are also worldwide. A given enterprise’s customers may be worldwide, and nonredundant routes, congestion, or cable cuts anywhere in the world can interfere with its business.
3. There are three major electrical grids in the United States, but there is by its nature only one Internet, which also extends worldwide. The Internet is the one infrastructure all enterprises increasingly depend upon.

-jsq

iIt seems that part of Congress has a clue about what needs to be done in cybersecurity for U.S. homeland security, starting with creating an Assistant Secretary for Homeland Security for Cybersecurity. The recent report from the  Subcommittee on Cybersecurity, Science, and Research & Development of the U.S. House of Representatives Select Committee on Homeland Security sums up the matter pithily in two sentences:

The information infrastructure is unique among the critical infrastructures because it is owned primarily by the private sector, it changes at the rapid pace of the information technology market, and it is the backbone for many other infrastructures. Therefore, protection of this infrastructure must be given the proper attention throughout government.

The Internet isn’t just another infrastructure: it’s the one that connects all the others.

The report spells this point out in more detail, as well:

Information technology and American ingenuity have revolutionized almost every facet of our lives. From education to recreation and from business to banking, the nation is dependent on telephones, cellular phones, personal digital assistants, computers, and the physical and virtual infrastructure that ties them all together. Almost all data and voice communications now touch the Internet — the global electronic network of computers (including the World Wide Web ) that connects people, ideas, and information around the globe.

Technology provides the nation with immeasurable opportunities, giving citizens global access and making daily transactions more affordable, efficient, and interactive. Unfortunately, the same characteristics that make information technology so valuable also make those technologies attractive to criminals, terrorists, and others who would use the same tools to harm society and the economy.

Despite the growing threat, security and efforts to protect information often remain an afterthought frequently delegated to a Chief Information Officer or a Chief Technology Officer. Cybersecurity should be treated as a cost of doing business by the highest levels of an enterprise’s leadership because the ability to conduct business and assure delivery of services to consumers — whether it is banking, electrical, or manufacturing-depends on ensuring the availability of information and related infrastructure.

– CYBERSECURITY FOR THE HOMELAND
December 2004
Report of the Activities and Findings
by the Chairman and Ranking Member
Subcommittee on Cybersecurity, Science, and Research & Development
of the
U.S. House of Representatives Select Committee on Homeland Security

This sounds quite like what Lord Levene, Chairman of Lloyds, said last spring: Internet business risk management should be at the top of the priority list for chief officers and board members.

-jsq 

The former CIA Director, George J. Tenet, has said what he thinks needs to be done to improve Internet security:

The way the Internet was built might be part of the problem, he said. Its open architecture allows Web surfing, but that openness makes the system vulnerable, Mr. Tenet said.
   
Access to networks like the World Wide Web might need to be limited to those who can show they take security seriously, he said.

—Tenet calls for Internet security By Shaun Waterman UNITED PRESS INTERNATIONAL Published December 2, 2004

Well, that would exclude most governments from using the web.

He also says the Internet is a potential Achilles heel, and warns that

… al Qaeda remains a sophisticated group, even though its first-tier leadership largely has been destroyed.

It is "undoubtedly mapping vulnerabilities and weaknesses in our telecommunications networks," he said.

This makes me wonder several things.

1. Is this "undoubtedly" the same sort as that Saddam undoubtedly had WMD? Some evidence would be useful here.
2. Suppose there is actually evidence for OBL mapping Internet vulns. How exactly is destroying it before he can a solution?
3. Wouldn’t it make more sense to map them ourselves first, and fix them? Sure, it would be expensive to add redundancy in certain cases, but compared to what?

He also said:

"I know that these actions will be controversial in this age when we still think the Internet is a free and open society with no control or accountability," he told an information-technology security conference in Washington, "but ultimately the Wild West must give way to governance and control."

He said this at an event from which he excluded the press, which makes one wonder whether it is the Internet he is worried about or is it a free and open society that is worrisome to him.

Meanwhile, several people have told me that it’s a common mantra inside Microsoft to say that the Internet is the terrorist’s best friend.  I don’t think that’s right, unless you want to extend the same argument to anything else that has free and anonymous communications, such as the Interstate Highway System.

What I think is the terrorist’s and criminal’s best friend is software that ships out of the box with vulnerabilities turned on and that has design flaws that prevent fixing easily exploited bugs.  Mr. Tenet seems to agree on that subject:

Mr. Tenet called for industry to lead the way by "establishing and enforcing" security standards. Products need to be delivered to government and private-sector customers "with a new level of security and risk management already built in."

Maybe that’s what his whole talk was about.  It’s too bad we’ll never know, due to his exclusion of the press.

-jsq