"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." -Albert Einstein
The subtitle for this piece could easily be "a whole lotta stupid goin' on." Is it something about summertime, or have we really gotten to a place in our civilization where we just can't progress any farther? It really seems like regression is the only option to which most people will avail themselves today. Attack the science, attack that which isn't understood, and let's just rely on supposition (or, so it seems).
I've been mulling this piece over for more than a week now as all the drama has played out in Congress around building up a better "cyberwar" capability (as if that's something well-defined and understood). At the same time there has been an up-tick in mindless rhetoric railing against risk assessment, analysis, and management. Quite frankly, it all belies woeful ignorance and a wanton disregard for the sane. In both cases we see people making wild claims about things they clearly do not understand. Risk management is more than qualitative risk assessment, and "cyberwar" is a delusion perpetrated by those who desire to FUD us into ceding yet more power to the Executive Branch.
"Contradictions do not exist. Whenever you think that you are facing a contradiction, check your premises. You will find that one of them is wrong." -Ayn Rand
"I have no data yet. It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories instead of theories to suit facts." -Sir Arthur Conan Doyle in Sherlock Holmes
Attacks Against Risk Assessment
"If you look at the history of big obstacles in understanding our world, there's usually an intuitive assumption underlying them that's wrong."-Jeff Hawkins
It seems that much of the criticism and confusion around risk assessment is based in a false belief that you can take the failings of qualitative analysis and apply it to quantitative analysis. Unfortunately, much of those doing the criticizing are living in a vacuum, oblivious to the advances made in the last couple years, particular around FAIR.
I've written about this topic a couple times recently (see here and here), so won't belabor the point. Instead, allow me to point to one of Alex Hutton's recent pieces over on the Verizon Business Security Blog, "Risk Appetite: Counting Risk Calories is All You Can Do."
Rushing to (Cyber)War
"A self-fulfilling prophecy is an assumption or prediction that, purely as a result of having been made, cause the expected or predicted event to occur and thus confirms its own 'accuracy.'"-Paul Watzlawick
"The possibility of saying anything about a thing rests on the assumption that it preserves its identity, or continues to be the same thing in the respect described, that it will behave in future situations as it has in past."-Frank Knight
I take great umbrage with all the recent/renewed talk of "cyberwar" as of late. As I've noted in the past, this topic comes up in Federal lobbying circles on a routine basis (annually, really - shockingly in sync with budget cycles...). The problem with all of this is multi-fold, and fodder for another, more lengthy post. For a little background on some of the noise generating interest in this area, check out these posts by BT's Jim Tiller (
* "Cyberwar: A reality, but what exactly is it?"
* "Weaponization of Cyberspace: It’s not science fiction, it’s war"
There are three things I find terribly frustrating about these types of posts, along with all the inflammatory, FUD-driven rhetoric around the topic:
1) It's FUD! The vast majority of innuendo used in arguments in favor of "cyberwar" and the associated build-up of resources is just that: innuendo. There's very little in the way of fact behind it, and the facts that do exist have been so twisted and skewed as to have no resemblance to reality. Consider, for instance, that most of the "evidence" of "cyberwar" is really of criminal behavior (cyber crime, espionage, etc.). Leading me to...
2) It's poorly defined! What exactly is "cyberwar" anyway? "War" is generally regarded as nation-state vs nation-state activity, oftentimes in the sense of armed conflict. Espionage (aka "spying") - and especially corporate espionage - is rarely, if ever, regarded as military action, but rather it is treated as criminal activity. The vast majority of "stuff" we see out there seems to be oriented toward economic objectives. Some of those objectives may overlap with national interests, or touch "critical infrastructure" (depending on your definitions, which vary widely), but the simple fact is that most references to "cyberwar" are way too broad. Not to mention...
3) "War" should not be used loosely! I blame Bush Sr. for the watering down of the term "war." I'm sure it happened well before his "War on Drugs," but it's the oldest example I know of. Now we have a "War on Terrorism" and a "War on Obesity" and other "wars" on who knows what. Guess what? These aren't wars! So, let's be very clear about something before we let this genie get too far out of the bottle: "war" is a very, very, very serious matter that must be approached with much caution. True war not only can, but likely will, result in armed conflict. We need to stop using this word to describe every little initiative that we want to take seriously, because it has the effect of making us far too comfortable with "war" (the real article).
Lastly, let's also bear in mind the applicability of the two subjects here. Risk assessment and analysis is being abused, degraded, and improperly applied, and then it's not even being used in the right contexts, such as in evaluating the realism of "cyberwar." Quantitative risk assessment and evidence-based risk management are evolving and improving rapidly. The next few years, I think, will see a positive evolutionary jump in this area. At the same time, we need to make sure that we apply these lessons learned to other emerging areas, such as "cyberwar" so that we can properly evaluate the relative importance of such threat vectors. Rather than running around like scared Chicken Littles who think the Executive Branch should be given some sort of broad, mindless pseudo-authority for private networks, let's instead look at creating some sort of sane legislation that instead seeks to foster public-private collaboration. A good starting point would be transparency and data sharing. If the Secret Service can provide data breach investigation reports to Verizon Business for the annual DBIR report, then why can't US-CERT or similar do the same? Anyway...
Be wary of the frenzied pitch of FUD-based rhetoric, whether it pertain to "cyberwar" or risk assessment or something else altogether.
