Q: Given the range of possible devas-
tating cyber disasters, what security
measures would you recommend?
A: It depends very much on the nature of the organization. A business
should focus on protecting the business; a government agency should focus on protecting the country.
Massive cyber attacks are certainly
a threat. But it seems fairly well established that they can only be launched
by sophisticated, well-resourced adversaries who have ample time to prepare.
That basically means nation-states and
possibly terrorist and criminal organizations. Such adversaries must be dealt
with by national military and intelligence agencies and by international
collaborative efforts. Just as we never
expected most citizens to build personal fallout shelters, we should not expect
them to acquire and manage information systems that would resist attacks
by a determined large agency.
Governments rely also on strategic doctrines such as the balance between offense and defense and their
ability to deter aggressive acts. Those
actions obviously influence the probabilities of massive attacks.
More than anything, government
agencies must concentrate on gen-
eral resilience. Note that resilience is
desirable in general, not just against
hostile attacks. Protection against
What if we spent more time develop-
ing our ability to be resilient rather
than to provide absolute security?
cryptographer, author, and information technology analyst—has been
asking these questions and has provided a thorough analysis. His contrarian
ideas have provoked controversy.
I talked to him about this.
Q: Military tensions among major
powers have been escalating in the
past few years. Government leaders
are openly worried that a military-grade preemptive cyber attack could
devastate a nation. What do you think
A: As we increase our reliance on
digital technologies, attackers will
find networks of computers increasingly attractive targets. So yes, there
will surely be a “Cyber Pearl Harbor.”
We know not the day nor the hour.
What we have to remember is that a
The Profession of IT
devastating cyber event can result not
only from hostile attacks but also from
natural events such as solar coronal
ejections that fry electronics on Earth.
We are also subject to devastations
from other events such as convention-
al wars, terror attacks, earthquakes,
tsunamis, or superstorms. Some di-
sasters are caused by innocent human
mistakes, too, simple coding or opera-
tional errors, or unanticipated interac-
tions of complex systems. Any of these
events can lay waste to a region or
country. It is impossible to prevent all
these disasters. So the question must
be: How do we prepare with maximum
resiliency to recover rapidly? And how
much of that effort should be devoted
to security in the cyber realm?
An Interview with
on Cyber Security
Is a “Cyber Pearl Harbor” any greater a risk than a natural disaster?
How shall we prioritize our preparations for a cyber disaster?