Slashdot Mirror


Nobody Is Sure What Should Count As a Cyber Incident

chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham, Washington, that killed three people, and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."

2 of 49 comments

  1. I think it's pretty clear so far. by nimbius · Score: 2, Insightful

    According to modern convention a 'cyber event' is any event where government or private industry is exposed to extended and unwarranted yet catastrophically revealing scrutiny that serves to radically alter a citizen's or consumer's outlook on the state or the product respectively. These incidents are generally prosecuted rigorously in a kangaroo court, and involve numerous FISA submissions and FOIA redactions.

    By contrast, if a substantial subset of consumers experience the unauthorized release of their personal credit card, social security numbers, addresses, and bank information then this is just an 'incident' or a 'breach.' It involves 'data security' and 'unintentional disclosure' and is in no way a cyber event, although the FBI will be invoked just as predictably as a benediction at Sunday mass in order to maintain the illusion the company affected has some purchase in the matter.

    The ultimate difference being "cyber events" are ginned up to sell wars and products. Data incidents and breaches are to be forgotten as fast as the public can, and covered quite minimally by the news media.

    --
    Good people go to bed earlier.
  2. Wasn't the term designed to defy definition? by fuzzyfuzzyfungus · Score: 3, Insightful

    Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?

    It's vague enough that the most harmless script-kiddie probing for easy targets could theoretically be totted up as a 'cyber incident', regardless of harm, if you were attempting to make the world out to be a place so dangerous that your budget definitely needs to increase; but also allows some classes of security failure to not be 'cyber' (if, say, social engineering was employed at some point); and also leaves considerable flexibility over what qualifies as an 'incident' (potentially pulling tens or hundreds of individual occurrences under one 'incident' if you are trying to look more competent, or breaking out every record spilled in one DB breach if you are attempting to look more embattled).

    Why try to define it if we can just set it on fire, salt the ashes, and pretend it was never coined?