Slashdot Mirror
Nobody Is Sure What Should Count As a Cyber Incident
chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.
Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.
While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.
While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
it is a cyber incident. That is all.
Probably the first hurdle to pass in defining "cyber incidents" (and setting aside the overuse of the cyber- prefix in the present day and age) is the fact that non-technical, and in some cases even non-IT Security people really don't have a good basis for discerning what is or isn't significant. I'm reminded of one news article where the NYPD (or some similar state/local agency) announced that they suffered something like 500,000 "cyber attacks" from Chinese and other IP addresses in the span of several months. The nature of those attacks?
Port Scans.
Further complicating this is the fact that there's a lot of money involved. "There are lots of attacks, so you should buy my services" or "My agency gets attacked, so I need funding for security" are common themes. That's not to say there isn't a threat, or that attacks don't occur; just that some people have an incentive to turn up the threat meter, which makes establishing a clear answer more difficult. It's very easy to play with the definitions to turn out numbers of "incidents" without sufficient context. I easily see untold numbers of bad things in any given day; but most of those are automatically handled by the existing systems. Should those be counted, or are we only concerned with things that actually cause noticeable impact beyond my monitoring screen?
Lastly, when we say "incident", are we talking about operator/programmer/etc error, or are we talking about deliberate malicious action? By Weiss's definition, we're including the former, but that's quite a stretch to equate them to "attacks." Even if those incidents should probably be of concern, though, do they fall under Security's purview, or should they have been handled by some other business unit? As an IT Security professional, my job is to protect the network - it's not to make sure that everyone in the company is doing their jobs correctly.
According to modern convention a 'cyber event' is any event where government or private industry is exposed to extended and unwarranted yet catastrophically revealing scrutiny that serves to radically alter a citizen or consumers outlook on the state or the product respectively. These incidents are generally prosecuted rigorously in a kangaroo court, and involve numerous fisa submissions and foia redactions.
by contrast if a substantial subset of consumers experience the unauthorized release of their personal credit card, social security numbers, addresses, and bank information then this is just an 'incident' or a 'breech.' it involves 'data security' and 'unintentional disclosure' and is in no way a cyber event, although the FBI will be invoked just as predictably as a benediction at sunday mass in order to maintain the illusion the company affected has some purchase in the matter.
the ultimate difference being "cyber events" are ginned up to sell wars and products. data incidents and breeches are to be forgotten as fast as the public can, and covered quite minimally by the news media.
Good people go to bed earlier.
Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?
It's vague enough that the most harmless script-kiddie probing for easy targets could theoretically be totted up as a 'cyber incident', regardless of harm, if you were attempting to make the world out to be a place so dangerous that your budget definitely needs to increase; but also allows some classes of security failure to not be 'cyber'(if, say, social engineering was employed at some point); and also leaves considerable flexibility over what qualifies as an 'incident'(potentially pulling tens or hundreds of individual occurrences under one 'incident' if you are trying to look more competent, or breaking out every record spilled in one DB breach if you are attempting to look more embattled).
Why try to define it if we can just set it on fire, salt the ashes, and pretend it was never coined?
Wow, to classify the 1999 Bellingham Pipeline Explosion a "Cyber Incident" is a BIG stretch. That was an industrial accident, with mechanical failure as a significant component. Just because there was computer monitoring equipment, does not mean it was a "Cyber Incident".