Reassessing Risk Assessment: Accounting for Societal as well as Shareholder Interests
Let's assume executives at the banks reportedly victimized by recent distributed denial of service attacks performed information risk assessments that accounted for the possibility of their customer-facing online services being knocked off the Internet [see Attacks Put Bank on Alert].
Disruptions happen, the thinking goes, whether caused by internal problems or by hackers, and the potential cost of lost business, reputation and/or customers would not justify the additional investment in servers and other technologies needed to keep their systems functioning during a DDoS attack. That's the fundamental principle of information risk assessment: Corporate leaders weigh the risks to their organizations and make sound IT investment decisions. That's a very legitimate approach for most organizations to take when assessing risk.
Of course, the victimized banks could have assessed the risks of DDoS attacks and fortified their systems against them, and those defenses might have failed. We don't know, and the banks aren't saying.
Regardless of the risk assessments the banks may have conducted, they and other critical infrastructure owners must be held to a higher standard when making their assessments, because our society relies on them to function. And that raises the possibility that government intervention will be needed to help define acceptable risk.
Critical infrastructure owners assessing risk must take into account more than an institution's shareholders; their risk appraisals must consider the national interest as well. If they don't, a call for regulation - which, at the moment, doesn't have much support on Capitol Hill - could intensify.
Blinded by Corporate Walls
DDoS attacks on banks disrupt the flow of business and, if sustained, could have an adverse effect on the nation's financial well-being. And that will attract the attention of lawmakers and of those in the administration charged with securing vital IT.
Michael Hayden, as the onetime director of the National Security Agency and CIA, knows firsthand how attacks on critical infrastructure can damage the nation. Hayden doesn't endorse regulation, but he recognizes a need for government and businesses to at least collaborate on establishing IT security best practices that infrastructure owners could adopt voluntarily.
"Honest men cannot differ over the need for standards; we have got to agree on certain levels of security," Hayden said in an interview broadcast Sept. 30 with Peter Cook on Bloomberg TV's Capitol Gain. "Because, Peter, here's the issue: Each industry makes these decisions based upon a very logical cost benefit analysis for that industry. But there are some industries, when they are penetrated and punished in a cyberattack, the cost is not confined to those industries. It's a much broader cost. It's spread across the broader society."
Establishing such standards, even voluntary ones, will serve as strong reminders to infrastructure owners that when they assess risk, they must account for the national welfare.
Hayden, in the interview, raised a valid point about the shortcomings of regulations: "The problem with mandatory standards in this domain is, number one, it changes so quickly. How do standards keep up?" That problem isn't confined to cybersecurity regulation; it arises in other areas, too, such as patent law, where the law fails to keep pace with rapid changes in technology.
Yet that shouldn't be an obstacle to the government, working with industry, developing IT standards that critical infrastructure owners could voluntarily adopt. That's the goal of the Cybersecurity Act of 2012, which the Senate has blocked [see Senate Votes to Block Cybersecurity Act Action], and of an expected executive order coming from the White House [see WH Moves Closer to Issuing Infosec Executive Order].

"That's a real close call, and I really mean that because we do need some momentum," Hayden responded to a question about whether President Obama should issue an executive order on cybersecurity. "And there are those of us who are watching the activity on the Hill and even suggesting, 'Come on, there's some things in which there is common ground. Let's at least move forward on those so that we can generate some momentum for the future, for the next Congress.'"
Still, one would hope that owners of the critical infrastructure would recognize that, when assessing risk, the well-being of the nation's citizenry must trump the fiduciary responsibilities of corporate leaders to their shareholders. The reported DDoS attacks on major American banks have served as a warning to their leaders that if they don't take account of a broader constituency in their risk assessments, resistance to regulation may ebb. Besides, doing so would be good for business in the long run, and it's good citizenship, too.