Economist.com:
Cyber-risk, sure. But what kind?
Jul 15th 2010, 17:26 by B.G. | WASHINGTON
We're at the point where people clearly know they need to wear a seatbelt. I'm not sure if they've gotten to the side airbags yet.
LOU HUGHES is the chief executive of InZero, a startup that's built a little black box to put between your computer and the internet. The box opens incoming files and programmes before your computer does, leaving hackers stuck in the black box and not in your computer, where they want to be. InZero has launched an open invitation to hackers, who have thus far failed to breach the box. And Mr Hughes is taking it on tour to corporate and government information officers.
"Cyber-security" and "cyberwar" are broad words. Like "weapons of mass destruction", they describe several distinct threats, and are often used with imprecision. Insurance companies speak of risks in terms of severity and frequency: a death from a car crash is a high-severity, low-frequency event. A fender-bender is a low-severity, high-frequency event. All efforts to reduce and insure against risk weigh severity against frequency. We buy life-insurance policies and demand side airbags to manage the risk of a fatal accident; states enforce speed limits in part to keep first-responder costs down. (And in part to raise revenue. I'm looking at you, Delaware.)
But we also make rational choices to accept certain low-severity, high-frequency risks. Financial managers advise, unless you have money to throw around, that you keep car insurance deductibles high. It's very difficult to guarantee that you won't ding your fender in a minor accident, and cheaper to pay for the event than to hedge against it. Hedges, insurance and risk mitigation, remember, are inconvenient and expensive. Absolute security, even were such a thing possible, would mean unacceptable operating costs.
I'm thinking about car accidents because when I spoke to him yesterday Mr Hughes, a former auto executive, pointed to car safety to help me understand corporate choices about cyber-security. Cars, he said, had offered unprecedented mobility, but new risks. The auto industry, recognising the risks, eventually added seat belts and made structural changes to car frames (after, he neglected to say, several decades of vigorous prodding by consumer groups). States developed driver-education programmes. Consumers demanded new features to lessen their own risk.
We are at a point, according to Mr Hughes, where corporations are beginning to see cyber-espionage as an existential risk: one of severity so high that it is unacceptable at any frequency. And he is seeing, since intrusions in 2008 at America's Central Command (and, allegedly, at Lockheed Martin), new co-operation among companies to come up with better solutions. Before 2008 corporations had been reluctant to admit weaknesses; now they're desperate to fix them any way they can. The risk profile of cyber-espionage has changed: frequency has risen, as has the perception of severity.
posted by: gqjournal
