Security breaches create headlines.
By themselves those headlines capture attention. They create the conditions in which good people call for action. In an effort to create urgency, those calls often rely on emotional appeals that use FUD — Fear, Uncertainty, and Doubt — to get the support to “do something.”
But does it work?
Patrick Dennis, president and CEO of Guidance Software, suggests a better approach is to focus on preparation.
Patrick Dennis has held various high-level positions in the tech industry during his career. Prior to joining Guidance, he was senior vice president and chief operating officer of products and marketing at EMC Corp., responsible for the strategy and operations of EMC's Cloud Management Division. Before that, he was the group vice president of North American storage sales at Oracle Corp., where he provided leadership, strategy and development of the company's North American commercial business.
And now for his slap shot…
Fight the FUD: Don’t overreact to cyber attacks on critical infrastructure
Recent reports of cyber attacks on U.S. power plants and other energy and manufacturing facilities have caused significant FUD in headlines and the minds of the public. It’s important to discuss some key facts that put the actual risks of these attacks in perspective.
First, assessed from an outside perspective, these attacks were restricted to corporate networks and did not come close to gaining control over the actual operations of the plants, which are not easily accessed by hackers. The Department of Homeland Security and the FBI have even stated in their joint report on the matter that there was “no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”
Now, make no mistake, industrial control systems do operate vital infrastructure in our daily lives and are indeed many times outdated and can be difficult to protect. However, because they are so important, these systems are very closely monitored by trained, experienced professionals who prioritize not only smooth day-to-day operations, but safety and security as well. These systems are also subject to strict governmental oversight to enforce best practices, processes and standards.
As with these natural security issues, it’s possible to prepare for cybersecurity risks to prevent major issues. Instead of shaming and tearing down security teams in the wake of an attack, the media and the public should applaud what is done right. Was the threat quickly identified and met with the appropriate response to prevent further damage or data loss? Did the breached companies engage the right authorities and notify the public? If the answers to these questions are “yes,” security teams are effectively doing their jobs—keeping us and our systems safe.
When dealing (and reporting on) cyber attacks, we need less fear and more preparation.
My analysis (color commentary)
I love the connection between breaches and other low-likelihood, high-impact natural events. They happen. It’s not a defeatist attitude to accept, anticipate and prepare. Moreover, resorting to FUD to raise awareness and get support is a tactic with short appeal and significant downsides. Most of us have experienced enough of those downsides to recoil at the use of FUD.
More on critical infrastructure protection
- Critical infrastructure: Off the web, out of danger?
- Cybersecurity, critical infrastructure, and the federal government
- U.S. critical infrastructure under Cyber-Attack
- How much at risk is the U.S.'s critical infrastructure?
- Critical infrastructure risks still high
- Energy sector a prime target for cyber attacks