Bound to Fail: Why Cyber Security Risk Cannot Simply Be “Managed” Away

* executive order for improving critical infrastructure cyber security is a recipe for continued failure
* establishing a framework for risk management

Both approaches have been attempted for more than a decade without measurable success. A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.

The authors suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities, and thereby avoids perpetuating the problem in systems and architectures that will be around for decades to come. Finally, they argue that a distinction between critical and non-critical systems is a bad idea that contradicts pervasiveness and sustainability of any effort to arrive at robust and well-protected systems.

Unfortunately, this new order is set up to fail. By promoting voluntary action by the private sector supported by information sharing on cyber threats and risk-based standards, the executive order doesn’t deliver on a fresh approach.

Source: dated 20.03.13

Can risk be effectively managed? The sober reality is that in respect to the cyber security of critical infrastructure, there is no empirical evidence that a risk-based approach, despite its near decade of practice, has had any success.

Note: In medicine, bloodletting also persisted for many centuries even though there was no evidence whatsoever that it worked; many people paid for this error with their lives.

Several decades ago, IT security experts realized that it had become practically impossible to fully secure their systems—largely due to growing system complexity. It was believed possible to predict accurately the future, and to allow for a calculation of mitigation cost versus cost of consequence, in which decision makers would ultimately be able to derive whether specific risks should be mitigated or simply “accepted” in a spreadsheet exercise.

The concept of risk is predictive, since it arrives at assumptions about future events and their cost. Risk management is an attempt to control the future based on predictions of what the future will look like. Therefore, any determination of risk implicitly assumes a predictive timeframe. Unfortunately, cyber security experts rarely specify if their timeframe under consideration is a month, a year, a decade, or the lifetime of the target of evaluation. Failing to be specific on timeframe alone makes any risk assessment non-verifiable—usually without explicitly saying so.

The three principles, which together form the critical infrastructure cyber protection triad, are:

* one, the primacy of politics over economics (Critical infrastructure protection is a political issue, it doesn’t necessarily generate profit.);

* two, a focus on practical efforts to fix design vulnerabilities (Fix the design vulnerabilities rather than hypothesize about threats); and

* three, pervasiveness rather than restricting cyber security efforts to “critical” systems. In short, it’s politics, practicality, pervasiveness, or PPP.

From a technical perspective, solid protection of cyber systems in critical infrastructure is indeed possible. It just needs us to reframe our understanding of the problem.

A highly recommended document with interesting food for thought.