Mismatch: Risk assessment and cybersecurity

of protective measure: emergency response. Such a measure would be necessary in any case, since New Orleans, like any other American city, is a potential target of a terrorist attack that could cause massive human and economic damage without precipitating a flood. A biological, chemical, nuclear, or dirty-bomb attack could well require evacuation of the city with little or even no warning,” Posner concludes.

The combination of risk-based and cost-benefit analyses Posner applies to the question of hardening levees in New Orleans may or may not be appropriate to the issue of protecting a city, but cybersecurity experts say taking a strictly risk-based approach to computer defenses — as suggested in the draft National Infrastructure Protection Plan (NIPP) — is definitely inappropriate, because it may ignore important differences in the electronic world and leave critical assets vulnerable.

Risk-based analysis has become the gold standard for decision making at DHS, and Alan Paller, research director at the SANS Institute, says risk-based defenses for physical assets may make sense because identifying critical pieces of infrastructure, such as a nuclear plant, and securing the plant by bolstering perimeter security is relatively straightforward. Using the same methodology in the computer world may prove more difficult.

Security experts who specialize in penetration testing of computer systems have no problem breaking into networks that have set up tiered security systems. The reason: those networks tend to leave less vital systems unprotected, because those systems are deemed to face fewer risks. Hackers may infiltrate a network by looking for unprotected access points, which are often on parts of the network considered non-vital to security. After penetrating a system through a non-critical device such as a printer port, an attacker may “hop” onto the wider network and compromise essential data, Paller said. “The difference between cyber and physical security is the wires underground.”

Paller said that while networks are busy doing risk assessments, the network remains unprotected. “If they’re still in the middle of the risk assessment, then they’re automatically vulnerable,” Paller said. “The NIPP says we’ve known about these problems for six years and mostly they haven’t done anything.”

Read more in Richard Posner’s New Republic article, and see Benton Ives-Halperin’s CQ report (subscription required).