It helps to remember that "cyber security gurus" make their jobs seem more important, and increase what they can charge, by highlighting every potential risk, and every possible way such a thing might potentially cause damage or disruption.
If they can get enough people to demand the authorities 'do something', even when the actual risk is small and the options for 'doing something' are, given our unwillingness to shake thing up, highly unlikely to provide any significant protection, we might see the creation of an entire department within DHS to handle it. Cost: several billion dollars worth of security theater.
The irony is that the same people getting all worked up are exactly the same people who complain about the size and cost of government. But the blow-back really comes when, after spending billions, a cyber attack that no amount of spending could stop does damage. That's when the people who demanded that the department be created, despite warnings that it can't do much, point out how government failed them once again.
Stuxnet is pretty much a spent force. The word is out, the security holes exploited by it patched, the anti-virus programs have incorporated its signature and know what to look for.
The answer is dead simple but it is something that the corporations and utilities will always resist: strict regulation and operational standards for utilities and major infrastructure system operators. There are ways to design in security and protection into the machinery, networks, and software. There are established security protocols that could be, but isn't, incorporated into every step of infrastructure design and operation.
Business is driven to make money. Security, safety, and any societal good is secondary. Until we the people get it through our collective thick skulls that the free market doesn't deal effectively with societal costs, that regulation is vital, that industry will not and cannot regulate itself, we will never deal with the issue. It will take a catastrophic failure that allows a strict regulatory regime to be implemented. Until then industry will mostly pay lip service to network security and infrastructure hardening. For people who run corporations the risk seems remote. The potential for damage and loss of life and property doesn't worry them. They are insured.
The major stockholders and executive officers will be protected. They don't live in places where they, or theirs, are likely to be affected. Worse case, they load their trophy wive, kids, and nanny into the corporate jet and take an extended vacation in Switzerland or Bermuda. Depending on what time of year it is.
My prediction is that you are going to see a whole lot more scaremongering, security theater, posturing, and expensive programs that accomplish nothing. We know what works but we can't bring ourselves to swallow hard and do it. Too many people making too much money exploiting the fear selling rabbit's foot talismans to do anything serious that might actually mitigate the problem.
For business a problem is an opportunity to be nurtured and milked to maximize profits. Solving the problem eliminates opportunities that might be exploited.
Previous Topic
Index
