Bound to Fail: Why Cyber Security Risk Cannot Be “Managed” Away

Executive Summary: Rather than a much-needed initiative to break the legislative deadlock on the subject in Congress, President Obama’s new executive order for improving critical infrastructure cyber security is a recipe for continued failure. In essence, the executive order puts the emphasis on establishing a framework for risk management and relies on voluntary participation of the private sector that owns and operates the majority of U.S. critical infrastructure. Both approaches have been attempted for more than a decade without measurable success. A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.

The authors suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities, and thereby avoids perpetuating the problem in systems and architectures that will be around for decades to come. In contrast to the IT sector, the industrial control systems (ICS) that keep the nation’s most critical systems running are much simpler and much less dynamic than contemporary IT systems, which makes eliminating cyber vulnerabilities, most of which are designed into products and system architectures, actually possible. Finally, they argue that a distinction between critical and non-critical systems is a bad idea that contradicts pervasiveness and sustainability of any effort to arrive at robust and well-protected systems.