The Risk of Cyberattack and Motivations
While listening to a recent NPR podcast with an interview of Ted Koppel, I heard a number of statements that I started thinking about. The reason for the interview was that Koppel has written a book called “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath” on the risks associated with a cyberattack on the power grid. A number of statements are being made on that subject that are interesting to evaluate.
One is “knock out the power grid,” made by Janet Napolitano. One of my first questions on that is: for how long? By that I mean, knock it out permanently, or for 1 year, 1 month, 1 day, 1 hour or less?
Statements like these are being used to assess the risk and therefore justify significant federal expense in mitigating those potential risks. Koppel made several points including that “a group of 10 former senior government officials” had written a letter “regarding a cybersecurity bill” that said an attack could “knock out power over an extended geographic area involving 10s of millions of people over a period up to 2 years”.
With that, I wondered if those former officials now worked for defense contractors that would stand to benefit from federal contracts associated with cybersecurity.
These statements take me back to Y2K, which was said to be going to be a catastrophe and ended up being somewhat less so. However, that risk resulted in significant expense in examining software or firmware that might be a concern.
At times I wonder: if we had not done anything, or significantly less than was done, regarding Y2K, would anything have happened?
I frequently hear that we are experiencing many cyberattacks per day, but generally the gravity of those so-called attacks is not included. What is considered an attack? It may range from a failed login attempt all the way to a coordinated and well-planned, highly technical series of actions by a foreign entity.
The scale between those two ends is very wide and any statement about attacks should include where on that scale the numbers range. No single number indicates any useful information.