{"id":558,"date":"2017-08-21T13:54:07","date_gmt":"2017-08-21T13:54:07","guid":{"rendered":"http:\/\/securitycurve.com\/?p=558"},"modified":"2017-08-21T13:54:07","modified_gmt":"2017-08-21T13:54:07","slug":"digital-pearl-harbor-100","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=558","title":{"rendered":"Digital Pearl Harbor? 100%"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignright size-medium lazyload\" data-src=\"https:\/\/i.pinimg.com\/736x\/5e\/4f\/89\/5e4f891775d1e973a287eee7f4bf2b7a--cajun-chef-chef-quotes.jpg\" width=\"360\" height=\"360\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 360px; --smush-placeholder-aspect-ratio: 360\/360;\" \/>In this business, every once in a while you hear somebody bring up the &#8220;digital pearl harbor&#8221; &#8211; sometimes you hear it as &#8220;cyber pearl harbor&#8221; or (also occasionally, to convey a slightly different connotation) the &#8220;digital (or cyber) 911&#8221;.<\/p>\n<p>This is &#8220;a thing&#8221; that comes up from time to time and has for years. \u00a0And, in fact, today we have <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/08\/18\/how-likely-is-a-digital-pearl-harbor-attack-on-critical-infrastructure\/\">an article over on Naked Security<\/a> posing the question &#8220;how likely is it?&#8221; to occur. \u00a0The gist of the article is that it&#8217;s been 20 years since someone coined the phrase (which, by the way, seems spurious to me &#8211; I contend it&#8217;s been maybe longer since the original inception, but whatevs). \u00a0They spend the article discussing the relative probability of this hypothetical event occurring, and reach what seems to be the general conclusion that it&#8217;s improbable but maybe could happen someday. 
\u00a0Not sure how much new information that is, but I get it that it&#8217;s productive to discuss.<\/p>\n<p>This could very well be true &#8212; i.e. that the &#8220;cyber-zombie-apocalypse&#8221; is unlikely in the next few years (maybe, could be, who knows). \u00a0But here&#8217;s the deal: the question as discussed doesn&#8217;t specify a time horizon. \u00a0The problem with that is that it leaves something really important out of the discussion. \u00a0Here&#8217;s what I mean. \u00a0If I were to ask you, &#8220;what is the probability that pigs will grow wings and fly?&#8221;, you&#8217;d say that&#8217;s pretty unlikely, right? \u00a0Or &#8220;how likely is it that a team of rabid lemurs will win the Super Bowl?&#8221; \u00a0Also, unlikely. \u00a0But now assume an infinite time horizon and a non-static, cyclical universe. \u00a0In that case, the answer (to both questions) is absolutely, provably, &#8220;100%.&#8221; \u00a0The same answer as the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Infinite_monkey_theorem\">typewriter monkeys coming up with Hamlet<\/a>. \u00a0So really, there&#8217;s something off about the question that we&#8217;re asking if we leave out when. \u00a0Meaning, it&#8217;s not &#8220;will there be a cyber-pearl-harbor?&#8221; but instead, &#8220;when will it occur?&#8221; \u00a0Because it eventually will &#8211; (channeling my best Justin Wilson) &#8220;I Gerr-on-tee.&#8221;<\/p>\n<p>So let&#8217;s assume for the minute that we accept that logic and we assume that this will eventually occur. \u00a0Is it a short-term or a long-term thing? \u00a0Can we point to factors that are likely to make it more or less likely? \u00a0I think we can. \u00a0Factors that make it more likely are: 1) belligerent\/bellicose digital &#8220;powers&#8221; such as nation states (e.g. 
Russia, China, North Korea), 2) an atmosphere rife with vulnerabilities and other &#8220;low hanging fruit&#8221; critical infrastructure issues, 3) issues with security posture at points that support critical infrastructure, 4) lack of guidance for those points about how to improve and lack of regulatory oversight for same, and 5) vulnerability to single points of critical infrastructure failure. \u00a0Sound familiar?<\/p>\n<p>Look, I hate FUD. \u00a0Anybody who knows me knows this to be true. \u00a0However, it seems to me that anything that we can do to make the &#8220;digital pearl harbor&#8221; more likely we have already invested heavily in. \u00a0So I don&#8217;t know how one can support the conclusion that it&#8217;s unlikely. \u00a0In fact, I&#8217;m at the point of speculating why it is that it hasn&#8217;t happened already. \u00a0In fact, I think the main motivator (at least for a nation state actor) about why it hasn&#8217;t happened yet is because we&#8217;re all in the same boat. \u00a0Retaliation is likely to be swift and in kind &#8211; kind of like &#8220;mutually-assured cyber hijinx&#8221; or whatever.<\/p>\n<p>Anyway, tl;dr is that this thing is absolutely coming. That&#8217;s not FUD, it&#8217;s math. \u00a0Ergo, it seems to me that we should prepare for the eventuality just the same way that we prepare for other attacks. \u00a0If we can&#8217;t scrape together the national will to at least address a few of the points that make it more likely (see above), maybe we could do just a little bit of prep? \u00a0A touch of oversight? \u00a0A soupcon of getting it done? \u00a0Or is that asking too much?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this business, every once in a while you hear somebody bring up the &#8220;digital pearl harbor&#8221; &#8211; sometimes you hear it as &#8220;cyber pearl harbor&#8221; or (also occasionally, to convey a slightly different connotation) the &#8220;digital (or cyber) 911&#8221;. 
This is &#8220;a thing&#8221; that comes up from time to time and has for years. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[39],"class_list":["post-558","post","type-post","status-publish","format-standard","hentry","category-security","tag-digital-pearl-harbor"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=558"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/558\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}