The Truth About Cyber Consequences

Friday, February 15, 2013
Room 312 (Hynes Convention Center)
Scott Borg , U.S. Cyber Consequences Unit, Norwich, VT
People are aware that cyber security helps prevent credit card fraud and short-term interruptions of services.  This is not, however, where cyber security makes its biggest contributions.  Credit card fraud, while expensive, is very limited in its effects.  Short-term interruptions of service are not at all as costly as is often supposed.  The two most important benefits of cyber security are ones usually overlooked. One of cyber security’s greatest benefits is enabling economic growth.  The eight biggest economic opportunities currently available to developed nations are arguably:   1) flexible re-allocation of capacity, 2) mobile information support, 3) remote provision of services, 4) information rich markets, 5) customization of production, 6) smart products, 7) nano production, and 8) non-petroleum energy sources.  All of these depend heavily for their economic success on new information systems.  These information systems depend, in turn, on better cyber security.  If these economic initiatives continue to move ahead without being stopped by terrible security problems, we will have cyber security research to thank. The other greatest benefit of cyber security is preventing genuinely catastrophic events.  Critical infrastructure industries are all utterly dependent on information systems:  electric power, oil and gas, telecommunications, banking and finance, water and sanitation, chemicals, air transport, railways and commuter trains, hospitals and health care, electronics, software, automobiles, and food processing.  All of these could be subjected to cyber attacks that would cause them to produce dangerously defective outputs or that would do massive damage to their physical facilities.  A serious cyber campaign of such attacks could cause economic destruction that would be exceeded only by nuclear war.  The fact that we have so far managed to avoid such catastrophes is not due to an absence of malevolent attackers.  It is due to cyber security research. As long as we are dependent on general purpose, instruction executing machines (i.e., computers), we will also be dependent on cyber security research to prevent those machines from executing malicious instructions.  The necessary cyber security research will increasingly need to encompass economics, cultural anthropology, strategic studies, and other fields beyond technical fixes for cyber security vulnerabilities.  A rigorous, quantitative, risk-based approach to cyber security expands the list of sciences on which cyber security must draw, rather than narrowing it.