The curious incident of the dog that didn’t bark

There is nothing more beloved of apocalyptic thinkers, intelligence agencies, conservative politicians and general scare-mongers than the threat of some disaster. It is even better when the threat is insidious, little understood and able to be transformed into policies which actually have other purposes.

One of the most common in this digital age is the threat to online security and the malign ways bad actors can use vulnerabilities in the devices and networks we use every day. Yet it may be that computer security is actually quite good, a lot better than other areas in which threats arise and something which can be fixed with the odd bit of IT sticking plaster and piece of string rather than spending millions on consultants and IT providers whose projects frequently run over budget and fail to work properly anyway.

Ironically many of the consultants charging the huge fees are part of the big four accounting/consulting service firms which have proved incapable of adequately auditing companies such as Deutsche Bank, Carrillon and Enron.

At the same time governments are the main threats to personal security and privacy through their intrusions into our data – with the Australian Government among the worst among democracies – even though the politicians responsible (such as George Brandis) have derisory knowledge of what’s involved and how it all works.

A recent article, Cybersecurity Is Not Very Important, by Andrew Odlyzko in the June 2019 issue of, Ubiquity, an Association for Computing Machinery publication, confronts some of the myths involved in the whole debate.

He starts by discussing the fear of a “digital Pearl Harbor” event occurring and admits that “one, or more, almost surely will. But that has to be viewed in perspective. Given our inability to build secure system, such events are bound to happen in any case. So all we can affect is their frequency and severity, just as with large physical dangers.”

“There have been many far larger disasters of the non-cyber kind such as 9/11, Hurricane Sandy, the Fukushima nuclear reactor meltdown, and the 2008 financial crash and ensuing Great Recession,” he says and asks: “Has any cyber disaster inflicted anywhere near as much damage to any large population as Hurricane Maria did to Puerto Rico in 2017?”

And that’s where the quote about the ‘curious incident’ of the dog that didn’t bark in then Sherlock Holmes story Silver Blaze comes in.

As Odlyzko says: “In information technology insecurity, there are two curious ‘incidents’ that have not attracted much notice: Why have there been no giant cybersecurity disasters? And: Why is the world in general doing as well as it is?”

Naturally there are problems. For instance: “as the old saying goes, bank robbers went after banks because that is where the money was. But now the money is in cyberspace. So that is where criminals are moving. And that is also where security resources are being redirected. Completely natural and expected, and happening at a measured pace.”

Odlyzko is far from sanguine about risks. He balances competing risks and looks at what the appropriate resources and systems which should be allocated to them. He also points out a number of security risks – such as in US electronic voting – which could be fixed quite easily largely by simple IT fixes or by going back to the old pencil and paper system which serves Australia so well.

Moreover “measures that provide resilience against cyber attacks are often the same as those against physical manmade or natural disasters. As just one example, there is much concern about the potential damage to the electric power grid that might be caused by malicious actors.”

Odlyzko cites an example of such a natural disaster, the Carrington Event when a giant geomagnetic solar storm that hit Earth in 1859 causing widespread failures of telegraphs and other things. “Estimates are that if it were to occur today, it would cause damages in the trillions of dollars. And it is bound to recur some day! The conclusion that emerges is again that cyberspace is not all that different from the more traditional physical space we are more used to. And security measures for the two are similar,” he says.

So don’t be scared. It might not happen and lots of worse things might. But in the meantime be aware that the most potent threats are from the supposed good guys rather than the bad guys.

The Ubiquity article was drawn to the blog’s attention by its friend John Spitzer.