The New York Times alleged that the United States and Israel put together a computer virus, called Stuxnet, that infected Iran’s industrial process control machinery for its uranium-enriching, fast-spinning nuclear centrifuges. The upshot is that the virus reportedly shut down Iran’s nuclear purification process, causing Iran to lose about a year’s worth of work toward fueling its own nuclear weapon.
What is interesting is that possibly other entities eventually caught a version of Stuxnet. Usually when you think of “catching a virus,” you think of it causing problems wherever it goes, but since it was only set up for a very specific situation in Iran, it could not do other damage anywhere else in the world. Or could it?
Entities who later realized they had indeed caught Stuxnet could actually determine that they had caught it. And, this is the interesting thing, they could deconstruct it, kind of like taking a car apart to see how the components of the latest car technology work. (For those in the know, this is called malicious software reverse engineering.)
So by deconstructing the virus, it’s possible to learn how it works and use that same type of code to make new viruses. That is, virus technology can spread in unexpected ways. Consider how national security can or cannot help businesses.
According to Richard A. Clarke, who worked in the U.S. National Security Council, there are five realms of military operations: the land domain, defended by the Army; the sea domain, defended by the Navy and Marines; the air domain, defended by the Air Force; the space domain, also defended by the Air Force; and the fifth domain, which is the information cyber space domain, often considered to be defended by the National Security Agency and U.S. Cyber Command.
Clarke, though, suggests that it has to be up to each business and organization to defend itself in the fifth domain because, in essence, free trade includes the free trade of information through free information links. So the fifth domain is not quite as easily defensible as the land, sea, air and space domains are. Also, each business has its own supply chain and peculiarities related to its own business relationships, which means depending on a government agency to understand each individual business well enough to provide successful protection can never work.
And this could get ugly because your self-driving car might get hacked and drive you halfway to Denali, then lock you in and play really bad 1950s elevator music until you go insane. Probably the Army, Navy, Air Force or the Marines will not be able to protect you then, although any special forces officer would have the good sense to shoot the radio speaker, disabling it and saving your sanity.
On the other hand, as my Homeland Security and Emergency Management colleagues explain, there are services that are available to protect your businesses.
In fact, for the past several decades, organizations have been defending themselves against computer failure. It is difficult constitutionally, with separation of federal and state jurisdiction, to try to get any one agency of the government to do this.
Basically, with any risk you have three choices: mitigate it, transfer it or accept it. We might mitigate risks in Interior Alaska every time we use our woodstove properly so as not to cause a fire, or we may use fire-retardant materials near the woodstove so that a fire doesn’t have a chance to spread. Similarly, most of us only click on safe websites and use hard-to-crack passwords (not “password”) and antivirus software. Some even use three different kinds of antivirus software.
Transferring risk means you have an insurance policy of some sort for when an event does occur. You might even consider having cyber personnel as insurance. It does cost something, so you have to conduct your own cost/benefit analysis.
The last option is to just accept the risk, which means you endure the costs of a breach. So, like fire protection, no matter how careful you are, and even if you have insurance, you might endure a fire and there might be some amount of cost to pay, even if it is only the inconvenience of the event. Although, if a cyber security breach does happen, you can get help from appropriate federal and state agencies.
As for me, I’m going to ride my bike to work, and drive my 1960s AMC Rambler.
Doug Reynolds is a professor of Economics at the University of Alaska Fairbanks’ School of Management. He can be contacted at DBReynolds@Alaska.Edu. This column is brought to you as a public service by the UAF Community and Technical College department of Applied Business and Accounting.