From Innovation to Destruction: How much cybersecurity is enough?

An student issue analysis for MIS41240 at University College Dublin.

Written by Julia Starzetz, Summer 2019. Dublin.

A power outage hits Europe in the middle of winter. All of a sudden, a whole continent is paralysed. Traffic lights switch off, heaters no longer work, communication systems cut out, and nuclear power plants cannot be cooled, causing harmful radiation leaks. After a short time, riots begin, as people fear for their lives. This scenario, described by Mark Elsberg in his thriller “Blackout: Tomorrow Will Be Too Late”, indicates the possible consequences of a blackout brought about by a cyberattack. But while this is merely the plot of a thriller, events such as the power outage in Venezuela in March this year demonstrate the chilling proximity of Elsberg’s descriptions to reality and call to question the current state of national and international cybersecurity.

Are countries and companies adequately prepared for cyberattacks? Are safety precautions sufficient? How can existing systems be improved, or indeed, should they be improved? These are just a few questions cybersecurity experts deal with, the answers of which broader society may benefit from learning.

With dependencies on electricity networks already evident and ever increasing, one might not expect that these will decrease in near future. Reasons for this increasing dependency are, amongst other things, trends like the Internet of Things and progress with regard to smart cities which rely on electricity networks and enhance quality of life. For example, my car, sensing that I have begun my journey home, may autonomously power on my heating, allowing me to arrive in a warmed apartment while also saving energy. Everybody seems to profit, that’s why governments, companies and individuals seek more such innovations. But one must be conscious that this development is accompanied by challenges and risks. It is, for example, clear that it makes our life easier and safer that petrol pumps work electrically. But in the case of a blackout, no electricity then means no petrol, which limits the driving capability to deliver goods, finally resulting in empty supermarket shelves. Thus, in this sense, as dependency on digitalisation and electronics increases, so too does our vulnerability.

Are countries and companies adequately prepared for cyberattacks?

While the majority of people are likely of the opinion that more cybersecurity is better and that constant innovation is vital towards ensuring the best possible defence mechanism this is met with some opposition. For instance, one group of researchers, “ The Maintainers”, critiques our unhealthy obsession with innovation. They propose that rather than relentless innovation, we should focus on existing systems and particularly, their maintenance, in order to sustain society.

This goes hand in hand with Christopher Grey’s (Royal Holloway University of London) criticism of the “fetish of change”. According to Grey, the perception that we’re living in “times of unprecedented change” creates a hysteria that change is necessary to survive. However, Grey argues that our present age is not special in comparison to other periods, refuting the perceived need to be extraordinarily innovative.

In the context of cybersecurity, this means we should focus more on those cybersecurity systems which already exist and accept that these are not perfect. It is also not sustainable to invest more and more in better cybersecurity, as perfect security is technically not possible. As we have learned from the past, even advanced organisations as Google, Facebook and the U.S. Military fall victim to data breaches. Accepting that perfect security in a system does not exist might be difficult, but after a certain appropriate level of risk reduction is reached, it is economically rational to focus on building resilience when developing a plan to deal with and recover from cyberattacks.

Such a plan might include limiting the amount of information we digitize. Rather than digitizing everything as quickly as possible, analog alternatives should be considered. In order to keep control over our world, it might not be wise to put all one’s eggs in one basket, that is, the basket of cybersecurity and thus, we ought to reduce dependencies and vulnerabilities. In Elsberg’s thriller, remote areas, with seemingly antiquated life-styles, were much better prepared for this exceptional situation than modern cities, as they were self-catering, at least temporarily. This doesn’t mean that we must build fountains or grow our own vegetables in cities in order to be prepared for a blackout, but we should certainly rethink the pace at that we digitize and innovate.

 

The real difficulty lies in finding the appropriate level of risk reduction. While we know that neither no security nor an eternal striving for new and innovative security are advisable, the task is now to identify the ‘happy medium’. Further, who tells us when this point is reached? Does this level change over time as new technological opportunities occur? Finding the balance and ensuring a conscientious maintenance of cybersecurity systems might be the more relevant task to be solved, which would reduce potential negative consequences of a cyberattack blackout, rather than continuing the eternal and unfulfilling quest for perfect cybersecurity.