Will there be a digital Pearl Harbor?

Will there be one major catastrophe, or just smaller disasters? Panelists discuss what security issues we should be watching out for, where the threat might come from, and the difficulties in predicting the unpredictable. Panelists include: Whitfield Diffie, vice president and chief security officer for Sun Microsystems; Ronald Rivest, Viterbi Professor of Electrical Engineering and Computer Science at MIT; Adi Shamir, professor of computer science at the Weizmann Institute of Science in Israel; and Bruce Schneier, chief security technology officer for BT Counterpane. Moderating the panel is Ari Juels, chief scientist and director of RSA Laboratories.

>> We often hear talk of the possibility of a digital Pearl Harbor affecting our industry. Do you think that's the right analogy? Is that really the right description for the state of affairs of data security today?

>> Who do you want? I'll start.

>> Ok.

>> Actually I think it's a bad analogy. First off we react from fear when we talk about extreme cases and I think there's much less rational analysis. If we look at and I'll get this from the press all the time. What's the worst thing that can happen? I think you know what's the bigger risk is what's likely to happen and it's not gonna be the extreme catastrophic thing. It's gonna be cybercrime. It's gonna be the boring thing. It's gonna be identity theft. It's gonna be buffer overflows. That we're better as an industry if we don't stoke fear, if we don't talk about the digital Pearl Harbor because people, people turn off from that. You know people are used to hearing about the fear of the day and they hear about it and they're scared and then something else happens the next day and I think we're better if we look at the more common risks, the more important risks. The risks that actually cost them money and not the risks as you can say well you know that didn't happen last year so maybe we're ok next year.

>> Did you also want to comment?

>> Well I think one I think we're more likely to suffer what I call a digital 9/11 than a digital Pearl Harbor because Pearl Harbor was an attack by a known I won't say enemy exactly but a known belligerent power with which we were in contention about various issues in the Far East at the time, oil in particular. Whereas the thing that was striking about 9/11 is of course it came you know the nerve of something that wasn't a nation-state to conduct an attack on the order of warfare and I think nobody knows you know whether the L0pht when it said to Congress 20ish years ago, 15 anyway that they could bring the internet down in 20 minutes. I don't believe anybody knows, I don't know certainly, whether that was correct then and whether something like it is correct now. So I'm, I think we could suffer some very astounding event and we've sort of had a few of them in other domains in the sense of the blackouts of 1965 and there was another one in the 80's or 90's right? And then there was the ones closest sort of our sorts of things sometime during the 80's there was a big telephone failure that resulted from some update in ESS number 5 and some bug got widely propagated and then got triggered when rush hour arrived and we had a very severe telephone outage. So I, I think the prospects for an unpleasant surprise are not to be pooh-poohed.

>> Risk, risk and management is all about allocating the sources. How much money you want to spend on preventing various types of low probability events and I would say I would put the digital Pearl Harbor fairly low in my list. If you look for example at what's likely outcome of such a digital Pearl Harbor it's going to be a loss of monetary value, a loss of profits, inconvenience etc. But if I compare it to other catastrophic events like Madoff losing $50 billion I think it was the kind of losses we saw from cyber security incidents over the last few years. So if the government had extra money to spend they should spend on regulating the financial markets and not spending on cyber security effects.

Clapping

>> Ron did you want to?

>> Yeah I want to say something some of the points you made touch on the shape of the tail. I mean Marty's been concerned about the major nuclear risks that we all face and Bruce is saying well really maybe what you should be focused on is sort of the smaller ones 'cause they're more prevalent and it's hard to estimate what the tail looks like. If you look at earthquakes for example they have this nice law, the Gutenberg-Richter law that says for every increase of 1 point on the Richter scale, the frequency goes down by a factor of about 10 and that's historically about right. But the power goes up by a factor of 30. You know so maybe if the damage is proportional to the power you're actually on an annualized basis you're actually going to be suffering more on the very large earthquakes but the ratio between 10 and 30 is what matters here and so I don't know what should be in cyber security.

==== Transcribed by Automatic Sync Technologies ====