Some colleagues and I were discussing DDoS attacks earlier this week: who is waging DDoS attacks, what techniques they’re using and how to deal with attacks when they occur. While discussing the value of advance warning of such attacks, one person said offhandedly, “the problem with advance warning is that the threat may be just the threat of the attack, not the attack itself.” It was an interesting and valuable insight, one that deserves some exploration.
The comment reminded me of the famous statement by President Franklin D. Roosevelt in his 1933 Inaugural Address: “the only thing we have to fear is fear itself.” There is a systems dynamic that operates in financial crises, a vicious cycle in which erosion of trust damages our ability to address a problem, which in turn erodes trust. That same dynamic can happen in security as well. Whether it’s a DDoS attack or a new virus — or even new regulation — the threat of disruption can lead, at the least, to distraction from our business and, at worst, to significant negative impact on it. When it looks like the sky is falling, after all, who has time for our mundane day-to-day work?
But such disruption in anticipation of an attack may be as dangerous as any that might result from an attack. Our ability to project forward into the threats that may damage our systems, our business, even our lives, enables us to deal with them more effectively when they occur, and perhaps to forestall them altogether. We do need to take threats seriously, assessing the level of risk and responding accordingly. We certainly need to anticipate low-probability but high-impact events, that tail of outliers in the power law distribution where highly disruptive DDoS attacks may lie.
But we need to ensure that this foresight doesn’t itself cause the damage we are concerned with from such events. We need to plan for them within a larger process and strategy for security that helps us keep perspective. Here’s one way of representing such a process and strategy, one that we at RSA have been using in discussing this topic, based on the ISO 27001 security management framework and the ISO 31000 risk management framework:
Such a process and strategy can lead us to bold moves and significant initiatives in response to the threats we face, entailing dramatic changes in our security technology, process and human resources. At the same time, it helps us to maintain perspective, so that we can avoid giving undue weight to the threat of the threat itself.