"And as critical as Twitter is, we have the exact same dynamic with
our privatized water and power companies - who have no plans to make
strategic investments in security or anything really - which is why on
public calls you can hear them humiliating themselves asking Jen
Easterly to absorb the entire costs of their security programs."
Long-time lurker, first time poster. This hits me where I live because
I run a Red Team for a large privatized power company, which is one of
many strategic investments in security my company makes despite the
fact that our budget is scrutinized and approved to the line item by
the state's Public Service Commission and we must justify the value
of, in some cases, individual tools. I've only been doing this a few
months and it's been quite an education in how far the definition of
capitalism can be made to stretch. It's hard to call something a
failure of the market when there never was a market and it definitely
wasn't free, notwithstanding the fact that it has shareholders and
dividends.
Whether we do it ourselves, which we do, or ask the government to pay
is somewhat academic, since taxpayers and ratepayers are the same
people, and since our money is subject to state control just like the
state's money. It's even more academic in the age of COVID, when
people aren't paying their power bills and the state and federal
governments are helping keep the lights on.
The standard model in our industry is to make a profit on capital
expenditures but not operations and maintenance, e.g., all of
security. The PSC/PUC rightly scrutinizes O&M expenditures because
that's where you put the executive yachts and such if you are so
inclined. Security does OK in the state where my employer is located
because the PSC can read the news, but the point is: the Board of
Directors isn't scheming to offload costs to the taxpayer. The Board
of Directors spends what it's allowed to by the taxpayers'
representatives.
We may not really be the target of that remark, though, because for
all of that we're actually the haves. The have-nots in power utilities
are the rural co-ops with ten employees, two servers, a bunch of
distribution transformers, and zero profits, where IT is done by a
local contractor and security is not done. Those are the folks who are
really offloading security to the taxpayer, and they have no choice
whatsoever.
On Wed, Aug 24, 2022 at 8:51 AM Dave Aitel via Dailydave
<dailydave(a)lists.aitelfoundation.org> wrote:
>
> If you were at a talk at Defcon this year in the Policy track, you probably heard
> someone talk about how they, as a government official, are there to address "market
> failures". And immediately you thought: This is a load of nonsense.
>
> Because that government official is not allowed to, and has no intentions of,
> addressing any market failures whatsoever. If the Government was going to address market
> failures, they'd have to find some way to dissuade every cloud provider from making
> their security features the upsell on the Platinum package. They'd have to talk about
> how trying to get into different markets means every social media company faces huge
> pressures to put Indian spies on their network.
>
> Obviously you know, as someone who did not emerge from under a rock into the security
> community yesterday, that the answer to having a malicious insider on your network is
> probably some smart segmentation, which we call "Zero Trust" now.
>
> But Zero Trust is expensive! And most social media companies are not exactly
> profitable as the great monster known as TikTok has eaten every eyeball in every market
> because the very concept of having people explicitly choose who their friends are is
> outdated now.
>
> In fact, as everyone is pointing out, almost all companies you know are in this
> position! They're cutting costs by sending jobs overseas while spending huge amounts
> of money propping up their stock prices and paying their executives to sell them to a
> dwindling market of buyers. Private Equity companies spend every effort on squeezing the
> last dollar out of old enterprise software by exploiting the lock-in they have on small
> businesses.
>
> And as critical as Twitter is, we have the exact same dynamic with our privatized
> water and power companies - who have no plans to make strategic investments in security or
> anything really - which is why on public calls you can hear them humiliating themselves
> asking Jen Easterly to absorb the entire costs of their security programs.
>
> The ideal practice for all of these companies is to offload their costs onto the
> taxpayer, which is why instead of investing in security, they cry for the FBI to go
> collect their bitcoin from whatever ransomware crews are on their network this week using
> offensive cyber operations that themselves cost the government an order of magnitude more
> than the bitcoin is worth.
>
> As you're sitting in that Defcon talk, listening to someone from government talk
> about how they only want to regulate with the "input of industry" or something,
> you have to wonder: if this is every company we know, maybe the market failure isn't
> just how hard it is to buy a good security product because they all abuse the copyright
> system to avoid any kind of performance transparency. Maybe it's also how hard it is
> to SELL a good security product because every single company is trying to cut their budget
> to the exact minimum amount that will allow them to tell the FBI they did their best, and
> the FBI needs to go out there and pick up their slack.
>
> -dave
>
> _______________________________________________
> Dailydave mailing list -- dailydave(a)lists.aitelfoundation.org
> To unsubscribe send an email to dailydave-leave(a)lists.aitelfoundation.org