On the Nuclear Threat Initiative's Report on Cybersecurity Risks at Nuclear Plants
Paul Rosenzweig offers a critique of the Nuclear Threat Initiative’s report on cybersecurity risks at nuclear power plants that is summarized in his statement that “The NTI assessment is based on a legal and policy analysis, not a practical examination of actual vulnerability.”
Published by The Lawfare Institute
I understand and share his disappointment that the report did not address actual vulnerabilities. But he concludes his piece by saying that “Starting at the top is probably the wrong place to begin.”
I’m not so sure about that part. I’ve tracked cybersecurity issues at nuclear plants for a while, and I am pleased that the NTI report was written. That is, I think we’re better off with the report in hand compared to the alternative – the report not being in hand. Paul’s right that we can’t stop with fixing the problems identified in the report, but telling people what they should be doing is for me a necessary precondition to getting them to do those things.
I should point out that this (small) difference between Paul and me reflects a broader question—do security checklists and the like contribute in a meaningful way to cybersecurity? I think the answer can be yes, but not if they become mindless check-the-box activities, which they do all too often. Paul, I suspect, would say no, because becoming mindless check-the-box activities is inevitable.