So says David Kepler, corporate vice president and chief information officer of The Dow Chemical Co., in Midland, Mich., who gave the opening keynote address at the ISA Show, held in October in Houston. A capacity crowd heard Kepler’s talk, “Plug, Play and Connect,” in which he addressed the progress of technology, secure computing and safe behaviors.
Two of the fundamental laws of technology, Moore’s Law and Metcalfe’s Law, are alive and well today, says Kepler. Technology development continues to progress with Moore’s Law, which says chip power doubles every 18 months. And our Internet-connected world continues to support Metcalfe’s Law, which states that the value of a network is proportional to the square of the number of devices connected to it.
The missing law
These two principles, however, have driven the need for a third law: the Law of Unintended Consequences. Kepler contends that this third law is about balancing the benefits of adopting technology against the unintended consequences that may come about through its use. The exact point of “unintended consequences” occurs when the risk of moving forward is greater than the potential loss incurred if controls are put in place. In other words, it may be better to limit the use of the technology with appropriate controls than to suffer the unintended consequences from its unfettered use. With the Internet, the consequences can include virus attacks, piracy and cyberterrorism.
To support his theory, Kepler cites the economic losses due to these unintended consequences. In August 2003, the worldwide economic cost of cyber attacks was $32.8 billion, $29.7 billion of which was due to the Sobig virus alone, according to a report from mi2g (www.mi2g.com), a London-based digital risk assessment company. In the United States, 23 percent of business software is unlicensed, with technology piracy costing $13 billion a year.
When it comes to risk mitigation, Kepler suggests that the information technology industry can learn some lessons from the chemical industry.
Risk mitigation in the chemical industry extends from product development, manufacture and distribution, through the chemical’s ultimate use in society. On the manufacturing risk side, Dow has reduced its injury and illness rate by 75 percent since a 1994 baseline. It has done so by using operating discipline, new technology and information sharing.
Cybersecurity requires the same approach. Kepler recommends the following steps to ensure secure computing:
* Think broadly when applying secure access
* Suppliers need to hold themselves accountable for security
* Each industry, company and professional must understand cybersecurity threats and the interdependence of industries
* Industry must recognize that physical and cybersecurity extend to reliability, operational excellence and financial performance.
The chemical industry has established the Chemical Sector Cybersecurity Program (www.chemicalcybersecurity.com) and Information Sharing Forum for cost-effective access to current best practices in risk mitigation. The Forum consists of representatives from 10 trade associations, including the American Chemistry Council and the National Association of Chemical Distributors, which together represent more than 2,000 companies in the chemical industry.
The Program is focused on the following five initiatives for enhancing cybersecurity within the chemical sector:
* Foster involvement and commitment across the sector
* Establish a cybersecurity public affairs program
* Establish risk-based sector practices and standards
* Establish an information sharing network
* Encourage acceleration of improved cybersecurity technology.
What can you do? Kepler offers this advice, “Manufacturers need to promote better collaboration among IT, manufacturing and research and development; they need to assess and define their systems and inherent risks; and they need to support the development of cybersecurity standards for their industry.”