“We accept the risk.”

“A lot of smaller communities are resource-constrained. If you have a million dollars, are you going to fix the potholes constituents have been calling about, open parks and swimming pools for the summer? Or buy new servers and do all the things that are going to make you more secure?”

When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is Fighting Back
New York Times, August 22, 2019

Yes. The answer is yes.

Municipal leadership, like the leadership of any organization, is tasked with balancing a seemingly endless number of competing priorities. That’s why they get paid the big bucks.

Crumbling physical infrastructure or reductions in municipal service offerings are always sure to elicit strong reactions from residents and constituencies. Technology assets and infrastructure are not as visible to their end customers. As a result, software updates and hardware refresh cycles often take a back seat because “well it still works” or “but we only bought that server 5 years ago and it’s not broken.”

But in today’s operating environment, proper maintenance and risk management of a municipality’s technology infrastructure, endpoints, and systems are just as critical as the maintenance and risk management of its roads and bridges.

When faced with audit findings and risk assessments, far too often management takes what is viewed as the “easy” way out: just accept the risk. I mean, it’s just a checkbox or your initials, as opposed to thousands of dollars and person hours that could be used for other things, right? Quick election cycles and the tendency to kick the can down the road for the next administration makes accepting the risk even easier…let the “next guy” deal with it in the “next budget.”

But the crucial caveat that management is failing to remember in these situations is that when you accept the risk, you accept the risk.

In the case of Lake City’s ransomware attack, I look forward to seeing what comes out through public records requests and the legal process. It should be relatively easy to determine what decisions were documented and what actions were or were not taken.

It is crucial that this incident be a lesson to better understand that day-to-day actions and decisions do have consequences:

  • For management and “the Business,” ensure that you have an appropriate level of understanding about your environment. Understand its functions, life cycle and risks; look to your technical leaders and individual contributors to help educate you so that you can make informed decisions. Don’t just check a box and move on…the ass you save might just be your own.
  • For technical leaders and individual contributors, as the subject matter experts for your environment, you need to ensure your management chain, auditors, and Boards / Committees have the right information to make good decisions.

Regardless of how management chooses to act, remember this invaluable advice from SANS NewsBites Editorial Board Member William Hugh Murray in reference to the Lake City incident:

Any such risk acceptance, and its acknowledgement by the leadership, must be documented. If that was done in this instance, Hawkins will have a good case. In the absence of such documentation, his case may turn upon the honest recollection of that leadership of a decision made months ago. The three rules of risk management are document, document, document.

Living the “Dream”

It was never my dream to turn on the TV and hear entitled assholes speculating about my health, my injuries, and devoting segments on their shows to discussing my medical file, guffawing their way through segment after segment about the hell I have endured. But that’s what life becomes for NFL players: reciting tired sound bites through gritted teeth and long, sleepless nights, handfuls of pills, and early-morning rehab sessions, sideways looks from coaches who want you on that field, who need you on that field, or else your ass is gone.

Nate Jackson, “Andrew Luck Got Out. I Couldn’t.” (Deadspin)

The Human Factor

Horrible news today out of Ethiopia, with the loss of a second Boeing 737 MAX 8 resulting in the deaths of all aboard. I’m grateful to learn that the recorders have been recovered, though one was severely damaged. Hopeful Boeing and the authorities can piece things together quickly.

Reading the initial reporting on today’s incident, this amateur plane nerd’s first reaction was a single word: Prius.

Remember when shortly after the Prius hit the mainstream there was a series of unfortunate events involving vehicles and their occupants sailing through hedge bushes and shopping mall storefronts? Toyota did eventually issue software updates to help prevent crashes, but over time the platform also became familiar to the public. Now, we see more and more models with push button starts and unconventional shift levers and transmissions.

This is the Prius, at scale. Boeing is already working with the FAA to deploy software updates to improve safety, and I’m sure they will help prevent future events. But training and familiarity with an aircraft and, now more than ever, its software, will always win the day. Like when you hit birds and determine your best bet is to go for a swim.

Further Reading

That Corned Beef Sandwich Steals the Spotlight, Again

John Young died January 5 at the age of 87. He was NASA’s longest-serving active astronaut, having flown two missions each for the Gemini, Apollo, and Space Shuttle programs. He commanded the maiden Shuttle flight, taking the Columbia out for a spin with Bob Crippen. He was also one of only three people in human history who returned to the moon for a second visit.

But despite his storied career and extensive experience as a master spaceman, his accomplishments have always seemed overshadowed by an incident onboard Gemini 3.