Pentagon Cyber ‘Scorecard’ Is a Big Risk Register

Stung into action by warnings of lax security, the repeated hacking of sensitive US government data, and revelations about lose controls surrounding the email of former Secretary of State Hilary Clinton, the Pentagon is going to take action to counter the threat of hackers infiltrating military systems. Reuters reports that the US Department of Defense is going to build…

…a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons systems, and installations, and help officials prioritize how to fix them.

That sounds like a good idea. But it sounds less impressive when you read on.

…officials should reach agreement on a framework within months, with a goal of turning the system into an automated “scorecard” in coming years.

And then they noted that…

Initial data entry would be done by hand, but the goal was to create a fully automated system that would help defense officials instantaneously detect and respond to cyber attacks.

So whilst the Reuters headline is that the Pentagon is going to created an automated ‘scorecard’, the simple truth is that the Pentagon intends to put together what risk professionals would call a ‘risk register’. And we all know that ‘register’ is just a fancy name for a list. So, in short, the Pentagon is going to compile a list of cyber risks.

The Pentagon should have a list of cyber risks; you will not find me arguing otherwise. What is worrying is this is being presented as a major step forward. An organization maintaining a list of cyber risks is like a doctor following a checklist when examining a patient, or you writing a shopping list for your groceries. It is such a simple and sound technique that we should not be applauding its use, but bemoaning professionals who lack the discipline to employ it.

Should the Pentagon have a list of cyber risks, and what it will do about them? Of course! Should they compile the list manually, if they have no automated way of collecting the data? Yes! Any list is better than none. But this is only a major leap forward if they never bothered to maintain a list before. Shame on the Pentagon for their past failure – though we should thank them for putting into perspective why so many other (smaller, less well funded) organizations fail to employ basic methods to manage serious risks.

The way this story is presented also displays all the hallmarks of why risk registers fail to be used well in practice. Having a list is a big step forward, if you had no list before. But saying you will compile a list sounds lame. So instead of focusing on the basic incremental improvements in identifying, recording, prioritizing and mitigating risks, the Pentagon is promising to boil the ocean.

The Pentagon will not just have a list, they will have a ‘massive’ list. The list will not be written on paper, it will be electronic. They will not just pay some people to update the list fairly regularly, they will ensure the list is ‘fully automated’. As a result, they will ‘instantaneously’ detect and respond to attacks (whatever that means). And because of everything the Pentagon will do, it will take them months just to agree the framework. In the meantime, what stops the hackers from doing their worst today?

Instead of admitting they were lousy (having no list) and planning to be a bit better (compiling a list) and then make incremental improvements (progressively better, bigger, more up to date lists), the Pentagon is promising to leap from zero to hero in one massive bound. Hoorah for them! However, any decent risk manager should be telling them that a project which takes a massive leap forward will often fall off a cliff.

To be fair to Air Force Lieutenant General Kevin McLaughlin, who made the announcement, he seems to have some inkling of the danger of being too ambitious.

He said the initial focus of the new scorecard would be on the greatest threats, including weapons systems fielded 30 years ago before the cyber threat was fully understand, as well as newer systems that were not secure enough.

“There’s probably not enough money in the world to fix all those things, but the question is what’s most important, where should we put our resources as we eat the elephant one bite at a time,” he said.

You manage risks one step at a time, and with a keen sense of priorities. Many organizations do too little to manage risks in a systematic and methodical manner, and then panic themselves into promising to do too much. Being overambitious with risk management is as fatal an error as being underambitious. You can learn from the Pentagon’s example, by not following it.

Instead of planning for a super-whizzy hyper-automated real-time knobs-and-whistles risk management scorecard to be implemented in a few years from now, try to keep a list of the top risks facing you today. Try to do a better job of managing those risks today. When you go into work tomorrow, try to do a slightly better job. If you take that approach every day, you will really be managing risk, instead of promising to manage risk in the future. And if you succeed every day, you will really get better at managing risk, and have the results that prove it.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.