Risk and Rewards

The Essentials Newsletter, Thirty-fourth Edition

On November 13, this newsletter and my consulting firm hosted a conversation about the risks and rewards of innovation in critical infrastructure (CI) sectors. We’ve all heard about cost-benefit analysis -- while the terms “risk and reward” are similar, in my mind at least, the latter combination enables a broader view, beyond financial costs and benefits, which the former often implies. According to Merriam-Webster:

Risk (noun): the possibility of loss or injury: someone or something that creates or suggests a hazard; the chance of loss or the perils to the subject matter of an insurance contract, also: the degree of probability of such loss; a person or thing that is a specified hazard to an insurer; an insurance hazard from a specified cause or source (war risk); the chance that an investment (such as a stock or commodity) will lose value.

Reward (noun): something that is given in return for good or evil done or received or that is offered or given for some service or attainment (the police offered a reward for his capture); a stimulus (such as food) that is administered to an organism and serves to reinforce a desired response.

Working with my colleagues at Joy Ditto Consulting and the panelists we invited to participate in the event – Bridgette Bourge of BBS Consulting, Alisha Hathaway of Blue Bench Advisors, and Alan Hill of the J.A. Hill Group – we further homed in on the need to evaluate and discuss technological innovations in our most critical infrastructure sectors. Of course, there are other types of innovation – product improvement, process improvement, collaboration improvement – but we wanted to focus on the technological element. According to Merriam-Webster:

Technology (noun): the practical application of knowledge especially in a particular area; a manner of accomplishing a task especially using technical processes, methods, or knowledge, the specialized aspects of a particular field of endeavor.

While this definition of technology is broad, it’s also applicable to CI sectors because what they do, and have done from the beginning (see this newsletter’s first 24 or so editions for more on each sector’s development), is apply practical knowledge to complex infrastructure challenges. Our discussion a few weeks ago focused in further on software-deployed technologies that have enabled an incredible amount of progress in the last 40 years(ish), but have come with a particular set of risks and rewards.

In the context of CI sectors, the deployment of “industrial control systems” (ICS) to enable operators to remotely control all or part of their systems began in earnest in the 1980s and into the 1990s, although some industries began doing so as far back as the 1960s. As noted in an article by Chris Rahbek-Nielsen on macautoinc.com:

In the 1970s, the first Distributed Control System (DCS) revolutionized industrial control by replacing analog control panels with digital interfaces, allowing operators to manage processes from a central location. These early systems combined control and monitoring functions, streamlining operations and improving efficiency.

Since that time, CI sectors have deployed digitally delivered technology to improve products, services, processes, and efficiency, and to minimize risk. These technologies rely on a few foundational elements – electric power, power electronics, and telecommunications, the latter of which is deployed via interconnected systems such as the internet or intranets. About 25 years ago there was a marked shift in how we think about ICS because nation states and other groups began to systematically attack such systems to gain access/intelligence, intellectual property, and, potentially, to gain control (either immediately or in the future, known as “pre-positioning”). This situation – now known as cybersecurity – injected a massive risk into the CI sectors, a risk that was not fully understood for decades.

Back to this past November 13, and our discussion. First, our special guest, Congressman Brandon Williams (R-NY), graciously and eloquently set the stage. As a former technology company owner and nuclear submarine naval officer, he knows whereof he speaks, and framed the conundrum perfectly. I would not be able to do justice to his remarks here, but suffice it to say that situational awareness across CI sectors and the federal government is lacking, precisely because the cybersecurity risk was not understood for decades, at which point “legacy” systems had been deployed without sufficient cybersecurity controls.

The panelists further framed the topic for attendees. They all agreed that, regardless of the risk-reward ratio, at this point the “genie is out of the bottle,” and we will continue to deploy digitally based technology in our CI sectors – to great reward in terms of efficiency and increased services. However, Alisha reminded the group that we are understaffed in our country when it comes to people who understand the technology itself and the cybersecurity needed, citing a federal government report that noted a deficit of 500,000 people in cybersecurity alone. Bridgette emphasized that the cyber risk must be managed indefinitely, and that collaboration within CI sectors, amongst CI sectors, and with the federal government, via technical assistance and information-sharing, is central to successful risk management. Alan discussed the technology itself – touching on artificial intelligence (AI) and helping to define quantum computing, which, when fully developed, will make today’s encryption technologies obsolete.

The audience came back to the AI question, and the panel clarified that AI in the form of iterative machine learning has been around for a long time, but the promise of its usefulness has increased exponentially because the data we’ve been collecting for decades, via sensors and other data-gathering technologies, is now available to be analyzed, and even packaged, by AI. Use of AI underscores the workforce needs rather than detracts from them, as AI still needs to be programmed/directed/overseen and its outputs analyzed by humans. For CI sectors, this may mean that data scientists can step away from culling through massive amounts of data and instead have AI do it. The people can then take that packaged information and further correlate it to the needs of CI. At the end, the panel and the audience all agreed that people are key to both AI and to managing/assessing the risks and rewards of these digital technologies. Educational pathways, retraining, and external communications are needed by CI sectors, as is even more collaboration between and amongst these sectors, and with federal and state governments in certain areas, such as cybersecurity.

Congressman Williams and the panel were incredible as was the audience. As such, we’ve decided to host another event in D.C. in the first quarter of next year, so stay tuned for those details. Also, I’ll take a break from this newsletter until after the first of the year, so please have a wonderful holiday/Christmas season and Happy New Year!
