The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 


Why We Don’t Need Another Cyber ‘Wake-Up Call’

Tom Alrich's picture
Supply chain Cyber Risk management - emphasis on SBOMs and VEX documents, Tom Alrich LLC

I provide consulting services in supply chain cybersecurity risk management and am now primarily focused on software bills of materials (SBOMs) and VEX (Vulnerability Exploitability eXchange). I...

  • Member since 2018
  • 427 items added with 154,818 views
  • Apr 9, 2021


The title of this post isn’t mine. It’s the title of an article written by Mark Weatherford that Kevin Perry forwarded to me this week. Mark, as you may know, is the former VP and CSO of NERC and former DHS Deputy Undersecretary for Cybersecurity (and I believe he was the first officer at DHS who had “cybersecurity” in his title). He’s currently CISO at AlertEnterprise and Chief Strategy Officer at the National Cybersecurity Center. He also is the moderator of the panel I’ll be participating on in this year’s virtual RSA Conference.

I’ll let you read it, but Mark makes a great point: It’s way past time that we should stop calling each new cyberattack a “game-changer”, “wake-up call”, “watershed moment”, etc. All of these phrases subtly convey the idea that this latest cyberattack could never have been properly prepared for. Furthermore, nobody is really to blame for it happening (other than the attackers), since it was so unprecedented that it would have been almost impossible to defend against it.

The problem with this idea is that there’s literally no end to possible cyberattack types. There will always be “game-changing” attacks, since the game is always changing anyway. I’ll grant that nobody (that I know of) predicted that the software build process itself could be compromised and malware planted without the developer having any idea this was happening, as about 1,000 Russians did in the case of SolarWinds, just as nobody (again, that I know of) predicted that a fired AWS employee would be able to penetrate the cloud environments of at least 30 AWS customers and cause serious damage to one of them, Capital One…etc.

In fact, I’d say the only real game-changing cyberattack was the Morris Worm of 1988. This infected a few thousand computers, crashing a large number of them. The crashes were due to a coding error by Morris, the perpetrator. He actually didn’t intend to cause harm. In fact, he considered this to be a wake-up call! It was certainly that. In fact the CERT-CC was founded at Carnegie-Mellon as a result of this attack. And if you think a few thousand computers isn’t a lot, consider that there were only about 60,000 computers connected to the internet at the time.

Ever since the Morris Worm, the internet community should have been not only protecting against whatever led to the last big attack, but trying to anticipate what the next one will be. But we all have suffered from a failure of imagination, which is why we continue to have game-changing attacks, and probably will until human nature changes.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at



No discussions yet. Start a discussion below.

Tom Alrich's picture
Thank Tom for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network® is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »