{"id":570,"date":"2024-04-01T16:16:08","date_gmt":"2024-04-01T14:16:08","guid":{"rendered":"https:\/\/lendl.priv.at\/blog\/?p=570"},"modified":"2026-01-05T23:06:42","modified_gmt":"2026-01-05T22:06:42","slug":"on-cybersecurity-alert-levels","status":"publish","type":"post","link":"https:\/\/lendl.priv.at\/blog\/2024\/04\/01\/on-cybersecurity-alert-levels\/","title":{"rendered":"On Cybersecurity Alert Levels"},"content":{"rendered":"\n<p>Last week I was invited to provide some input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisecurity.org\/cybersecurity-threats\/alert-level\" target=\"_blank\">CISA Alert Levels<\/a>) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. <\/p>\n\n\n\n<p>My answer was negative on both questions, and I think it might be useful if I explain my rationale here. The first was rather obvious and easy to explain, the second one needed a bit of thinking to be sure why my initial intuition to the document was so negative.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Escalation Ratchet<\/h2>\n\n\n\n<p>The first problem with color-coded threat levels is their tendency to be a one-way escalation ratchet: easy to escalate, but hard to de-escalate. I&#8217;ve been hit by that mechanism before during a real-world incident and that led me to be wary of that effect. Basically, the person who raises the alert takes very little risk: if something bad happens, she did the right thing, and if the danger doesn&#8217;t materialize, then &#8220;better safe than sorry&#8221; is proclaimed, and everyone is happy, nevertheless. 
In other words, raising the threat level is a safe decision.<\/p>\n\n\n\n<p>On the other hand, lowering the threat level is an inherently risky decision: If nothing bad happens afterwards, there might be some &#8220;thank you&#8221; notes, but if the threat materializes, then the blame falls squarely on the shoulders of the person who gave the signal that the danger was over. Thus, in a CYA-dominated environment like public service, it is not a good career move to greenlight a de-escalation.<\/p>\n\n\n\n<p>We&#8217;ve seen this process play out in the non-cyber world over the last few years; examples include<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Terror threat level after 9\/11<\/li><li>Border controls in the Schengen zone after the migration wave of 2015<\/li><li>Coming down from the pandemic emergency<\/li><\/ul>\n\n\n\n<p>That&#8217;s why I&#8217;ve always been pushing for clear de-escalation rules to be in place whenever we do raise the alarm level.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cost of escalation<\/h2>\n\n\n\n<p>For threat levels to make sense, any level above &#8220;green&#8221; needs to have a clear indication of what the recipient of the warnings should be doing at this threat level. In the example I saw, there was a lot of &#8220;Identify and patch vulnerable systems&#8221;. Well, Doh! This is what you should be doing at level green, too.<\/p>\n\n\n\n<p>Thus, relevant guidance at higher levels needs to be more than &#8220;protect your systems and prepare for attacks&#8221;. That&#8217;s a standing order for anyone doing IT operations; this is useless advice as escalation.
What people need to know is what costs they should be willing to pay for better preparation against incidents.<\/p>\n\n\n\n<p>This could be a simple thing like &#8220;We expect a patch for a relevant system to be released outside our office hours, we need to have a team on standby to react as quickly as possible, and we&#8217;re willing to pay for the overtime work to have the patch deployed ASAP.&#8221; Or the advice could be &#8220;You need to patch this outside your regular patching cadence, plan for a business disruption and\/or night shifts for the IT people.&#8221; At the extreme end, it might even be &#8220;we&#8217;re taking service X out of production, the changes to the risk equation mean that its benefits can&#8217;t justify the increased risks anymore.&#8221;<\/p>\n\n\n\n<p>To summarize: if there were no hard costs to a preventative security measure, then you should have implemented it a long time ago, regardless of any threat level board.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Counterpoint<\/h2>\n\n\n\n<p>There is definitely value in categorizing a specific incident or vulnerability in some sort of threat level scheme: A particularly bad patch day, or some out-of-band patch release by an important vendor, certainly is a good reason that the response to the threat should also be more than business-as-usual.<\/p>\n\n\n\n<p>But a generic threat level increase without concrete vulnerabilities listed or TTPs to guard against? That&#8217;s just a fancy way of saying &#8220;be afraid&#8221;, and there is little benefit in that.<\/p>\n\n\n\n<p>Postscript: Just after posting this article, I stumbled on a <a href=\"https:\/\/things.uk\/@eclectech\/112195378556075301\">fediverse post<\/a> making almost the same argument, just with April 1st vs.
the everyday flood of misinformation.<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week I was invited to provide some input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,9],"tags":[],"class_list":["post-570","post","type-post","status-publish","format-standard","hentry","category-cert","category-pet-peeves"],"_links":{"self":[{"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/posts\/570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/comments?post=570"}],"version-history":[{"count":1,"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/posts\/570\/revisions"}],"predecessor-version":[{"id":807,"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/posts\/570\/revisions\/807"}],"wp:attachment":[{"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/media?parent=570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/categories?post=570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lendl.priv.at\/blog\/wp-json\/wp\/v2\/tags?post=570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}