The San Francisco Chronicle says five families sue PG&E after the San Bruno fire:
The suits say the pipe was a “ticking time bomb” that PG&E ignored. They attack the utility for not having automatic shutoff valves on the line, which could have reduced the time it took to cut off the flow of gas that fed the inferno.
“This wasn’t an accident. This was a foreseeable consequence of ignoring safety measures,” said Frank Pitre, a Burlingame attorney representing the families. He said he would file cases on behalf of about two dozen more families in the next two weeks.
Richard Clarke cited this disaster in his keynote at RSA Europe last week. Here is my problem with his use of it as an example: he first said how simple it is to blow up a gas line and cause massive destruction, then he said how complicated it is to design and deploy an attack on a utility (e.g. Stuxnet).
I asked him afterward about this apparent contradiction — easy to cause a disaster yet hard to cause a disaster. He said the sophisticated nature of “what they were trying to do” is what made Stuxnet different from the San Bruno explosion.
OK, regardless of motive, which we cannot really know anyway, let’s talk consequences.
Can we honestly say we are far more at risk from a “highly targeted” and “weaponized” and “highly sophisticated” attack like Stuxnet when it has had literally zero impact?
It seems to me that Clarke’s message about cybersecurity is weakened when he brings up examples of actual disasters and how easy they are — like a “ticking time bomb” instead of a bumbling virus.
His speech made me think the non-cyber environmental disasters (especially from energy companies) pose a more present danger (more likely, more severe) than anything he has to say about security. This is not to diminish the importance of security, but to keep it in perspective relative to things that the five families are describing in their lawsuit.