Category Archives: Security

Clean City Simulation, Sponsored by IBM

IBM has posted an online simulation game called CityOne, where you can try and make a city as disgusting and dirty…ahem, I mean as clean and efficient as possible:

Think you know what it takes to make the energy systems that serve a city more efficient? Given the opportunity, could you make the city’s water cleaner and more plentiful, its banks more robust and customer-centric and its retail stores more innovative?

Changes you make affect sensors in the game. You are meant to “evolve” four industries: retail, banking, energy and water.

You have to sign in and agree to store information on IBM servers before you can play. I could not help but notice the incongruity here. Do you see a “submit” button?

Does this mean I am not bound by the terms because I clicked continue instead? The game has not even started and I have found a decision flaw.

This reminds me of games I used to play to solve the Middle East conflict. Although it is fun to choose from a limited set of options, after a while it becomes clear that someone has an agenda and you are just learning how to follow along.

The start of the IBM game, for example, gives you three water options based only on technology (that presumably IBM sells): desalination, smart water meters, and separate water systems. I could not find the option for deregulation, issuing fines, or invading a neighboring state and seizing their water supplies. The “water consultants,” in other words, give the sort of advice you might expect if IBM placed a consultant in your city.

There is no city jester and no military/security consultant to offset the industry consultants who just seem to want to spend money on IBM.

Don’t ask why a CEO is said to be in charge of a city, instead of an elected official, let alone why this CEO only has four consultants and they are all working on industry. Just play along now.

Street Artist Arrested: KKKatie Taken Down

The city of San Francisco has re-arrested a “street artist” known for spray-painting “KKK”. Aggressive Panhandler, a local blog, has an amusing take, called KKKatie Taken Down, Or: How Not to be a “Street Artist”:

Look, I’m not one to debate street art vs. vandalism, but if you’re gonna go around trying to make a name for yourself using $15 worth of supplies from the hardware store, could you at least make it look kind of nice? Did you only have one can of paint? You probably shouldn’t be running with a nom de guerre that includes a commonly recognized abbreviation of your given name either. I know if I ever start calling myself a Rustoleum Wrangler, I’m gonna go by “ChChCharlie” and my tagline will be “Do not attempt to tag actual human beings.”

That last line is a reference to how the artist threatened to spray paint a man who reported her to the police. She also threatened the man with racial comments and false claims if he turned her in.

“…she said to me, ‘If you do dial 9-1-1, I’m going to say you raped me and tried to kidnap me. Who do you think they’re going to believe, a black man or a white woman?’ And, I said, ‘Well, let’s see,'” Moore said.

The city arrested her but let her go, foolishly. Then she went on another KKK spree until she was detained and then attacked a police officer. The city now is said to have spent more than $10,000 just for cleaning surfaces, including a statue, that she spray painted with KKK.

The artist claims it stands for Kooky, Krazy Kid. This seems irrelevant to me. She uses initials and leaves it open to interpretation. If she painted Kooky, Krazy Kid then she might have a leg to stand on. As much as I am a fan of street art, this does not qualify and the police have unfortunately let the tab run instead of shutting her down when they had the first chance.

San Bruno Pipe: Ticking Time Bomb

The San Francisco Chronicle says five families sue PG&E after the San Bruno fire:

The suits say the pipe was a “ticking time bomb” that PG&E ignored. They attack the utility for not having automatic shutoff valves on the line, which could have reduced the time it took to cut off the flow of gas that fed the inferno.

“This wasn’t an accident. This was a foreseeable consequence of ignoring safety measures,” said Frank Pitre, a Burlingame attorney representing the families. He said he would file cases on behalf of about two dozen more families in the next two weeks.

Richard Clarke cited this disaster in his keynote at RSA Europe last week. Here is my problem with his use of it as an example: he first said how simple it is to blow up a gas line and cause massive destruction, then he said how complicated it is to design and deploy an attack on a utility (e.g. Stuxnet).

I asked him afterward about this apparent contradiction — easy to cause a disaster yet hard to cause a disaster. He said the sophisticated nature of “what they were trying to do” is what made Stuxnet different from the San Bruno explosion.

Ok, regardless of motive, which we cannot really know anyway, let’s talk consequences.

Can we honestly say we are far more at risk from a “highly targeted” and “weaponized” and “highly sophisticated” attack like Stuxnet when it has had literally zero impact?

It seems to me that Clarke’s message about cybersecurity is weakened when he brings up examples of actual disasters and how easy they are — like a “ticking time bomb” instead of a bumbling virus.

His speech made me think the non-cyber environmental disasters (especially from energy companies) pose a more present danger (more likely, more severe) than anything he has to say about security. This is not to diminish the importance of security, but to keep it in perspective relative to things that the five families are describing in their lawsuit.

Beer Thief Caught In Job Interview

A man who stole beer from a grocery store applied for a job at the same store.

The Telegraph says the lager thief showed up for an interview, but it did not go well:

When he was invited in for an interview, the local manager recognised his face, Burnley Crown Court heard.

The unnamed manager then checked CCTV footage from earlier that week and identified Holden stealing four boxes of lager worth £40 from the same store.

When confronted during the interview, he fled – and stole two more boxes of beer as he ran through the front door.

This is a surveillance success story, as much as it is a case (pun not intended) of a really stupid thief. Although the cameras did not prevent theft, they aided in identification, which clearly helped the manager avoid hiring someone who stole from the store. Would have been much worse to hire and then “can” the thief. It also helped with prosecution.