The Catalyst Problem: What Forces Governance Models to Change
Part 5 of 5: Why Cyber Can't Wait for Disaster to Innovate
The nuclear industry reorganized its governance structure not through foresight, but through catastrophe. Three Mile Island in 1979 killed no one. But it demonstrated that the regulatory model based purely on government agencies was insufficient. It took that visible failure to mobilize the political will for INPO, for WANO, for the entire shift toward industry-led peer review and continuous improvement.
Fukushima in 2011 came 32 years later, proving that even reorganization doesn't create perfection. But it forced anotherround of governance evolution, leading to new international coordination between IAEA and WANO, updated standards for design margins, and rethinking of assumptions about maximum plausible accidents.
Each time, visible, catastrophic failure preceded governance innovation.
Cyber governance has not yet had its Three Mile Island moment. Or rather, it's had dozens of them—SolarWinds, Colonial Pipeline, the healthcare ransomware epidemic, the Twitter breach, the Okta compromise—but none triggered fundamental governance reorganization. Instead, each incident prompted tighter regulation within the old framework, not abandonment of the old framework itself.
This is actually a structural problem unique to cyber. Understanding why requires understanding what made Three Mile Island genuinely transformative for nuclear governance.
Why Three Mile Island Changed Everything
Three Mile Island was effective as a catalyst for exactly three reasons:
1. It was unambiguous A reactor partially melted down. The cause was clear: equipment failure (stuck valve) combined with operator error (misreading instruments and believing the stuck valve was open when it was closed). The failure mode was specific and addressable. Regulations and procedures could be changed to prevent the exact failure sequence from happening again.
Most importantly, it was obvious. Anyone could see that something had gone catastrophically wrong. The cover-up attempts actually made things worse, because the more the industry tried to minimize the incident, the more suspicion it created. The public knew something terrible had nearly happened.
2. It was systemic, not isolated After TMI, investigators discovered that serious incidents had occurred at other reactors and were either unreported or underreported. The safety culture was discovered to be systematically broken—not just at TMI, but across the entire industry. This meant TMI wasn't a one-time fluke; it was evidence of a pervasive problem.
The Kemeney Commission (the official investigation) concluded that humans were being treated as abstractions in a system designed around hardware. The social and organizational factors that actually determine safety had been ignored. This diagnosis was devastating because it was system-wide. TMI didn't prove a single reactor was unsafe; it proved the regulatory model for all reactors was inadequate.
3. It threatened the industry's existence After TMI, nuclear plant construction essentially stopped for two decades. Political opposition made it nearly impossible to build new reactors. Insurance costs skyrocketed. The industry faced existential threat. This created urgency for governance innovation. The nuclear industry couldn't survive without reorganizing how it approached safety.
INPO was created because the industry realized that government regulation alone, combined with public hostility, would kill the industry. Self-regulation—peer review, continuous improvement, transparency—became the only way to restore public confidence and political support.
Why Cyber Can't Have This Moment
Now look at cyber governance. Cyber has experienced incidents that dwarf Three Mile Island:
- SolarWinds (2020): A nation-state compromised the software supply chain affecting 18,000+ organizations. The attack was undetected for 9 months. The consequences rippled across government, finance, healthcare, and private enterprise globally.
- Colonial Pipeline (2021): A ransomware gang shut down the largest fuel pipeline in North America. Gas prices spiked. Panic buying occurred. The pipeline operator paid $4.4 million ransom. The incident demonstrated that critical infrastructure security was catastrophically inadequate.
- Healthcare ransomware epidemics (2021-2024): Hospitals across North America have been unable to provide services during ransomware attacks. Patients have died. Operating rooms have been cancelled. Cancer treatment schedules delayed. These are human casualties directly attributable to cyber attacks.
Yet none of these prompted governance reorganization. Why?
The answer lies in the differences between TMI and these incidents:
Cyber failures are ambiguous. When a hospital is hit with ransomware, did the attack happen because:
- The hospital failed to patch a known vulnerability?
- An employee fell for a phishing attack?
- A vendor's software was compromised?
- The attack was so sophisticated that even perfect security wouldn't have stopped it?
Nobody can say definitively. Investigations take months. Causation remains uncertain. In the ambiguity, the regulatory response defaults to: tighten existing standards.
Cyber failures are diffuse. Three Mile Island's failure was concentrated at one reactor and its effects were localized. SolarWinds affected 18,000 organizations in unpredictable ways. Some detected breaches quickly; others don't know they were compromised. Some experienced major impacts; others none. The diffusion of failure across millions of attack surfaces means there's no single, clear signal that governance is broken.
Cyber failures are often invisible. Many cyber attacks go undetected. Millions of security incidents occur with no human awareness. A breach that happened two years ago might only be discovered today. A compromise of critical systems might go unnoticed because attackers are careful not to disrupt operations while they extract data.
Because many failures are invisible, governance can claim success by pointing to the failures that were detected. "Look, we caught the intrusion in 6 months instead of 9! We're improving!" The fact that other intrusions are undetected and have been operating for years is unknown.
Cyber failures don't threaten the industry. After TMI, the nuclear industry faced existential threat. Political opposition was severe. Construction stopped. The industry had to reorganize or die.
Cyber attacks have not threatened the existence of the cybersecurity industry. If anything, they've boosted it. Every major breach generates demand for more security consulting, more monitoring tools, more compliance frameworks. The cybersecurity industry has become one of the fastest-growing sectors globally. A governance model that claims the problem is getting worse while the industry is booming has perverse incentives to keep problems from being solved.
Causation chains are opaque. In TMI, the investigation could trace the exact sequence: valve stuck → operator misread indicator → operator didn't compensate → temperatures rose → cooling systems failed → meltdown began. Specific procedural changes could prevent recurrence.
In a supply chain attack, the causation chain involves vendors, cloud providers, endpoint security, network architecture, detection systems, incident response—dozens of independent actors with no unified control. You can't change procedures at the hospital to prevent a SolarWinds-style attack; you can only demand that SolarWinds improve (which it will, for a while, until it slips again).
The Governance Trap That Creates Inaction
These differences create a governance trap:
- Each incident is attributed to local factors (that vendor was negligent, that hospital didn't patch properly) rather than systemic failures in the overall governance model.
- Responses tighten existing standards (patch faster, segment networks better, monitor more aggressively) rather than questioning whether the standards address the right problems.
- Blame is distributed (the vendor, the operator, the attacker) rather than concentrated on governance failure.
- The solution space is technically complex (zero-day defense, supply chain security, nation-state adversaries) rather than organizationally clear (like reorganizing who's responsible for safety oversight).
- The cybersecurity industry is profitable so there's no existential threat that would force reorganization.
- Failure is often invisible, so success can be claimed even as compromise increases.
The result: cyber governance can claim to be evolving (more standards! more frameworks! more compliance requirements!) while the underlying problems metastasize.
What Would Trigger Change
For cyber governance to fundamentally reorganize, you'd need an incident that:
- Is unambiguously catastrophic: The damage is so obvious and severe that attribution doesn't matter. Not "we detected an intrusion" but "the grid is down for two weeks."
- Is systemic: Shows that the problem isn't one vendor or one organization, but a pervasive vulnerability in the entire model.
- Is visible: The failures can't be hidden or attributed to isolated incidents. Hundreds of millions of people experience the consequences directly.
- Is attributable: Either it's so sophisticated that even perfect security couldn't have stopped it (forcing rethinking of what's achievable), or it's so obviously negligent that responsibility is clear.
- Threatens the industry: Creates political will to reorganize, not just tighten.
What might that look like?
Scenario 1: A sustained nation-state attack on financial infrastructure A major adversary takes down significant portions of the US financial system for 48 hours or longer. Securities exchanges go offline. Banking systems are compromised. Not just a brief disruption, but a cascading failure across multiple institutions. Trillions of dollars in economic value are destroyed or at risk.
This would be unambiguous (you can't deny financial markets are down), systemic (showing that despite massive security investment, the entire sector is vulnerable), visible (every major institution, every media outlet, every citizen with a bank account is affected), and likely attributable through intelligence (nation-state capability required).
But even this might not trigger governance change if it can be blamed on "the attacker was just too sophisticated" rather than "our governance model is broken."
Scenario 2: A compromise of critical medical infrastructure at scale A coordinated attack on hospital networks across multiple regions prevents emergency care. People die from preventable causes because hospitals can't function. Respiratory patients can't get mechanical ventilation. Trauma victims can't get surgery. Maternity wards are shut down.
This is unambiguous (patients die), systemic (multiple hospitals compromised simultaneously), visible (grieving families, national news coverage), but attribution might be difficult. And the response might be "hospitals need better security" rather than "the governance model is broken."
Scenario 3: A supply chain compromise of semiconductor or software at the most fundamental level Something compromises the tools or hardware used to build everything else. The compromise is pervasive (affects most chips or most software globally) and discovered only long after deployment (years of compromised systems in the field).
This would be all of the above—unambiguous, systemic, visible, and with clear attribution (this wasn't the hospital's fault; this wasn't one organization's negligence). This might actually force rethinking of the entire model.
But most other incidents, no matter how severe, can be absorbed into the existing framework and blamed on isolated factors.
The Uncomfortable Truth
Here's the uncomfortable part: cyber governance probably won't fundamentally reorganize until the current model fails visibly and catastrophically in ways that can't be blamed on isolated actors.
And it might never reorganize through planned governance evolution, only through crisis.
This is actually unique to cyber. Nuclear governance evolved through a combination of crisis (TMI) and foresight. But foresight was possible because nuclear is concentrated and centralized. It's possible to imagine the entire system and redesign it.
Cyber is so distributed and complex that genuine foresight is nearly impossible. The people responsible for governance have no deep knowledge of the actual attack surface. The people responsible for operating systems have no authority over governance. The people experiencing attacks (enterprise security teams) have limited influence on policy.
So governance will likely continue its current trajectory: tightening standards, adding compliance requirements, creating more institutions, building higher barriers to entry, and becoming increasingly unresponsive to actual threats.
Until something breaks visibly.
What Can Be Done Now
Given that systemic governance change probably requires crisis, what can be done in the meantime?
Build parallel structures outside formal governance.
The most effective cyber governance is already happening outside formal institutions. Information sharing communities operate on their own terms. Open source projects set standards through adoption. Incident response communities mobilize rapidly through networks rather than hierarchy. Bug bounty programs create continuous incentive for disclosure.
These parallel structures should be expanded, funded, and protected from regulatory capture. Governments should fund open source security tools. Organizations should be incentivized to share threat intelligence. Academic research should be directed toward problems that matter (how to defend distributed infrastructure) rather than problems that are theoretically interesting.
Make cyber governance's failures more visible.
Cyber incidents often go invisible. When breaches are discovered years after they occur, the original defenders don't get the learning that would come from immediate feedback. When supply chain compromises ripple across organizations in ways nobody recognizes as connected, the systemic nature is hidden.
Governments should invest in better detection infrastructure that makes incidents visible sooner. They should fund research into causal analysis of compromises. They should create information sharing that connects incidents that might be related. This won't solve the problem, but it will make failures more obvious, increasing pressure for governance change.
Explicitly separate different governance domains.
Criminal cybercrime, industrial espionage, nation-state attacks, and cyber accidents all require different governance approaches. Treating them all as one "cybersecurity" problem creates confusion and poor solutions. Criminal cybercrime requires law enforcement. Industrial espionage requires counter-intelligence. Nation-state attacks require deterrence. Cyber accidents require safety engineering.
Governance frameworks should explicitly acknowledge these differences and create separate institutions for each, rather than trying to create one framework that addresses everything equally.
Accept that leading powers won't constrain themselves.
Any governance framework that improves global cyber defense will reduce the advantage of leading powers. Those powers—particularly the US—will resist. This isn't a conspiracy; it's rational behavior.
Instead of hoping that leading powers will voluntarily constrain themselves through international agreements, focus on helping other actors build resilience. Fund defensive capabilities that can be deployed globally. Support open source tools that don't depend on proprietary intelligence. Help non-aligned nations build capability to defend their own infrastructure independently.
Plan for the crisis.
A major cyber incident is coming. It might be this year or it might be five years away. When it happens, there will be political pressure for rapid response. The frameworks that exist at that moment will be path-dependent.
Organizations should be developing the institutional models, the funding mechanisms, the governance structures, and the policy proposals that should be implemented in response to a major crisis. When the crisis hits, those frameworks will be ready to deploy. If they don't exist yet, the response will default to tightening the existing model.
This is actually what happened after 9/11 in national security and after 2008 in finance. When crisis hits, the pre-prepared frameworks that exist get implemented. Governments should be funding the development of post-crisis cyber governance frameworks now, not waiting for the crisis to force improvisation.
The Real Problem: Governance Lag
The deepest problem in cyber governance is that governance changes slowly while cyber changes quickly.
A nuclear regulation takes years to develop and decades to fully implement. By that time, the threat environment has shifted, new vulnerabilities have been discovered, new technologies have emerged. The regulation is already partially obsolete when it's implemented.
Cyber threats change weekly. New attack techniques emerge constantly. Defenders develop countermeasures. Attackers adapt. The threat environment of 2022 is barely recognizable in 2024.
Creating a governance framework that can adapt at the speed of the threat environment is an unsolved problem. You can't lock governance into long negotiation cycles and expect it to be relevant. But you also can't have every organization making up its own security rules.
The answer probably involves:
- Standards that are updated continuously rather than through multi-year cycles. ISO and NIST frameworks should be living documents, updated quarterly or monthly rather than every five years.
- Governance that's advisory rather than prescriptive. Instead of mandating specific controls, governance should provide guidance about response to specific threat categories, with the expectation that guidance changes as threats evolve.
- Built-in assumption of failure. Governance should not assume it's possible to prevent all cyber incidents. It should focus on resilience, recovery, and learning from failures as standard operations, not exceptions.
- Distributed authority. Instead of central governance bodies making decisions, authority should be distributed to sectoral and regional organizations that understand local threat landscapes and can adapt quickly.
This is the opposite of how nuclear governance evolved. Nuclear governance became increasingly centralized (IAEA making standards, nations implementing them). Cyber governance needs to become increasingly distributed.
Whether that actually happens probably depends on whether a crisis forces it.
The Meta-Problem: Governance of Governance
Here's the final problem that neither nuclear nor cyber governance has solved: who governs the governors?
IAEA and WANO are supposed to regulate nuclear operators. But who ensures that IAEA and WANO are making good decisions? This becomes especially important when:
- IAEA's nonproliferation mission conflicts with its promotion of nuclear power (it did after the Iran nuclear deal)
- WANO's dominance by Western operators means Western standards are treated as universal
- National governments resist international oversight that constrains their sovereignty
- Private organizations (INPO, WANO) exercise regulatory authority without democratic accountability
Similar problems exist in cyber. Standards bodies like NIST and ISO set frameworks that everyone follows, but:
- They're dominated by large, wealthy organizations
- They respond slowly to emerging threats
- They're not accountable to anyone but themselves
- Small organizations and developing nations have little voice in governance
Creating governance structures that are themselves governed—accountable, adaptable, transparent, and representative—is the meta-problem that cyber governance hasn't begun to address.
What It Would Take to Actually Change
Here's the realistic path:
- A major incident occurs that is unambiguously catastrophic and visible.
- Political pressure forces rapid response. Congress or international bodies demand immediate governance reorganization.
- Pre-prepared frameworks (developed now, while nobody's paying attention) are deployed. These become the new baseline.
- The new frameworks prove more effective at actual threat mitigation than the old ones. Evidence accumulates that the new model works better.
- Path dependency shifts. Organizations start building around the new frameworks. New practices become standard. The old frameworks are gradually abandoned.
- Meta-governance structures emerge to ensure the new frameworks themselves stay responsive and accountable.
This happened with nuclear after TMI. It happened with aviation safety after accidents. It happened with financial regulation after 2008.
But it requires both crisis and readiness. If the crisis comes without pre-prepared frameworks, the response will be improvisation, which usually defaults to tightening existing models rather than replacing them.
The Bet We're Making
Cyber governance is implicitly betting that no single incident will force reorganization. That the system will continue to absorb shocks and adapt incrementally. That incidents will remain sufficiently ambiguous and diffuse that systemic failure can always be blamed on isolated factors.
This is actually a reasonable bet. Many complex systems operate this way—experiencing regular failures, absorbing shocks, adapting incrementally, without requiring fundamental reorganization.
The problem is that cyber infrastructure is increasingly critical. Power grids, hospitals, financial systems, transportation networks, water treatment—all depend on cyber systems. The surface area for catastrophic failure is enormous and growing.
Betting that the system can absorb increasingly large shocks with increasingly distributed consequences and no unambiguous signal of systemic failure is a dangerous wager.
But it's the wager we're making, because the governance structures to do anything else don't exist yet, and creating them requires starting now, during boring times when nobody's paying attention, rather than waiting for crisis to force improvisation.
Conclusion: Three Futures
There are three plausible futures for cyber governance:
Future 1: Slow incremental improvement Governance tightens incrementally. Standards get stricter. Compliance requirements grow. The industry becomes more mature and professional. Incidents continue but decline slowly over decades. Cyber security improves, but so slowly that new threats emerge faster than defenses.
This is the default path if nothing forces reorganization. It probably continues for another decade or until a major incident forces change.
Future 2: Catastrophic crisis and reactive reorganization A major incident forces political pressure for rapid reorganization. Governance frameworks are implemented hastily, designed to address the specific crisis rather than the underlying problem. The new frameworks are imperfect and create new vulnerabilities while fixing others.
This is the nuclear path: crisis forces learning, but learning is incomplete and other crises occur decades later.
Future 3: Planned reorganization before crisis Organizations develop new governance frameworks now. These are deployed proactively, reducing the severity of future incidents and creating institutional structures that actually respond to threats at cyber speed.
This is the hardest path because it requires action during peacetime, without the political pressure that crisis provides. But it's the only path that might actually work.
We're currently on Future 1, drifting toward Future 2.
Future 3 would require governments to fund governance innovation now, organizations to adopt new frameworks before they're mandated, and a collective recognition that the current model is insufficient even if it hasn't yet visibly failed.
It would require treating cyber governance as an ongoing challenge that demands continuous attention and innovation, not something to be solved once and forgotten.
It would require accepting that cyber is fundamentally different from nuclear and requires fundamentally different governance.
Most of all, it would require starting now.
Because when the crisis comes—and it will come—all the pre-crisis planning won't eliminate the damage. It will only prevent the response from making things worse.
The question is whether we start preparing for that moment now, or wait for it to arrive and improvise in panic.
Based on current trends, the answer seems clear.
But that doesn't make the other path impossible.
It just makes it require more intention, more resources, and more political will than the default path of slow incremental tightening until crisis forces change.
Which is its own kind of governance failure: the failure to plan for what we know is coming.
Member discussion