Shostack + Friends Blog


What are we going to do: CO2 edition

What happened when Microsoft tried to buy climate abatements

There's a fascinating article in Nature, Microsoft’s million-tonne CO2-removal purchase — lessons for net zero. It's an analysis of the 154 bids the company received to remove carbon emissions, and the short form is that almost none of them met Microsoft's criteria. That's interesting in and of itself as we think about climate change. They point out that pests, fire, and other threats limit the estimated lifetime of forest-, soil-, and ocean-based storage to roughly 100 years. (Part of me wishes the figure was log scale, but perhaps that's short-term thinking, and it just doesn't matter that much.)

The paper is fascinating in and of itself, and I want to use it as a chance to talk about the question 'what are we going to do about it?' as we ask it in threat modeling.

What the authors are doing is saying that many proposed mitigations don't meet their criteria of long-term storage, confidence in the technology, and others. Expressing criteria like this helps us align thinking about mitigations or risk management techniques across an organization much more than a CVSS score does. They allow decision makers to express their preferences and weights. Nominally, the CVSS component scores might allow you to do this, and it would not surprise me if Microsoft had internal weights expressed, but the focus is not on those weights, but on the higher-level issues.

Some of the criteria we might consider in a complex mitigation of a cybersecurity issue include cost to implement, ease of bypass, usability or other side effects, and "unusual" circumstances like "I dropped my phone in the ocean" or being abused by an intimate partner. I don't think my list is complete, but I'm curious what other people's lists are.