- BlogInfoSec.com - https://www.bloginfosec.com -

“Infosec, You’re Doing a Heck of a Job!”

… to paraphrase President George W. Bush’s praise of “Brownie,” a.k.a. FEMA director Michael D. Brown, just before the flooding of New Orleans and one of the most damaging, and least-well handled catastrophes in US history – see my chapter on “Responsibilities and Liabilities with Respect to Catastrophes” in the Handbook of Research on Social and Organizational Liabilities in Information Security at www.igi-global.com/downloads/excerpts/8415.pdf.

I’m writing this column during RSA Conference week. No, I’m not at the conference. Nor have I ever been to an RSA Conference. I may well have been the only senior infosec executive who has never attended this conference. I just could never justify, in my own mind, the week or more that needs to be invested. In any event, my brain tends to saturate going into the second day of most conferences.

However, there is an aspect of these somewhat ostentatious celebrations of infosec grandeur that is both pretentious and sad at the same time. Here are the leaders of our field pontificating about the great things of which our profession is capable, while, at the same time, information security is in the worst state that it has ever been. Successful exploits are way up. Millions of computers have been taken over and fraud is rampant. Foreign groups have infiltrated government systems and our electrical grid, as reported on the front page of the April 8, 2009 issue of The Wall Street Journal. Also, just as the RSA attendees bask in their self-congratulatory glory and “fiddle while Rome is burning,” we learn (in an article on the front page of the April 21, 2009 issue of The Wall Street Journal) of another major breach. Computer spies, who have also infiltrated the Air Force air-traffic control system, stole terabytes of data about the Joint Strike Fighter project. The infosec New Orleans is already under water … the only questions are how high will the flood rise and how long will it take to crest?

By the way, have you wondered why it is The Wall Street Journal, of all news sources, which is getting all these scoops on cyber attacks and cyber espionage? I attribute it to the outstanding investigative reporting of Siobhan Gorman, who has appeared from relative obscurity to achieve front-page status in a matter of months.

Two keynote presentations at the 2009 RSA Conference were by very prominent government officials, laying out the current known state of cyber security affairs and what generally needs to be done to achieve an acceptable level of protection of our critical systems, networks and infrastructure. That alone is a telling statement of the condition that we are in. It points to a clear failure of the private sector to protect the more than 80 percent of the critical infrastructure that it is purported to own, and of the public sector to protect its even more critical 20 percent. As with the financial crisis, government can only go so far. The private sector has to step up to its responsibilities. If not, then government will just as surely step in and take control.

Even the spending of tens of billions of dollars on an updated CNCI (Comprehensive National Cyber Initiative) – see my January 13, 2009 column – may be a case of too little, too late. The call for tens of thousands of cyber warriors is commendable, but it takes a fair amount of time, running into years, to find and train suitable candidates.

What we need now are strong, decisive, immediate actions, even if they intrude on the convenience and ready access to which we have all become accustomed. The patient is in the ER … first stop the bleeding, then treat the cause, and then worry about whether the patient’s pillow is soft enough. Perhaps it is necessary to take a step back, reduce ubiquitous access, and disconnect critical systems from public networks, before some foreign adversary or terrorist group decides to pull the plug on our critical infrastructure altogether.