Strategy, Not Knee-Jerk

Today a lawmaker who was briefed on the breach of employee data at the US Office of Personnel Management (OPM) leaked that the incident is far worse than originally reported. Not 4 million but perhaps as many as 14 million records of federal employees, past and present, are in the hands of the bad people. Very disturbing. http://bloom.bg/1Fc8EMx

These record sets are what is known as “fullz” in hacker lingo: full sets of information. Names, addresses, phone numbers, Social Security numbers, pay, health records, military service records, and – most damaging – security clearances. Think of the opportunities. Think of the damage. Think of the outrage from the victims that their very safety and personal property have been exposed.

Plus it may have come from China.

But what bothers me most is the knee-jerk reaction from the Congressional hawks. They want a response. They want to declare war. They want to go to the alleged perps’ servers and destroy data. John McCain is almost shouting for a “preemptive strike.”

It’s another example of governmental leaders making quick decisions without thinking through the implications or consequences. Cyberwar is nothing trivial. Not only could it unleash a storm of “weaponized code” – as my clients in the information security world call it – but the retaliation may not come only from a few state sources like China or North Korea. The entire hacking community could get involved. That’s a lot of enemies. The implications are chilling.

McCain spoke about the ability of foreign actors to shut down the US power grid. If the US declares cyberwar we can probably expect exactly that type of action in return. The hawks will have guaranteed it. Too often the government takes action without thinking through the unintended consequences.

Stuxnet, the malware built to sabotage the centrifuges in Iran’s uranium enrichment program, escaped its intended target, was captured and reverse engineered by researchers around the world, and variants built on its techniques were later found on US systems.

Let’s not forget that the Snowden incident was a game-changer. One person was able to create an entirely different perception of government collection of data on upstanding citizens. He revealed the capabilities of the NSA and US Cyber Command. Cybersecurity is an area where one person can create significant damage.

It is never good strategy to reveal your thinking to your enemy. “What’s wrong with you, Santino? Never let someone outside of the Family know what you’re thinking.” Is it really a good idea to rattle sabers if you don’t have a prepared strategy to back it up? We can almost guarantee that one does not exist.

The smart way to approach this problem is with a two-pronged effort. One prong is the enactment of US law, and ratification of international agreements, that provide severe penalties for these actions. That’s what McCain should be backing and initiating, given his history of taking brave political initiative. The other prong should be a robust but clandestine plan to penetrate, invade, and creatively disable enemies, and to deal with as many of the resulting contingencies as possible.

Technology Trends from the Trenches of Enterprise IT

I’ve moderated and presented the closing keynote at the largest global gathering of information security professionals for the past two years. It gives me insight into what they see as emerging technologies, issues, and dangers.

This is an unusual conference. A task force guided the producers to stage a three-day global meeting that departs from the typical talking heads and death by PowerPoint. Incisive interviews, extremely well-moderated panels, and audience interaction are the norm. This year there was an especially intriguing hands-on session co-led by IDEO and Deloitte on how to provide the right space for innovation within organizations.

In 2011 the huge buzzword was “Cloud.” It was so pronounced that by the third day we were joking about avoiding the “c-word.” This year the cloud was taken as a matter of fact, a reality that all executives (CIOs, CISOs, VP-level information security types, and consultants) take in stride and provide for in their information security tactics. Here are some other salient tech trends from the conference:

  • SaaS – “software as a service,” delivered through the cloud, is now reality in many organizations. Google’s penetration of large enterprises with Google Docs, and sales departments’ adoption of Salesforce without IT’s involvement, are both examples.

  • BYOD – lots of acronyms, right? “Bring your own device.” Workers want to use their personal technology-du-jour on the job. That means organizations can no longer mandate BlackBerrys; they have to accommodate iPhones, Androids, and the various tablets as devices that access sensitive company information.

  • Big Data – this has been around in various forms, most often under the name “data mining,” for well over a decade. But now there are accessible, pragmatic tools that allow organizations to probe their mountains of data for patterns, opportunities, and profit generation.

Six years ago, on the eve of the Great Recession, a financial services CEO criticized me bitterly for engaging her board in scenarios that forecast the possibility of individualized customer experiences or products. Today large financial institutions can use Hadoop to gather that information and do exactly what I posed as a possibility. That exec, incidentally, no longer heads that organization.