Right Sentiment, Right on Time
I'm not aware of anyone who doubts the commitment Melissa Hathaway has to the cyber security cause, and she does a nice job of hitting the highlights here: (h/t to Bob for posting the op-ed in its entirety, ahem, ODNI web site . . .)
[Cyber crime stories] such as that aren't only sobering news for consumers. For folks charged with securing and protecting the nation's defense and intelligence infrastructure, however, increasingly sophisticated cyber assaults are a chilling -- and increasingly familiar -- challenge.
The same devices that thieves use to sneak into bank accounts, the same techniques that hackers use to disrupt Internet service or alter a digital profile, are being used by foreign military and spy services to besiege information systems that are vital to our nation's defense.
The cyber security issue that garners the most attention in the news cycle tends to be data breaches (credit cards, ID theft and the like) but even today I bet you would be hard pressed to find someone who remembers what major retail chain is linked to the nation's largest loss of personal information; none of them would know that most of the identities in the British military are now up for grabs; and even if you stuck a gun to their heads they'd have no idea that the Bureau just got done pwning a bunch of online miscreants. This is a war we've been fighting here, there and everywhere for so long most people have forgotten about it.
The fact of the matter is that every 5-10 years, with sine-wave-like regularity, we go through this same drill of talking about the importance of cyber security and then doing very little practical about it. Having said that, it is important to note that the current administration is putting its money where its mouth is in a way that I don't believe any previous administration has, and if there is one thing people who work in this domain are chronically short of, it's cash.
Why? Because securing systems tends to impede the primary reason why people use such systems: to get things done. This is particularly true in the secrets business, where security concerns can mean that actually driving across town with a satchel full of paper is a better way to get information to a colleague than trying to email it to them.
The cyber security initiative, new information sharing and collaboration policies, and related changes all indicate a coordinated shift in the right direction, though whether the shift is tectonic or just a shimmy remains to be seen. While we see the right kind of changes in some parts of the government, in others we have increased focus on factors that complicate the security issue and potentially nullify any positive gains . . . and of course a flood of money can bring out the worst in people.
Some things Melissa didn't mention but that could prove useful to anyone driving this train:
If industry and government need to work together better (and they do) then we need to IPA the heck out of industry's best and brightest. There is no getting around the talent=cash calculus so if we're serious we need to ante up.
Deliver serious penalties for serious crimes. People are going to "pirate" movies and music (what, you never made a mix-tape?) and if they're egregious then punish them accordingly, but stop chasing kids and moms. At least domestically, send the message that screwing with networks can have serious repercussions, and the punishment will fit the crime. This does nothing for the international problem, but it does take one pot off the stove.
Don't overthink the solutions and drop the façade. Nation-states use non-state proxies to carry out their dirty work. It's true for terrorism, it's true for cyber crime/espionage. Everyone knows this but no one wants to go on record. It's the Wild West, it's high-seas piracy, and like terrorism, you fight this lot on their terms, not with an org chart.