Change and Hope for INFOSEC
D/DNI Don Kerr preps the political and intelligence battlespace for another term of the same old song and dance:
"I have a deep concern . . . that the intelligence community has still not properly aligned its response to what I would call this period of amazing innovation -- the 'technological Wild West' -- by grasping the full range of opportunities and threats that technology provides to us," …
"Major losses of information and value for our government programs typically aren't from spies . . . In fact, one of the great concerns I have is that so much of the new capabilities that we're all going to depend on aren't any longer developed in government labs under government contract."
The inability of seniors to truly grasp the scope and scale of related issues, much less come up with (and see through) an effective plan of attack is highlighted about every five years (with a major effort surfacing every 10). Most of these ideas have been tried and found wanting – or what fruits they did bear were allowed to fall to the ground and rot.
It would help if info-based missions didn't get short shrift, but no info-age mission seems able to withstand the power of industrial-age thinking and operation. There is always some 30-year tank-counter with seniority to squash anything sufficiently useful.
Cashing the 'collaboration' and 'sharing' checks that policy writes but operations fails to honor is the next most meaningful step to take. My most meaningful exchanges were clandestine affairs between like-minded partners in sister agencies; had we let management in on what we were doing we'd all have been chained to our desks. Word from the inside is that little on that front has changed, so some real muscle behind policy is essential.
There is also a very fundamental problem associated with the gov't taking an equity stake in commercial concerns; namely the fact that industry and governmental goals don't mesh well. In the former security has to be good-enough to allow business to happen; in the latter security is paramount and if it hinders operations then so be it. The idea that federal best-practices imposed upon pretty much any business model would work is difficult to swallow.
Besides, popping a box in a company that lives and dies by its IP takes serious work; all it takes to bust into NIPR (and then sneaker-net into higher networks) is a sufficiently humorous viral video, or a well-crafted (in a social engineering context) email. This is not a ding against COMPUSEC/INFOSEC folks; it speaks to policy enforcement and management outlook. You can get away with a lot more misuse and abuse online than you could in meat-space (hold open a security gate for your un-cleared pals to walk through so you can go have lunch in the cafeteria and see what happens). Noah exposed the world to the CI posters most current and former practitioners are familiar with; where is the corresponding poster for INFOSEC violators?

Some suggestions for whomever rides into power tomorrow night:
- Get the DICE Man or a reasonable facsimile thereof in front of every industry forum/conference/seminar. Communicate both horror stories and successes and stop with the hand-waving and vagueness. Industry can handle the (sanitized) truth and would reward genuine sharing on the government's part.
- Radically expand gov't-industry partnerships. Used to be a special, rare thing for an intel officer to get to spend a year in industry; you should be rotating the entire (functionally appropriate) workforce in-and-out to partner companies every 4-5 years. The first-hand knowledge and new ideas gained is worth more in the long run than any short-term staffing pain up front.
- Hold people accountable, and publicly so. If you want people to take information security as seriously as they do any other aspect of security then you need to rap some knuckles (or worse), and everyone needs to know about it; otherwise the attitude that bad behavior on a computer is of no consequence will lead you down a path towards a spectacular failure.
Solutions to most of the problems that continue to plague us in this area were generated in the aftermath of a major event several years ago. Of course the attitude that "compromise = shame" ruled the day and only about 20 people actually know how the nerds came up with a plan to save the virtual world (or at least make it easier to do so). The real shame here is that we continue to stand athwart the digital security divide . . . and do next to nothing.