As we close out one year and begin another, let's look at a handful of the 100-plus blogs I had written in 2011 to identify themes in information security over the past 12 months. Here are five of them that should resonate in 2012: Breaches, responsibility, trust, cyberwar and risk.
RSA, Sony, Digitnotar, TRICARE, the Pentagon ... The list goes on as it seems every new day brings a new IT security breach. But not all breaches are created equally.
In The Gore Score: Are Hacks Being Overhyped? Erez Liebermann, chief of the computer hacking and intellectual property unit for the U.S. attorney's New Jersey district, suggested the significance of some breaches - not necessarily the ones listed above - is being blown out of proportion, such as attacks instituted by hacktivists that cause inconvenience to those whose identities are compromised but cause relatively little damage to government and corporate IT systems. "These data breaches are more like shoplifting nowadays; they are run of the mill; they happen all of the time," Liebermann said. "And, if companies start to report them more often, they wouldn't make any news, frankly, because shoplifting and bank robberies barely make news."
Yet, the publicity surrounding these cyber incidents make the public more aware of vulnerabilities to IT and encourages businesses and individuals to adopt safe cyber hygiene. As we learned in Silver Lining Behind the Rash of Breaches, public awareness of the Internet's security dangers has spiked. Awareness doesn't equate pain, and many people must feel pain before they act. "Unfortunately, a lot of people read about things happening, and don't think it will happen to them," said Patricia Titus, chief information security officer at Unisys, which published a survey showing the increase in awareness. "Are people going to hold their breath and wait and see what happens, or are they going to proactively to and take action?"
Who bears responsibility for damage caused by a cyber disruption? The attacker, obviously, though cyber assailants often can't be identified. Shouldn't user organizations accept responsibility for not adequately protecting their digital assets?
Though not a cyberattack, the failure of Research In Motion's BlackBerry messaging network in October meant millions of corporate e-mail messages didn't get through, causing real harm to some businesses. In BlackBerry Slowdown: Heads Should Roll, cyber lawyer Francoise Gilbert said end-user organizations should have a business continuity plan in place to deal with such situations, and if not, people should be dismissed. "Companies that do not have a disaster recovery plan in place ... should fire whoever is in charge of information systems. If none exists, then the CFO and the CEO should be fired for not having allocated money for a disaster recovery plan. Not having a disaster recovery plan is irresponsible. It is like being on a ship that does not have lifeboats and lifejackets."
Gilbert's comments drew the ire of some readers. "No one in their right mind is going to invest millions of dollars in a redundant communication system so their employees can BBM and whatsapp (messaging services)," one reader wrote. "It's not the CEO's fault or anybody else's for the BB rubbish dying in a company's communication set up."
Still, these types of cyber events serve as wakeup calls for non-IT executives - CEOs, CFOs, departmental and agency heads - who control the purse strings. In Scared Straight, New York State Cybersecurity Director Tom Smith said: "There's a clear understanding that they want to address those risks before they're the ones who have the breach that is discussed in the news." Even in tough economic times, money is being found to fund IT security projects, at least more so than for other initiatives.
One of the tenets of IT security is trust, a trait that keeps being tested. An example of trust - or lack thereof - was addressed in Who Do You Trust? Part 2, which discussed a so-called man-in-the middle attack employing a fraudulent SSL certificate supposedly issued to Google by a small Dutch company DigiNotor. "It's likely the government of Iran is using these techniques to monitor local dissidents," F-Secure Chief Research Officer Mikko Hyppopen wrote in a blog. How does aging certificate technology endanger trust? Simply, if a government such as Iran's can control Internet routing, it could reroute Gmail traffic within its borders, and read users' e-mail messages. "Even most geeks wouldn't notice this was going on," Hyppopen said.
Trust also is essential for the Internet to function as a global communications medium that's key to international commerce. Chris Painter knows that's a major barrier the United States must clear to facilitate international consensus on cybersecurity. "We try to build a consensus around these norms of behavior, these norms of state actions that build more confidence around this area," Painter, the State Department's cyber coordinator, is quoted in a May blog entitled Creating Trust Out of Norms of Behavior.
Cyberwar. It's a term often used, but not fully understood. The concept whether cyberwar can exist was explored in Cyberwar: Reality or Exaggeration. Many experts contend that cyberwar exists only in the context of a kinetic war. But did Stuxnet change that? The computer worm launched against Iran disrupted its nuclear weapons program, with Israel suspected as being the aggressor. "If Stuxnet was indeed created by a state and if it's target was Iran's uranium-enrichment capability, then it was as much a weapon of war as a cruise missile or drone," said Surviving Cyberwar author Richard Stiennon, who earlier had embraced the kinetic-warfare-linked theory. "Most would agree that a kinetic attack using cruise missiles, smart bombs or a nuclear warhead against another country's means of producing weapons is an act of war. Using carefully engineered software to accomplish the same thing would fall under the same definition."
Cyberattack also is a term overused and often misused, as Jim Lewis pointed out in Exploiting the Term Cyberattack. "This is wrong on so many levels that it almost defies analysis," Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies wrote in an article posted on the CSIS website. "A more precise accounting would show that there have been no cyberwars and perhaps two or three cyberattacks since the Internet first appeared.
"A better way to identify an attack is to rely on 'equivalence,' where we judge whether a cyberexploit is an attack by asking if it led to physical damage or casualties. No damage, no casualties, means no attack."
The entry, Saying No to Government Auditors, suggests that agencies needn't always comply with recommendations made by government auditors. It's not that the auditors' suggestions aren't valid, they usually are. But it's the departmental or agency chief information officer or CISO who must weigh the risks, and decide how best to spend limited dollars to shore up IT systems and data.
"Resources are increasingly constrained and it is unlikely that our cybersecurity program will receive the additional resources as anticipated in our earlier planning," Transportation CIO Nitin Pradhan said in explaining why the Department of Transportation wouldn't necessarily comply with all of the inspector general's recommendations. "It is neither realistic nor plausible to commit to addressing all of the issues described in the (inspector general) draft report in a single year. ... It is imperative that we focus our constrained resources on the highest priority actions."
The IG's recommendations in its annual Federal Information Security Management Act review are merely one set of approaches to take. By employing an information risk management framework, Pradhan and other government IT leaders can decide how best to provide information security.
Isn't that the way it should be today and in the coming year?