How Best Practices Put IT at Risk
Getting Gov't to Share with Industry Its Intel Know-How
One of the sobering points made in the paper issued this past week by the Intelligence and National Security Alliance is that some of IT's best practices put organizations' information systems at risk from hackers, especially those who want to cause significant harm.
As the paper points out, the software architecture most organizations employ is intricately complex yet relatively inexpensive, resulting in economies of scale. That's good for businesses' and governments' coffers, but not necessarily for protection. As the report states:
"Part of the cost of using a cookie cutter computing platform has been to give attackers the blueprints to our infrastructure. These blueprints, combined with the complexity of the infrastructure that gives them a place to hide, are all they need."
Longtime intelligence practitioner Terry Roberts edited the study, and she told me why securing assets in the virtual world presents a greater challenge than providing similar security in the real world:
"If they (our adversaries) wanted a new missile system, it took five to 10 years to develop that missile system, and we had plenty of time to collect information about what they were developing. We could go to air shows; we could go to open forums; we could develop a perspective on what they have."
Not so in cyberspace, where tracking those who would do us harm is done in real time, says Roberts, who chairs INSA's cyber council, adding:
"What it means is that you need a cyber intelligence discipline tracking all of those technologies and looking at how they're being used in the .com realm so that you can profile some of these threat vectors, so you can talk about what that means to all of us, whether you're an industry or government. It's having a more comprehensive and methodical approach to what capabilities hackers have."
A main point of the study, Cyber Intelligence: Setting the Landscape for an Emerging Discipline, is that much of the expertise to track our digital adversaries exists within the federal government's 17 intelligence agencies, and that the know-how in the classified arena must be shared with industry to protect its sensitive, though not classified, digital assets (see A New Approach to IT Security).
Feds' Commitment to Info Sharing
At a House Financial Services Committee hearing on Wednesday, the top cybersecurity official at the Department of Homeland Security testified that the government is working to share its knowledge with industry through new, collaborative programs.
Greg Schaffer, acting deputy undersecretary of DHS's National Protection and Programs Directorate, briefed lawmakers about six initiatives underway with the aim of securing IT in the .com realm. And more is to come. Schaffer said DHS plans to launch later this year the critical infrastructure Cybersecurity Information Sharing and Collaboration, which seeks to create a secure online collaboration portal where organizations can provide accurate, timely and thorough information about current, emerging and evolving threats posed to critical infrastructure networks. The portal will have the capability to process protected critical infrastructure information while offering timely and actionable analysis and mitigation products for critical infrastructure participants based on stakeholder contributions and unclassified government reporting.
Schaffer said the mission to reduce the cyber risks posed to critical systems is a national endeavor, requiring broad collaboration:
"Robust public-private approaches to cybersecurity are essential to ensuring that government, business and the public can continue to use the critical services on which they depend. DHS is committed to working with its partners to create a safe, secure and resilient cyber environment that supports the banking and finance sector and fosters national economic prosperity."
It's good that the government buys into this public-private sector partnership, yet more needs to be done. Barriers to the partnership might be found in parts of industry, where sharing corporate information - even for the benefit of making IT more secure for all - goes against many corporate chieftains' instincts to keep information about their organizations close to their vests.