If you aren’t yet convinced that IT security – or what our friends in the government space simply refer to as “cyber” – is becoming a mainstream political issue, you can rest assured that indeed it has.
It’s not every day, after all, that you see the U.S. President putting his name on an op-ed in the WSJ, and to see one in there this morning regarding cyber was pretty remarkable.
Security has grown into a mainstream issue for the pols, over the last year or so, with a string of high profile incidents including the Wikileaks activities, Anonymous hacking campaigns, and most recently the StuxNet/Flame/Mahdi cyber-war revelations.
I find what Obama had to say in the piece somewhat encouraging. The President’s editorial deals with a vital national issue and the corresponding Congressional initiatives are timely.
Public studies (such as the Verizon DBIR) show that network breaches are common, and that most of these breaches are the result of simple or at most intermediate defensive gaps. That is, it does not take highly sophisticated cyber weapons to attack typical commercial and critical IT infrastructure today.
As the President and Congress consider ways to improve our collective defensive posture, it is vitally important to understand why so many easy defects exist. The root cause is complexity. Our IT infrastructure, for national critical assets and equally for our commercial infrastructure, has grown vastly more complex over the last two decades.
Networks are more interconnected, more complicated, and more critical than ever before. This complexity defeats old protection mechanisms based on human effort and diligence. We can no longer understand all the interconnections of these systems. We need new tools to solve this new problem.
Automation of defensive analysis is the only way forward – we have to use computers to simulate attacks before they happen, so that we can identify the weak points. These weak points are often simple – a detail overlooked in one corner, creating easy access for an attacker. Even the simple details get missed, though, when we send people to review all the details of the vast and complex infrastructure.
We need automated “chess computers” able to assess, understand and prioritize our defensive weaknesses. If we miss this point, any new legislation is likely to generate mountains of paperwork, driven from checklists that don’t test the right issues, and filled in by people who can’t solve the underlying problem. We need continuous monitoring of all the controls we have in place to ensure that they don’t fall out of alignment driven by change, as the White House OMB has ordered all federal agencies to employ before the end of this year, and as spelled out in FISMA 2.0.
Will Obama’s editorial create some new momentum around the issue on Capitol Hill? Only time will tell. I do find it encouraging thinking that among the debates we’ll be seeing during the election season, cyber-security may surface as a significant issue, and that whoever is president after the elections will indeed take more aggressive action in responding to the current conditions.
At least that’s my vote.