Cyber Security in the United States

False roadblocks:

  • Are we preparing for cyber warfare, or
  • are we preparing for cyber terrorism, or
  • are we fighting cyber crime?

Crime. We are fighting cyber crime. Or it may be simply unwanted and undesirable activity, since enacting laws is normally a slow process. That is, pernicious or malicious activity is not necessarily illegal and criminal activity. Calling it a form of terrorism or a form of warfare shows a lack of respect for war and terrorism. Calling it terrorism or warfare employs hyperbole to create a sense of urgency. Even worse, calling it terrorism or warfare implies that central coordination, probably a central government initiative, is required to address the problem.

Calling it terrorism or warfare speaks to the motives of the activity. Understanding motives is important when prioritizing and predicting attacks. Prioritization and prediction are subsets of the defense problem. You can proceed directly to a “defend against” solution while leaving the “motivation for” question undetermined.

Lock your doors. Take your keys. Assume responsibility for your own house.

False roadblocks:

  • Where do we start?
  • Who is in charge?
  • What happens next?

Start with what you do best. Don’t wait to be told what to do. Don’t wait for a crisis. Don’t wait for a government agency to tell you what you have to do. Don’t wait for an industry consortium, such as the payment card industry, to tell you what minimum precautions you must take. Government agencies and industry consortia do not write the practices; they read the practices, such as ISO 27001. Practices are already written. Government agencies and industry consortia pick their deliverables from the practices. Government agencies and industry consortia take action only after problems have occurred, and even then only when problems are on public display.

It takes a disaster to move regulations.

The need for defense precedes the compliance measures; the compliance measures do not create the need. For example, “PCI Compliance” exists as an effort to address a lax state of credit card protection.

Patrol your own attack surfaces and improve your own defenses. Government agencies are slow to respond to detected threats (see Fighting Back and Business Continuity). You are not subject to their encumbrances. You can shun suspicious activity. You need not wait for someone else to confirm that the suspicious activity is malicious or unlawful. You need not wait for someone else to shut down suspicious activity. You can view your log files, filter out suspicious traffic, and blacklist (URL filter) destinations. Don’t wait to be a victim and then blame the government for not protecting you.
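The paragraph above says you can read your own logs, filter suspicious traffic and block it without waiting for anyone's permission. The following script is an added example written for this page, not code from the author: it parses a handful of constructed Apache common-format access-log lines, flags any source that produces a burst of 4xx errors (the fingerprint of someone probing for files that are not there), and renders the result as nftables-style drop rules as text. The log lines, the 60-second window and the four-error threshold are all assumptions chosen for illustration; nothing is applied to a live firewall.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache "common" format.
# These are invented for the example and use documentation-only IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1280
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "GET /.env HTTP/1.1" 404 512
198.51.100.23 - - [10/Oct/2023:13:55:43 +0000] "GET /admin/ HTTP/1.1" 403 512
198.51.100.23 - - [10/Oct/2023:13:55:44 +0000] "GET /backup.zip HTTP/1.1" 404 512
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2326
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /missing.html HTTP/1.1" 404 512
"""

# One regex for the common log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Parse log text into a list of dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def suspicious_sources(entries, window_seconds=60, error_threshold=4):
    """Return {ip: peak_error_count} for every source that produced at least
    error_threshold 4xx responses inside any window_seconds-long sliding window.
    The window and threshold are assumed values; tune them to your own traffic."""
    by_ip = defaultdict(list)
    for e in entries:
        if 400 <= e["status"] < 500:
            by_ip[e["ip"]].append(e["ts"])

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= error_threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def blocklist_rules(flagged):
    """Render flagged sources as nftables-style rule bodies (text only; never applied here)."""
    return [f"ip saddr {ip} drop" for ip in sorted(flagged)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    flagged = suspicious_sources(entries)
    for ip, count in sorted(flagged.items()):
        print(f"{ip}: {count} client errors within one window")
    for rule in blocklist_rules(flagged):
        print(rule)
```

On the constructed input only 198.51.100.23 is flagged: five probes for common admin and backup paths in five seconds, every one answered with a 4xx. The single 404 from 192.0.2.9 stays below the threshold, which is the point of using a burst count rather than a single error. Review the rules before loading them, since an internal scanner or a misconfigured monitor produces the same pattern.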

The Einstein project, authorized under the still-classified portions of the Bush Administration’s Comprehensive National Cybersecurity Initiative (CNCI), is a plan to deploy intrusion detection sensors (IDS) at all of the government’s Internet gateways. Sensors are good; analysis without sensors is difficult. Sensors without analysis are waste.

One Response to Cyber Security in the United States

  1. Thanks for citing ‘The Slow Road to Cyber Security’ Podcast / Audio Documentary