Defining Success

Oct. 27, 2008

It was a beautiful fall day, and even the trip around the infamous DC Beltway felt like a vacation from the confines of the office. I was headed for the University of Maryland —a campus I remember well from my doctoral studies just over a decade ago. The conference center I sought is situated in a pastoral area on a rolling hill near the president's Georgian residence.

I had arrived early for my scheduled presentation. Not only would I be able to enjoy the complimentary lunch, I would also be able to catch the much-hyped luncheon speaker, an experienced private-sector leader of a cyber security research organization. He was slated to speak on recent Congressional testimony regarding potential nation-state-supported cyber espionage targeting sensitive U.S. government computer systems.

Having spoken on similar topics over the years, I was eager to hear how this savvy practitioner and researcher would frame the information and what analysis he would derive for the audience. Looking around the standing-room-only hall with expectant conference attendees at tightly-packed lunch tables, I envied his venue.

My colleague opened his presentation with a vaguely threatening and ominous tone. He stated that the entire information security dialogue in the government has been changed forever. He alluded to a dramatic shift of perception by our elected representatives instigated by an event of seismic import. Since I was well aware of the recent Congressional testimony, I was not surprised when he cited the case of the foreign system crackers, but I was bemused by his application of dramatic poetic license worthy of Edgar Alan Poe.

From there the speaker changed tack several times, first showing a canned set of slides about a completely unrelated attack first employed in 1999, then moving on to offer a pointed critique of existing government security programs. He transitioned to this attack by claiming both government and industry had failed in their security responsibilities. I waited for a qualifier or explanation that never came. He trotted out a list of policy and technology safeguards he denoted as woefully inadequate, including the requirement for certifying and accrediting computer and telecommunications systems to address security-relevant concerns.

As the speaker's pool of security practitioners and policy makers worthy of castigation continued to increase, it dawned on me that this was becoming a sales pitch. Sure enough, he eventually came to the hook. He felt only those experts who had hands-on experience with his attack-and-defend program merited respect. In order to be an effective IT security professional, he stated, you needed to be a trained counter-attack specialist. He went on to claim that our government's one and only research role was to fund programs to continually test perimeter defenses.

I did not have time to talk with my friends in the audience after the presentation, because I had to make my way to the room in which I was to speak. As I walked, I mused about the return of the FUD speech. The acronym stands for fear, uncertainty and doubt. Once that FUD factor is introduced, the speaker, like our luncheon guest, can spend the rest of his or her presentation with dire warnings of future attacks and demands for immediate action.

The presentation I was to give lacked the excitement and drama I had just witnessed. I had been asked by the conference organizers to provide a presentation on the subject of information sharing. This admittedly mundane topic has become a cottage industry around the Beltway in the last two years, with entire conferences and bureaucratic positions being created to address the issue. Information sharing is portrayed as the solution to everything from national intelligence failures to the inability of first responders to communicate quickly and easily. It doesn't rate as highly on the interest scale as foreign bands of hackers, but it certainly is a critical national issue.

After I began my presentation by defining the information sharing requirement, I asked the audience to give me ideas about the technological impediments that precluded us from effective information sharing. As each respondent raised a hand with a suggestion, I was able to show how the problem they suggested could easily be overcome with either a Web-based solution or a common database interface such as a software API like ODBC. It soon became obvious to most everyone in the room that open standards, commercial products and Web-based interfaces allowed nearly limitless opportunities for information sharing. As the question-and-answer session progressed, an attendee in the front row raised her hand.

“Excuse me, John,” she said. “You are answering the technical questions, but it appears that's really not the problem.”

“Very good,” I responded. “So what is the real problem?”

“If they just put everything up on a giant Web server, as you suggest, they would lose control of that information,” she said. “They wouldn't be able to control who got it and how it was used, even if they initially had strong access controls.”

“Precisely,” I congratulated her. “So the problem is not about the ability to share information, it's about the ability to manage it according to organizational policies. Now that we have identified the correct problem, how do we solve it?”

“I'm not sure,” she answered candidly, “but perhaps security consultants and vendors can come up with better ways to control information.”

Here was a person who decided to think beyond the obvious. It dawned on her that security is not solely the realm of attack-and-defend antics. There is another side to this coin. Security for our precious information resources is also about developing and implementing more effective and more granular ways to manage information wherever it is needed. Although we need to remain constantly vigilant to emerging threats and vulnerabilities in the dynamic world of technology risk, we also need to employ safeguards and controls to allow for better use of all the information we currently have available.

For all areas of security—including physical, personnel and disaster recovery—those with the most applicable, timely and accurate information will be best able to respond and effectively leverage resources for the protection of lives and property. Not only is protecting information from attackers critical, but so is our national ability to make it available to those making life-and-death decisions. Only by developing and implementing new security technologies that provide more granular control of information resources will we be able to continue to meet this ongoing challenge.

There will always be media coverage and open podiums for those with scary stories. One need only pick up today's newspaper to see the innumerable articles on everything from global warming to avian flu. In my world, hacker attacks usually garner the place of honor above the fold. Those who focus on attack-and-defend scenarios always have the best stories. However, the hard work of deploying and managing information resources to protect lives and property may be our biggest challenge and the hardest work yet to be accomplished.

John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].