No Technology Can Replace Wetware

A lot of malicious activity succeeds because it first exploits a human being, and then technology. This isn’t a call to burn your security tools, but a reminder that – to paraphrase Smokey the Bear –  people are the first line of defense against cyber threats. How important is training your people and getting them involved in your defense? I can think of $26B reasons why you should make it a priority.

 

Everything Breaks, Eventually

An old adage oft repeated by my cryptologic school instructors was that ‘what one can create, another can break.’ It was their go-to phrase when we were stuck up against a hard problem that didn’t appear to have a solution. It forced us to look at other angles and use different methodologies to achieve our goal. Just because a thing is hard to break doesn’t mean it’s unbreakable. This is not a dig on any given technology or manufacturer, only a lesson we should all keep in mind: how secure a thing is, is really a matter of time.

 

Network Problems Cannot be Solved With Warm Bodies

The idea that USCIS is going to catch the next evil-doer by setting up fake accounts and mining social media of aspiring citizens and visitors would be laughable if it were not so classic government. Algorithms put people and ideas in your stream or timeline; algorithms are better suited to combat the issue at that level. A clear and unambiguous set of rules and standards that humans can enforce when the algorithms come up short is also required, but algorithms first because the scale of these things far outstrips Uncle Sam’s ability to hire.

 

Stop Recruiting (and Promoting the Need for)  “Hackers”

We literally do not need more people learning how to break into systems. This is a solved problem for which there is no shortage of resources. Improving the state of cybersecurity in this world requires people with a much more diverse set of skills. Working knowledge of how things are broken is sufficient for the vast majority of this work; knowing how to mitigate – both at technical, organizational, and individual levels – is far and away more important. But of course, where is the glamor in that?

 

“Cyber” Not Essential for Success

Hong Kong, if you’ve not been paying attention to the news lately, has been something of a kerfuffle. The other day the Chinese government decided to strike back in a virtual sense, though it’s not clear that it had the result they were looking for. The full scope of how and why the HK protesters are succeeding is beyond the scope of a single post, but this item should serve as a reminder that if you do it right, the cybers need only be an adjunct to your effort, not the backbone of it.

 

What Gets Measured Gets Managed (Poorly)

Security is not a numbers game. Well, it is, but you need to make sure you’re paying attention to the right numbers. Security metrics are a notoriously difficult nut to crack, but doing it wrong because it’s easier to get the top-level buy-in you need is almost worse than measuring nothing. It is (yet another?) an indication that yours is a culture of compliance, not security, which isn’t the worst thing in the world, but it isn’t going to end well.

 

Leading by Example

Yes, the government should be setting the example about how to run an effective cybersecurity program. It is in the government, after all, where you can truly compel people to follow rules, and demark clear and unambiguous lines about acceptable behavior. Would that any government agency’s IT enterprise be so neat and tidy, and federal employees, well, immune from the same human nature that leads to compromises in the civilian world. The government can and does do a good job of defining a baseline, but except in extreme circumstances there is no adverse action taken against those who aren’t compliant.

 

Attacking Legitimacy (Part 739)

We are governed by our consent. We receive benefits In exchange for adherence to certain norms and behaviors, and generally speaking it all works out pretty well. Until the means to govern is taken away, or in this case long-held promises are unable to be kept. Some consider my stance on this an extreme one – a “movie plot threat” – but how long would you be willing to hold out if your government didn’t hold up it’s end of the deal?

 

This is Not a Game

In case you were curious about the nature of those you are up against, it’s helpful to remember that by and large, they are professionals. They have similar, if opposing, goals as their victims. You ignore the fact that you are dealing with people who are just as serious about their business as you are of yours at your peril.