
US Power Grid Vulnerabilities: ‘It’s too risky’ is too risky!

CAUTION: RANT ALERT

On Wednesday, November 19, Admiral Michael Walters, the head of the NSA made a very disturbing announcement.

He said that China and one or two other countries have the capability to launch a cyber attack that could successfully shut down parts of the US power grid.

He also told a hearing of the House Intelligence Committee that US adversaries are currently performing “reconnaissance” regularly in order to be in a position to attack a wide variety of industries that rely on Supervisory Control And Data Acquisition (SCADA) technology.

SCADA is used to manage and monitor remote equipment. The power grid, water treatment plants, and chemical facilities are just a few examples of industries that rely on SCADA technology. A sobering thought, indeed.

Is our technology really so bad that we don’t seem to be able to notice in a reasonable amount of time — much less prevent — adversaries from mounting successful attacks against our systems?

NO! This is not a technology problem.

So what’s the real problem behind this sorry state of security — not just in the industrial sector, but across broad swaths of the entire economy?

The Culprit

I sincerely believe that the culprit is a corporate culture propagated by IT and senior management that continues to prioritize availability and up-time above all else, while failing to understand the fundamentals of security.

Time and again this culture leads IT to think in the short term and make statements to senior management like “Remember that project to improve security that our auditors are making us do. Yeah. That is going to be too risky, cost too much, and/or negatively impact the productivity of the entire company.”

Senior management, believing that information security is purely a technical issue, tends to accept these pronouncements at face value. It’s as if they assume they need a technical background in order to make a business decision about security. So they leave the business decision up to the folks who have the technical background, but are not considering the true business risks.

Worse yet, the internet has led to a widespread interconnectedness of businesses. Therefore, a business partner’s ignorance of information security management can impact your organization even if you have a robust information security management process, as evidenced by the Target breach about one year ago.

The “it’s too risky” argument wouldn’t be nearly as frustrating if it were based in fact. In my experience it is nearly always based in ignorance:

Ignorance and lack of an explicit information security management process driven by the highest levels in the organization — as evidenced by the lack of formal security policies.

Ignorance of the basic information required to use readily-available security mechanisms efficiently, effectively, and appropriately — as evidenced by the widespread practice of letting all (or nearly all) users on the system directly access all (or nearly all) data.

Ignorance of the mechanisms and tools available (or of how to use them appropriately) to allow users authority to applications without giving them direct authority to the data manipulated by those applications.

Ignorance of the real and present threats facing all organizations today — as evidenced by statements such as “We’re a close-knit company,” “We trust our employees,” and “We haven’t fired anyone in 20 years. No employees want to harm us.”

Ignorance of the fact that if you don’t prevent your own employees from accessing data for which they have no business need, it is highly unlikely that you can prevent non-employees from accessing the same data.
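A concrete instance of the application-mediated authority described above (users authorized to a routine, the routine alone authorized to the data), written here as an added example in PostgreSQL syntax; it is not code from the original post, and the role, schema, table and function names are constructed:

```sql
-- Constructed example (PostgreSQL syntax): the weak setting the post describes,
-- followed by the corrected setting in which only an application routine
-- holds authority to the data.

-- Weak setting: every user can read and change payroll data directly.
GRANT SELECT, UPDATE ON payroll_schema.payroll TO PUBLIC;

-- Corrected setting.
-- 1. Remove the direct grant; only the table owner (payroll_owner) keeps access.
REVOKE ALL ON payroll_schema.payroll FROM PUBLIC;

-- 2. The application routine runs with its owner's authority (SECURITY DEFINER),
--    so callers never need a grant on the table itself. search_path is pinned
--    so the routine cannot be redirected to a look-alike object of the same name.
CREATE OR REPLACE FUNCTION payroll_schema.adjust_salary(emp_id integer, new_salary numeric)
RETURNS void
LANGUAGE sql
SECURITY DEFINER
SET search_path = payroll_schema, pg_temp
AS $$
    UPDATE payroll_schema.payroll
       SET salary = new_salary
     WHERE employee_id = emp_id;
$$;
ALTER FUNCTION payroll_schema.adjust_salary(integer, numeric) OWNER TO payroll_owner;

-- 3. PostgreSQL grants EXECUTE on a new function to PUBLIC by default; revoke it,
--    then grant it only to the role with a business need (the "exception-friendly"
--    process decides who joins that role, and the audit trail records why).
REVOKE EXECUTE ON FUNCTION payroll_schema.adjust_salary(integer, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION payroll_schema.adjust_salary(integer, numeric) TO hr_clerks;

-- 4. Audit check (the "enforced and measured" attribute): confirm hr_clerks
--    holds EXECUTE on the routine and no privilege at all on the table.
SELECT has_function_privilege('hr_clerks',
           'payroll_schema.adjust_salary(integer, numeric)', 'EXECUTE') AS can_run_app,
       has_table_privilege('hr_clerks', 'payroll_schema.payroll', 'SELECT') AS can_read_data,
       has_table_privilege('hr_clerks', 'payroll_schema.payroll', 'UPDATE') AS can_change_data;
```

The same pattern is what IBM i calls adopted authority; the point in every dialect is that the direct data grant to the whole user population is the part that has to go.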

Why do we allow ignorance to drive critical security decisions regarding our power grid OR our businesses?

What Can We Do?

Trying to be an optimist, I’m really hoping that the latest revelations will get senior management to start thinking about risk differently – that it might be too risky to accept “it’s too risky” as an argument not to improve security!

Let me be clear, I’m not suggesting that companies accept large amounts of risk in order to improve security. I’m advocating that companies stop blindly accepting claims of “too much risk” and/or cost that are based on misperceptions, misunderstanding, and ignorance.

The first and most important step for senior management to take is to define, implement, drive, and champion a rigorous information security management business process with the following attributes:

  • Visible
    Across the entire organization – not just IT
  • Inclusive
    Accepts input from the entire organization regarding requirements, communication, problems, and suggestions
  • Comprehensive
    Considers company requirements, state and federal laws, industry standards, government regulations, and the current threat environment which may affect company security policies.
  • Documented
    Produces a written (hardcopy and/or electronic) set of security policies that defines employee roles, business assets, and acceptable/unacceptable interaction between them.
  • Sanity-checked
    Ensures that security policies are periodically audited and compared against requirements, laws, standards, regulations, and best practices, making changes as necessary.
  • Enforced and measured
    Ensures through periodic internal and external audits that security mechanisms and products are being used effectively and efficiently to accurately enforce appropriate security policies.
  • Exception-friendly
    Defines a process whereby management is made aware of and approves or disapproves requests to bypass security policies in special situations where following them would be unduly burdensome.  The process needs to include an audit trail that shows who made the request, for what reasons, and who approved the request.
  • Repeatable
    At least annually, review company requirements, external factors, as well as existing security policies to identify the need for new or changed security policies.

A process with these attributes allows senior management to make informed business decisions about information security.  They will have access to much more accurate information about both the cost of the risk as well as the cost of mitigating that risk.  If the argument is primarily technical in nature – for example, it is too complex to enforce policy xyz – management can turn to outside technical experts for advice and ideas about more efficient ways of enforcing the policy. They’ll have access to all of the data they need to perform a formal risk analysis.

Some might believe that I am unfairly negative about the roles currently being played by senior and IT management.  I would point out that I have explicitly used the term “ignorance” and not stupidity.  I don’t think these folks are incapable of understanding and effectively performing their roles in the information security management process. I believe they are literally unaware of the information security management business process and its inputs and outputs.  I also believe that until this ignorance is addressed, no technology can significantly improve the current state of information security.

Please do your part! Listen for the “It’s too risky” argument related to information security projects. If you hear it, contact me for a reality check!

This entry was posted in Compliance, IBM i Security, Info Security Mgmt, Information Security.