
“We Can’t Live in Castles” – FBI Official Concedes; CyberSecurity Policy is a Failure

March 28, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Laws and Legislation.

In my Google alerts today was an article from Fox News titled “Retiring FBI Official Says Current US CyberSecurity Strategy ‘Unsustainable’”. Shawn Henry, the FBI’s Assistant Director for CyberSecurity, refers to the increasing cyber attacks on government and corporate targets and says: “We are not winning”. All I can say at this point is…WOW..again we are beating a dead horse! In 2010, I said the same thing at an InfraGard event in Salt Lake City, and RSA has said the same thing. We sound like broken records at this point. This post will likely be a bit more pointed and blunt than most, but my frustration is mounting on the subject. For a shameless plug on my own research brief, please read: “A Failed State of Security” now published by IDGA.

CyberAttacks against corporates, committed by individuals, are crimes. Crimes are human acts undertaken by living, breathing, thinking human beings. CyberSecurity, at its core, is about more than building castles to keep the princess protected. It is also about changing human behavior to deter the criminal behavior.

“deterrence is ultimately about decisively influencing decision making. Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[1]

Let’s build on the castle analogy purely from a security perspective. For our history buffs this will be old news. Originally, castles were built of mud and wood. Why did they change? Fire. The adversaries started burning the castles down. What was the response? To build the castles out of stone. Did this work? For a while. Then the adversaries brought in the trebuchet and catapult. Higher walls, thicker walls, moats, etc. It became an arms race against the attackers. Much like we see today.

The point is that the Federal Government and regulatory bodies focus on compelling companies to comply with more and more stringent security requirements while doing little to deter the criminal’s behavior. Deterring unwanted behavior is not simply the domain of criminology. It was originally taken from defense. What is so shocking about the FBI’s position is that they ignore one of the very cornerstones on which US defense policy is made…deterrence theory. When the World Trade Centers were attacked and knocked down, President Bush made it clear that the US would go to war with anyone who harbored terrorists. Was the point to continue fighting wars ad infinitum (although in 2012 it may look that way)? Rather, the idea was to deter unfriendly countries from harboring terrorists that could act against US interests.

In 1962 the US was on the brink of nuclear war with the Soviet Union. The Soviet Union was placing missiles in Cuba and the president was faced with a dangerous decision. The Soviets sincerely believed that the US would not take any action to prevent the placement of missiles as it could result in nuclear war. In fact the US initiated a naval blockade and it was the Soviet Union who blinked. In Nikita Khrushchev’s own words, he warned colleagues that they were: “face to face with the danger of war and of nuclear catastrophe, with the possible result of destroying the human race.” He went on to say: “In order to save the world, we must retreat.”[1] You can read more about the story in Essence of Decision.

The point is simple. As long as those with bad intentions against US interests (government, corporate, etc.) can act with impunity, they have little incentive to change their behavior. This puts companies at a distinct disadvantage as their only real option is to build stronger and stronger castles, all while losing the inevitable war. Fighting a purely defensive battle is a losing proposition.

As stated by the incomparable Mike Tyson when talking about a fight plan: “Everyone has a plan until they get punched in the face”. That punch…changes behavior in the ring. Without being able to throw a punch, the US and her companies will continue to get pummeled.


[1] Allison, Graham (1971). Essence of Decision: Explaining the Cuban Missile Crisis, 1st ed. Little Brown.

[1] Chilton, Kevin (2009). Waging Deterrence in the Twenty-First Century. Strategic Studies Quarterly.
