Partnerships and Procurement Are Not the Answer

The latest Federal Computer Week magazine features an article titled "Cyber warfare: Sound the alarm or move ahead in stride?" I'd like to highlight a few excerpts.

Military leaders and analysts say evolving cyber threats will require the Defense Department to work more closely with experts in industry...

Indeed, the Pentagon must ultimately change its culture, say independent analysts and military personnel alike. It must create a collaborative environment in which military, civilian government and, yes, even the commercial players can work together to determine and shape a battle plan against cyber threats...

Ok, that sounds nice. Everyone wants to foster collaboration and communication. Join hands and sing!

“Government may be a late adopter, but we should be exploiting its procurement power,” said Melissa Hathaway, former acting senior director for cyberspace for the Obama administration, at the ArcSight conference in Washington last month...

Hmm, "procurement power." This indicates to me that technology is the answer?

Although one analyst praised the efforts to make organizational changes at DOD, he also stressed the need to give industry more freedom. “The real issue is a lack of preparedness and defensive posture at DOD,” said Richard Stiennon, chief research analyst at independent research firm IT-Harvest and author of the forthcoming book "Surviving Cyber War."

“Private industry figured this all out 10 years ago,” he added. “We could have a rock-solid defense in place if we could quickly acquisition through industry. Industry doesn’t need government help — government should be partnering with industry.”

Hold on. "Private industry figured this all out?" Is this the same private industry in which my colleagues and I work? And there's that "acquisition" word again. Why do I get the feeling that technology is supposed to be the answer here?

Industry insiders say they are ready to meet the challenge and have the resources to attract the top-notch talent that agencies often cannot afford to hire.

That's probably true. Government civilian salaries cannot match the private sector, and military pay is even worse, sadly.

Industry vendors also have the advantage of not working under the political and legal constraints faced by military and civilian agencies. They can develop technology as needed rather than in response to congressional or regulatory requirements or limitations.

I don't understand the point of that statement. Where do military and civilian agencies go to get equipment to create networks? Private industry. Except for certain classified scenarios, the Feds and military run the same gear as everyone else.

“This is a complicated threat with a lot of money at stake,” said Steve Hawkins, vice president of information security solutions at Raytheon. “Policies always take longer than technology. We have these large volumes of data, and contractors and private industry can act within milliseconds.”

Ha ha. Sure, "contractors and private industry can act within milliseconds" to scoop up "a lot of money" if they can convince decision makers that procurement and acquisition of technology are the answer!

Let's get to the bottom line. Partnerships and procurement are not the answer to this problem. Risk assessments, return on security investment, and compliance are not the answer to this problem.

Leadership is the answer.

Somewhere, a CEO of a private company, or an agency chief, or a military commander has to stand up and say:

I am tired of the adversary having its way with my organization. What must we do to beat these guys?

This is not a foreign concept. I know organizations that have experienced this miracle. I have seen IT departments aligned under security because the threat to the organization was considered existential. Leaders, talk to your security departments directly. Listen to them. They are likely to already know what needs to be done, or are desperate for resources to determine the scope of the problem and workable solutions.

Remember, leaders need to say "we're not going to take it anymore."

That's step one. Leaders who internalize this fight have a chance to win it. I was once told the most effective cyber defenders are those who take personal affront to having intruders inside their enterprise. If your leader doesn't agree, those defenders have a lonely battle ahead.

Step two is to determine what tough choices have to be made to alter business practices with security in mind. Step three is for private sector leaders to visit their Congressional representatives in person and say they are tired of paying corporate income tax while receiving zero protection from foreign cyber invaders.

When enough private sector leaders are complaining to Congress, the Feds and military are going to get the support they need to make a difference in this cyber conflict. Until then, don't believe that partnerships and procurement will make any difference.


Anonymous said…
Maybe it is time to put good old Gene Kranz in charge of all government cyber security: "From this day forward, Flight Control will be known by two words: 'Tough' and 'Competent.' Tough means we are forever accountable for what we do or what we fail to do. We will never again compromise our responsibilities. Every time we walk into Mission Control we will know what we stand for. Competent means we will never take anything for granted. We will never be found short in our knowledge and in our skills. Mission Control will be perfect."
John Ward said…
Hahaha thank you Rich. You probably know better than I at this point that industry and consulting don't act within "milliseconds". In the private sector, security is an afterthought, especially in application development where the "security standard" is a bare minimum of requirements that usually entail implementing simple authorization and authentication schemes, a firewall, and a virus scanner. The only way real progress gets made is, as you pointed out, when a C level employee gets embarrassed enough by an incident to put people's asses to the fire. That's not a model to follow. It won't be a few more years until the current crop of grunts who have been through their paces make their way to the top to be those leaders.
Ken Bradley said…
Bravo Richard. I can feel the passion. A song comes to mind: Twisted Sister...'we're not gonna take it...'

In seriousness, passion is the key ingredient to overcoming many hurdles, be it a sporting event, life adversity, natural disaster...the list goes on. It's time for the infosec practitioners to make this a matter of pride, national or personal, you pick. Pride equivalent to that of the intruders behind these attacks plaguing us all.
Anonymous said…
A good number of practitioners DO take pride in doing good work and protecting their infrastructure. It's just most of us can only wave the flag for so long before we look around and see we're alone in the wilderness. Senior management as a general rule isn't going to give a flying hoot of doing much of anything beyond checklist compliance until their bottom line is affected.
Anonymous said…
IMO, the only real answer is in policy. Industry is fighting a battle with a shield. I like to say that some of us are like the 300 - we kick some serious butt with a shield, but in the end, you still need a sword to win.

Within the country, we need the support of the legislative and legal communities. Internationally, we need leadership and assertiveness by our policymakers in the executive branch. Until the "cost effectiveness" of stealing data is decreased, we will continue to have these problems. There is only so much non-government organizations can hope to accomplish within their legal and ethical bounds.
Marcus Ranum said…
Leadership is part of the answer. But even Napoleon Bonaparte wouldn't have been able to accomplish anything without trained troops who understood the job they were trying to do. Unfortunately, the trend in federal IT is to outsource everything to the point where all many government IT managers are capable of doing is reading PowerPoint presentations from beltway bandits.

I'm becoming a fan of negative consequences. How about if someone's network gets penetrated horribly, it ruins their career? You know - like it can do in the private sector.
