Mike Daconta

COMMENTARY

Are we serious about cybersecurity? Here's a test to find out.

When the cover story for the January 2012 issue of Popular Mechanics is entitled, “Digital spies: How China’s secret war threatens our economy, national security – and you,” it is evident that awareness of the cyber threat has gone mainstream. Unfortunately, after reading the latest strategy document from the Department of Homeland Security, entitled the “Blueprint for a Secure Cyber Future,” we need a reality check on whether our current response is up to the challenge.

It is unfortunate that as a country we don’t seem to muster enough political will to solve a problem until after a crisis occurs. We are currently facing many, many challenges – from the federal deficit to energy policy to aging infrastructure to cybersecurity – where easy answers no longer suffice. In IT, we face daunting problems related to authoritative data sources, electronic discovery, data quality and anomaly detection. Here again, easy answers no longer suffice.




We will either get serious and do the hard work necessary to surmount these challenges or suffer in the doldrums of mediocrity and decline. To help prevent that and gauge our readiness to tackle these problems, here is a six-point litmus test to determine if we are serious about cybersecurity.

1. Secure software signoff

The first question we need to answer is – do we know how to build secure software? If so, prove it! For every other engineering discipline, a “P.E.” or licensed Professional Engineer signs off and is accountable for the quality of the design and implementation of the project. Not so in free-wheeling software development. It is time for a P.E. for software engineering in the areas of security and reliability.

2. Trusted computing components

Our entire computing infrastructure has been built on openness, free-spirited sharing and a Pollyanna mindset right out of a 1960s “love-in.” Time to get serious and develop trusted hardware, an operating system, apps and networking for our next “Manhattan Project.” Fortunately, the mass migration to cloud computing (for applications) and IPv6 (for networking) are targets of opportunity in this endeavor.

3. National vulnerability database

Our current patch-based, after-the-attack modus operandi requires an authoritative data source for every known vulnerability in every known IT system and software application out there so we are not flying blind. If we are serious, this could be done in six months.

4. White-hat hacking of U.S. industries

We need to face economic espionage head on by finding the vulnerabilities before our enemies do. Not only would this enable DHS to warn those companies that are vulnerable and give them guidance on how to prevent unfriendly attacks, it would also provide offensive training for our cyber warriors.

5. Offensive cyber-operations policy

The old adage that “the best defense is a good offense” should be applied to cybersecurity. We will never have a real grasp of our vulnerabilities until we see through the eyes of an attacker. That, together with the reality that we have plenty of adversaries, requires us to fund, train and equip offensive cyber operations on par with physical operations.

6. Accelerate national strategy for trusted identities

This strategy is sound yet requires a fast-track approach. The implementation must not take the usual bureaucratic path of over-analysis and hand-wringing. We need to end our after-the-fact, band-aid mentality towards cybersecurity as that approach has failed. 

Unfortunately, 80 percent of the just-released DHS blueprint is just more of the same. Just doing more cybersecurity stuff is frankly not good enough. It’s time to get serious before we face a crisis situation. If the Popular Mechanics article is to be believed, then we may already be there. Game on!

Reader Comments

Mon, Jan 9, 2012 Mahesh Sarmalkar Mumbai, India.

Article is good for knowledge and government work. And we are getting serious about cyber security.

Wed, Dec 28, 2011 Bob Donelson South Carolina

Such a refreshing and honest article throughout. CIOs should be promoted for passing these tests by demonstrations of success with each of the 6 points of the article. CIOs should be fired for not achieving results or failing any of the goals. Excuses are weak managers' badge of mediocrity that cannot be tolerated. Like many other great achievements of this Administration, IT Security should become a Strong Federal Benchmark versus the old tired mantra of "Good Enough For Government Work"!
