
House of Cybercards

We are in the middle of what may be the single most disruptive transition in the practice of information security. Not one of technology, threats, or practices, but of politics. It is occurring in the hallways of capitals and the planning rooms of militaries, instead of in boardrooms of enterprises and startups in California and Massachusetts. This transition will define our priorities for the coming decades, as well as the winners and losers of the future.

We, as an industry and collection of communities, need to understand this transition and find our places within it, or risk irrelevance.

The president of the United States has placed cybersecurity on par with gun control, tax and education reform, and job creation, in the State of the Union address. It is time to step back, take stock, and understand the implications. We are playing an old game, where we are barely in the stands, never mind on the field.

First, let’s take a moment to look at the buildup to this point. Major security incursions, even at the nation-state level, have been occurring for decades. But beginning in 2010 with Google’s revelation of the Operation Aurora attacks, followed by disclosures that dozens of technology firms believed they had been targeted and attacked by China, we have seen a flood of major attack disclosures – RSA, Stuxnet, Lockheed Martin, and the New York Times, just to get started. Some were against targets here in the US, some were perpetrated by the US, but all were part of the cat and mouse game between world powers, not merely between banks and criminal hackers.

The revelation of these attacks, and their timing, is more significant than the attacks themselves. Defense contractors don’t reveal they have been breached without a good reason.

Seven recent events best illustrate the nature of the impending shift. The first, clearly, was the State of the Union address. The second followed closely, with the President signing an executive order on cybersecurity. Both were preceded by reports that a classified National Intelligence Estimate had been issued, naming China as the top cybersecurity threat. Combine these three events with the failure of Congress to pass a cybersecurity bill (due to competing lobbying efforts) and the European Commission proposing new cybersecurity legislation, and it becomes clear that the politicians and lobbyists are fully engaged.

This was accelerated dramatically this week by Mandiant’s release of specific intelligence tying China to a massive attack campaign, and by the White House’s release of the Administration’s strategy on mitigating the theft of U.S. trade secrets (PDF).

And let’s not forget that the US government reportedly used cyber weapons against Iran’s nuclear program, rather than allow Israel to launch a kinetic strike.

Cybersecurity is now operating fully at a geopolitical level. (As much as you might hate the word ‘cybersecurity’, that battle is long lost, and fighting it is the quickest way to the kids’ table). That means future regulations, and massive amounts of government cash, will be fought over by lobbyists and special interests; in national capitals and on the screens of Sunday morning talk shows.

Although we may be the professionals with the most experience in security, that doesn’t buy us an inch of credibility or influence in this process. And I mean ‘buy’ in the literal sense. Just ask teachers how much influence they have over education legislation – and they even own a union. Security standards, disclosure laws, information sharing, criminal laws, and cyber arms control (vulnerability research and exploit development) are all likely to be regulated in one way or the other in the coming years across different nations. Many of these have the potential to directly affect how we do our jobs, and the direction of federal funding will influence what tools and technologies succeed in the market.

It doesn’t matter if you are a vendor, researcher, or practitioner – the only way to influence this process (if you care) is to play the political game. Engage with politicians, hire lobbyists, and start making the rounds in the halls of government. Understand that other vendors or “industry representatives” won’t necessarily represent your needs, and are focused on their own narrow interests. Your opinion, however logical, doesn’t matter unless you have a lever to pry decisions in your direction – the effective ones are all built around large wads of cash.

Those of you in the vendor community, in particular, need to realize you are up against defense contractors looking to maintain profits as two wars end. And they can no longer afford to perform poorly in the commercial market. If your CEO doesn’t have a travel schedule that involves Dulles or Reagan, you are already losing.

You don’t need to be a cynic to know it’s the toughest game in history, and we just landed in the middle.

—Rich


Comments:


By fatbloke  on  02/20  at  04:32 PM

“Cybersecurity” is a bullshit, meaningless word. The patients are in control of the asylum. As security professionals, we are already doomed.

And to use your teaching analogy, certainly here in the UK, it has been a long time since any of our teaching professionals have had ANY influence over education legislation. And I speak as an ex-teacher. The politicians know it all and they don’t need ANY help from those with any actual teaching experience.

Similarly, our legislators don’t need any help in terms of information security from those with real infosec experience. With the hype machine that is “cyber”, APT, AET and all the other junk relabelling terms which currently exist, I suspect it won’t be too long before I’m an ex-security professional as well.

Don’t believe the hype, kids - fight the power. Stand up for common sense information security and “back to basics”....

By Rich  on  02/20  at  04:41 PM

Yep – exactly the point of the post. And the reason 95% of our research and posts are on practical security.

But this is where we are headed, whatever our desires.

By rnrl  on  02/21  at  09:47 AM

“Cybersecurity” is most definitely not bs.

It’s about security in the “Cyber” domain.

Guess what, people practically live there now, and are heavily dependent on it.
We’re protecting them and their interests, not just their information.
They may be our bosses, clients, constituents or families.

Sorry, but Cyber or Info or Whatever security has been in corporate hands for years now and look how great things are.

Maybe it’s time for the big boys to step in?

By fatbloke  on  02/21  at  10:59 AM

@rnrl

And where is the “cyber” domain precisely? It’s the ruddy Internet, networks etc. The same places we have been attempting to defend for years. It is NOTHING new. The “Emperor’s New Clothes” if you will. New words describing the same old problems. It is total BS.

Here’s the problem: it is getting attention and funding and focus. This is a GOOD thing because it means SECURITY is getting funded and a revived focus. So do I ‘play the game’, even though it is total BS? That’s the problem, at least for me. And as Rich points out, the purpose of his post.

By Andrew Yeomans  on  08/23  at  01:26 AM

It’s interesting to look at Google Trends on the word “cyber” http://www.google.com/trends/explore?q=cyber.

Demonstrates 10% year-on-year decline of usage of the word for the last 9.5 years - apart from huge peaks corresponding to “Cyber Monday”.

By fatbloke  on  08/26  at  12:03 PM

@Andrew

I’m not sure what point you’re trying to make, but a similar search on “Cybersecurity” shows a definite upward trend since 2009 - about the same time that this BS started…

http://www.google.com/trends/explore?q=cybersecurity

By Andrew Yeomans  on  08/26  at  11:52 PM

Try them all: http://www.google.com/trends/explore?q=cybersecurity#q=cyber,  cybersecurity,  “cyber security”&cmpt=q

I take this as a hype alert - in part of the infosec industry, “cyber” may be regarded as a key to budget or the ear of management. But it’s likely to be a short-lived trend.

Which I personally think is good - then we can concentrate on the actual, separate threats, rather than lump them together under the banner of “cyber”. After all, there’s not much really in common between an activist DDoS attack and state-sponsored espionage - except they all get passed to infosec to fix.
