Tales from the Technoverse

Commentary on social networking, technology, movies, society, and random musings


The Problem With Government Security

June 23rd, 2010 · No Comments · cyber-security

During the time I served as the CIO at the US Department of Transportation, when I wanted to annoy my Chief Information Security Officer (CISO) or the CISO staff, I would point out that in my opinion there were two things wrong with computer security within the Federal Government.

First, we put security in charge.

Second, we kept secrets.

If we solved for those two issues, we would not have a security problem.

Of course, I was joking. Well, sort of.

The point I was making regarding security being in charge was to illustrate that in the end security was an advisory function supporting the business owner. The business owner needed to make the final call regarding what to do re operational systems.

The extreme example at the Department, which happily we never faced, was: what if the air traffic control system had been infected with a virus which we felt might spread to other operational systems? The senior executives who were responsible for air traffic control would be the responsible officials deciding if we could take the systems off-line, not security.

My second point was that we needed to much more aggressively think through what systems, and data, we really needed to protect. The more we needed to protect, the less likely we were to be able to protect anything. My final line was always: if we didn’t have any secrets, we wouldn’t have a security issue.

In retrospect, I have more recently realized that in addition to being a bit flippant, I was also wrong. As any security professional knows, even without secrets we still will have a serious security issue – that of integrity. By integrity I mean that of both the data and the systems themselves.


Since it remains my contention that in today’s world all organizations have to ultimately choose if they are going to be great at information sharing or information protection, AND that all organizations are going to eventually have to choose information sharing (I’ll do a separate post on this), this leads to a problem.

Recently I have been talking to professionals who touch DoD and military doctrine, an area in which I am pretty unknowledgeable. A number have mentioned the work of John Boyd, http://en.wikipedia.org/wiki/John_Boyd_(military_strategist). Boyd came up with the concept of decision cycles, what he called an OODA Loop:

  • Observation
  • Orientation
  • Decision
  • Action

A simplistic summary of Boyd’s thinking was that in combat, the organization with the fastest, high quality OODA loop would win; where combat could be combat in anything.

Taking this concept to cyber-security, one conceptual approach would be to not try and protect the periphery of a network but to be able to rapidly change the network or access to it, or its contents, so that an adversary would never have the opportunity to penetrate and/or corrupt it.

As usual, I am much more able to articulate these kinds of things conceptually than to actually understand the implementation implications. However, I hope to interact with people who can help me understand those details as well as let me know if this is a reasonable approach to security.
