Friday, January 4, 2019

Week 5 - This Means War!

It's no secret: those who work in cyber security in the DoD are accused of being a low-value administrative requirement, fed mostly by fear and by pressure from leadership reacting to sensational stories in the news. The reputation cyber professionals have is that they slow progress, impede the mission and generally operate on rules that continually change.

First, let's address the rumor that cyber requirements are always changing. The answer is yes, cyber requirements do change all the time. Policy changes because threats change. Criminals change their techniques. Technologies emerge and then get exploited. Insiders get better, or perhaps lazier. All these changes need to be addressed by changing the way cybersecurity is performed.

The other issue with cybersecurity is that it ends up taking too long to implement and approve. Typically the organization is held to the standards of an outside standards body or approver and needs to meet the mark in terms of required compliance checklists and vulnerability assessments. There are so many rules, policies, guidelines, best practices and expectations that addressing EVERY possible security control would take months if not years. And then, when you think you've addressed them all, you need to start over because the threats have changed, the policies have been updated and what you addressed in the beginning is outdated. A vicious circle that can never be completed.

But is this really the best way? Perhaps we're trying too hard? Are all these checks really necessary if they ultimately postpone the delivery of a capability to our company or organization?


Another perspective:

In the early 1940s, when America was jumping into WWII, the entire country made enormous sacrifices to support the warfighter. Women took jobs, factories previously making iron parts changed to making bombs (my grandfather worked in one of them), and the process for fielding capabilities and products to those on the front line was streamlined, with checks that were not mission-essential set aside.

Let's present this perspective another way:

Your wife is pregnant, 40 weeks. It's 2am and she screams that her water broke. Your job is to get to the hospital right away. But if you were to do things the RIGHT way, this is what it would look like:

1. You get out of bed.
2. You make your bed.
3. Brush your teeth.
4. Put on fresh clothes. Perhaps dress in layers.
5. Before leaving, adjust the thermostat so as not to waste energy while you're gone.
6. Ensure all the doors are locked, windows closed, major appliances not running.
7. Both of you get in the garage.
8. Inspect the car to ensure all tires are properly inflated.
9. Once inside the car, adjust the mirrors to make sure you have a proper field of vision, especially in the blind spots.
10. Make sure your wife is buckled in; perhaps get her some bottled water.
11. Turn on the car and let it warm up (remember back in the 80s).
12. Find a radio station that is soothing to your wife. Adjust the temperature control.
13. Back out, but go slowly to look for neighbors, dogs, etc.
14. Program the hospital into Waze and select the most efficient route.
15. Drive conservatively since it is late at night, your senses are muted and the darkness could obscure a cute raccoon or other furry animal.
16. Pull into the hospital and find a good parking spot in a well-lit area, in proximity to security cameras.


I think you get the point.

In real life, ALL those checks go out the window, and it's a mad dash to the hospital with little regard for how your breath smells, what you're wearing, or proper road etiquette. Laws be damned, this baby is coming out!

In real life, if we were under physical attack by our adversaries, with bombs being dropped on our cities, boats coming ashore, bad guys taking over our cities and terrorists aiming chemical weapons at our schools and government centers, you know for a FACT that cybersecurity would be limited to:

1. Network defense

So while we are not currently under physical attack, we are under attack by digital adversaries who are looking to beat our networks and steal our military and technological secrets. A model as rapid as the one above won't work in the DoD or any other organization, but how could we develop a model where a system could undergo an appropriate level of review, validation and risk assessment without putting the data or people at risk? I'm thinking, like two weeks.

Like almost everyone else, we are at the mercy of the approving official. I don't have an answer for this. I can't control those who are pulling my strings, but perhaps I can find a way to cut them.
