A few questions have come in from some readers.  Since some of them are similar I felt that it would be best to answer them here. 

Can anyone really defend themselves against hackers or dishonest insiders? For example, if data leakage is invisible (because there may be no evidence left behind that information has been copied without authorization), how can one possibly defend against it?

Welcome to the Information Age!  Knowledge is power; he who has the knowledge has the power.  Intellectual Assets have become more valuable than physical assets.  The simple text file that contains the formula for a prescription drug could be worth tens of millions.  Individuals, companies, and governments are impacted when their information gets into the wrong hands. 

Information Warfare involves everything from personal identity theft to corporate espionage to offensive attacks against government assets.  The control of information is critical to the new Information Age.  Is it worth the risk interacting with this digital age?  We hear daily about vulnerabilities discovered in the operating systems that we use for work and play.  The applications we trust to hold our data, to view the world with our digital eyes, to pay our bills are fraught with bugs and backdoors.  Our Inboxes are filled with e-mail trying to entice us to provide our personal information.  Malware abounds throughout our interactions.  All around us are threats to our personal information.  With this focus on information, is it truly possible to defend against information warfare attacks when the attacks are just as varied as information warfare itself?

Life is about risk.  We all take risks when we get up in the morning and start our day.  We take risks as we drive our cars.  Our lives involve a mixture of risk avoidance and risk acceptance.  Defending our information against information warfare attacks is also an exercise in risk. 

Can we avoid all information warfare attacks?  No.  Information Systems are too embedded in our lives.  Even were we to hide all our money under our mattresses and never leave the house, the energy we use, the water we drink, the government that provides us services are all provided in some way using information systems.  We cannot avoid all risks therefore, we must decide which risks we can accept and which risks we try to avoid.  We can take efforts to insist that the companies we deal with conduct business securely.  We can petition our government to enforce common sense measures to protect its information systems.  We can ensure that we use good judgment when surfing the Internet. 

It all comes down to levels of acceptable risk.  We need to determine how we go about our lives and conduct business in a way that reduces the level of risk to our information and information systems.  What we cannot reduce or eliminate we must accept.  Much like the Age of Exploration, the Information Age is fraught with pitfalls and unknowns.  The mariners of old stocked their ships with the materials they might need should the unexpected come up.  They did what they could to minimize the impact of unforeseen circumstances and continued onward.  We should take a lesson from them and continue onward.

I was browsing some blog posts this morning and came across one on The Dark Visitor which is a site focusing on Chinese Hackers.  The post was about how China’s cyber warfare efforts have caused India’s military to step up their own cyber defense capabilities. 

This may seem to be an international political issue but does your company outsource anything off shore?  Do you offshore to India?  Do your partners?  Do you really know where your critical information is once it leaves systems under your direct control?  Do you verify that your outsourcing company protects your information at least as well as you do?

Let’s forget for a minute that the attacker is China (Honestly they’re just an easy target for my attention; there are other countries that have information warfare programs.); let’s forget that the target in this case is India.  The real point is that critical information is at risk once it has left the corporate environment.  By outsourcing, companies are delegating responsibility for protecting the information but in the end they cannot truly transfer this responsibility. 

It is not enough to include clauses in a contract that mandate the protection of your critical information, you must audit and verify that your partner (be they domestic or international) is conforming to how you mandate your information be protected.  Outsourcing can bring great savings but along with that savings comes additional Risk.  Have you considered the additional risk?