Posts Tagged “risk”

(Just to let everyone know, I haven’t forgotten about the Infosec/Professional Cooking string – I’ve been both very busy and very sick the past few weeks.  I also don’t want to just put something down and post it.  As the last post, I want to really bring the analogy together and I’d rather hold off a bit and do it right than lose it just before I bring it across the finish line.)

(Oh, and just another quick note on terms – I know that some people out there have an issue with any use of the term “cyber.”  With all the issues out there I think this one is perhaps the most worthless.  Personally I don’t care what we call it but it appears that “cyber” has caught on and therefore I will use it until another word tends to dominate.  Arguments and debates over semantics serve no purpose other than to distract us away from the real issues.  If you really want to debate that then let me know and I’ll start another thread for that.)

After seeing a tip from Bob Gourley on an article over at Government Computer News (GCN) I went over to read it.  Bob and his blog, CTOVision, are great sources for keeping abreast of the goings-on of the federal government, especially from the National Security/Intelligence Community perspective.

The article, entitled “Cyber threat calls for flexibility in command model, general says” offers great insight into the problem of cyber warfare as well as the general problems that everyone faces with threats from the Internet.  The article is rather short but it brings up a lot of issues that would take a great amount of space to really explore. 

Running the risk of oversimplifying things, let me say that the issue we face with the Internet, from both a cyberwar and a cyberthreat perspective, is that it is never static.  Attacks can come from anywhere and most often not directly from an attacker.  A device or network that is safe today won’t necessarily be so tomorrow or even five minutes from now.  Now I’m no military strategist by any stretch of the imagination, but to the layman it appears that the natures of cyber warfare and cyber threats are more akin to guerrilla warfare than a traditional battlefield.

The article talks about how the command and control structure should be established within the U.S. Military to deal with the threat.  It cites Lt. General William Lord, Chief of Warfighting Integration and Chief Information Officer of the Office of the Secretary of the Air Force.  One of the quotes I find most telling:

“We need to operate without heavy restrictions.  There are enormous restrictions in the offensive domain.  The biggest problem isn’t the enemy, the biggest problem is us.”

There is so much contained in that short three-sentence quote that we could talk for days.

The problem is that Cyberspace is global as well as local.  It involves both the physical devices that transmit information in the electromagnetic spectrum and the electromagnetic spectrum itself.  There are physical boundaries (network, national, and international) in some respects, but in others there are no boundaries at all.  Any action taken within this realm has the potential for global ramifications.  Achieving cyber superiority may not be as easy and straightforward as it seems.  There is a confusing array of laws and international agreements that deal with the free flow of communications between countries.  These add layers of complexity to an already complex issue.

We have hemmed ourselves in with the laws and agreements we have made and have chosen to operate by a code of conduct that our adversaries do not have to follow.  This is how we have chosen to organize ourselves as a society, and there is no doubt that it sometimes puts us at a disadvantage when pitted against an adversary who rejects our conventions.

I don’t believe that we can ever eliminate all risk or all threats.  I believe that these are just part of the world we live in.  We can choose to manage them and we can find ways to reduce them to levels with which we are comfortable (acknowledging that comfort levels can also change over time).

As the article suggests, we must above all else remain flexible in order to meet the challenges that face us.  We must learn to fight the next war, not the last one.


Over the past week or so I’ve been following the pirate attacks on international shipping off the east coast of Africa.  As I was listening to the news coverage a few statistics were given.  While I couldn’t write them down immediately these were the notes that I took as soon as I could pull over and find a pen. 

Every year there are approximately 80 successful pirate attacks off the coast of Somalia.  (The number of unsuccessful attacks is higher.)  This may sound like a lot, but compare it with the estimated 300,000 commercial vessels that pass through this section of ocean: that amounts to 0.027% of the traffic.  It would take 3,000 successful attacks before you would reach 1% of the estimated commercial traffic in that region.  Now I’m not sure what the statistics are worldwide, but my guess is that the ratio would be about the same.

As I was listening to the coverage I began to think about the parallels with other kinds of risk management.  It sounds cold, especially considering all of the human interest pieces the media has been doing on Captain Richard Phillips and his crew, but it is no different than the decisions that business leaders make daily on how their critical information is protected.

Situations like these tend to put risk-based decisions into perspective.  The decision makers at the A.P. Moller-Maersk Group now have a different perspective on the risk of piracy than they did two weeks ago.  Now I’m not deriding the decision makers at the A.P. Moller-Maersk Group.  Up until now I would bet that their decisions were based upon quantifiable numbers and in line with their industry’s best practices.  In other words they have taken a risk-based approach that has worked. 

Worked?!? – you say.  Yes, it has worked.  By all accounts some crews have been trained in how to respond to pirate attacks and thus have been successful in avoiding or thwarting the occurrence of this risk up until now.  (Another good example of this is the evasion of another pirate attack conducted against another U.S. flagged ship within the past 24 hours.)  It is a common fallacy that risk management is about the elimination of risk.  Risk management is not about the elimination of risk but rather its reduction to acceptable levels.  The risk still exists, though in a reduced form.

This then uncovers two important concepts:

  • Risk can never be totally eliminated – it can only be managed to acceptable levels; and
  • Perception is as large an influencer of decisions as statistics and other forms of measurement.

In the coming weeks I’ll take some time to explore these two concepts in relation to information risk management. 


Okay so I spent the week in DC and attended the pilot presentation of the NIST’s Risk Management – An Organizational Perspective course and I thought that I’d share my thoughts on it with everyone. 

First off, the course is intended to provide an overview of the methodology for managing organizational risk, unsurprisingly called the Risk Management Framework (RMF), developed by NIST and aimed at federal agencies.

When I accepted the invitation to go I really didn’t give it much thought and showed up expecting to sit through an overview class that would be presenting some new information.  When I got there I realized that what NIST wanted was feedback on the content and presentation.  Ever one to have an opinion, I was delighted to provide constructive feedback.

The course is based on their Special Publication 800-39 document: Managing Risk from Information Systems: An Organizational Perspective.  The primary audience is of course the federal government, but it contains tried-and-true principles familiar to anyone who manages risk.  What is surprising is that after all these years many organizations focus on what I call “point solutions” and not on organizational risk.  I’ve seen this happen at federal agencies as well as private institutions in more than a few different industries.  So with this in mind it is important to keep repeating the obvious until people begin to take some notice – enter this course.

Apparently NIST is planning on developing both an executive overview of the document as well as a three to five day overview course for government people who will have “hands-on” responsibilities with regard to risk management in the federal government (but no actual experience) – two very different audiences.  The problem with the pilot course is that it tried to cover both audiences at the same time. 

Now I’m not knocking NIST here.  Course development is not as easy a task as it may seem.  There are many different types of learners as well as different levels of detail required depending upon the audience.  I’ve been developing and delivering similar training for over five years now, so I know firsthand how hard it can be.  When you sit down to prepare the material it can often become difficult to accurately judge the level of detail needed, so my hat is off to NIST for opening themselves up to criticism.

The level of expertise and experience of the people sitting in that room was daunting.  With over 10 years of experience I was probably one of the more junior people there.  Just about everyone else had just over 15 years and came from a variety of different backgrounds.  If you were looking for constructive criticism, I can’t think of a better group to get it from though. 

Now when you typically get that many smart, experienced people in the room there is always someone who wants to promote their own agenda – it didn’t happen this time though.  Everyone listened and gave very good advice and their considered opinions.  It was very collegial and team oriented.  I think that everyone felt that they were contributing to the greater good and was happy to be able to do so.

We occasionally had a hard time not getting caught in the weeds.  When you’ve been doing this for a while you tend to know which minutiae are important and which aren’t.  The problem becomes squaring that with the level of detail required by the target audience.  NIST’s presentation had that same problem.  At times it was just right for an executive level of detail and at others it dove down into the weeds.  While everyone in the room followed along, I’m not so sure a new person would have.  The group’s comments reflected that opinion too.

One new thing that I heard (and it’s possible that I haven’t been paying attention as I’ve been focusing on the private sector for a while) is that NIST plans to release what they call Quick Start guides.  These are intended to be the “Cliff Notes” for the special publications.  They showed us one as an example and I thought it was just the right level and length for an executive summary.  It was enough to give you a context and an idea of what you needed to know before you dove deeper into the content of the actual Special Publication. 

All in all it was a pretty good few days.  NIST has a very difficult job.  When most people sit down to develop standards and guidelines they have a specific audience in mind.  That audience tends to be somewhat specific – either a specific industry or a specific organization.  NIST’s audience must span the entire federal government with all the different organizational cultures from all the different agencies.  What they come up with must be applicable in all those different environments.  Give too much information and it isn’t applicable in some environments; give too little and it isn’t applicable in any environment. 

This course will probably go a long way towards rectifying some of the criticism thrown at NIST over the years.  This week was a great opportunity to talk with the authors of the document and learn what they went through in order to create the documents.  Many of the issues we brought up were debated by NIST when the documents were created and we were able to gain the insight of their intent.  I hope in turn NIST will incorporate these insights into their Risk Management course.  That will go a long way to reducing some of the confusion that is out there.  I have every expectation that it will. 

All in all I had a great couple of days.  I met some wonderful and knowledgeable new colleagues, renewed old friendships, and gained a little more insight into this topic that we call Risk Management.


A few questions have come in from some readers.  Since some of them are similar I felt that it would be best to answer them here. 

Can anyone really defend themselves against hackers or dishonest insiders? For example, if data leakage is invisible (because there may be no evidence left behind that information has been copied without authorization), how can one possibly defend against it?

Welcome to the Information Age!  Knowledge is power; he who has the knowledge has the power.  Intellectual Assets have become more valuable than physical assets.  The simple text file that contains the formula for a prescription drug could be worth tens of millions.  Individuals, companies, and governments are impacted when their information gets into the wrong hands. 

Information Warfare involves everything from personal identity theft to corporate espionage to offensive attacks against government assets.  The control of information is critical to the new Information Age.  Is interacting with this digital age worth the risk?  We hear daily about vulnerabilities discovered in the operating systems that we use for work and play.  The applications we trust to hold our data, to view the world with our digital eyes, to pay our bills are fraught with bugs and backdoors.  Our Inboxes are filled with e-mail trying to entice us to provide our personal information.  Malware abounds throughout our interactions.  All around us are threats to our personal information.  With this focus on information, is it truly possible to defend against information warfare attacks when the attacks are just as varied as information warfare itself?

Life is about risk.  We all take risks when we get up in the morning and start our day.  We take risks as we drive our cars.  Our lives involve a mixture of risk avoidance and risk acceptance.  Defending our information against information warfare attacks is also an exercise in risk. 

Can we avoid all information warfare attacks?  No.  Information Systems are too embedded in our lives.  Even were we to hide all our money under our mattresses and never leave the house, the energy we use, the water we drink, the government that provides us services are all provided in some way using information systems.  We cannot avoid all risks; therefore, we must decide which risks we can accept and which risks we try to avoid.  We can make efforts to insist that the companies we deal with conduct business securely.  We can petition our government to enforce common sense measures to protect its information systems.  We can ensure that we use good judgment when surfing the Internet.

It all comes down to levels of acceptable risk.  We need to determine how we go about our lives and conduct business in a way that reduces the level of risk to our information and information systems.  What we cannot reduce or eliminate we must accept.  Much like the Age of Exploration, the Information Age is fraught with pitfalls and unknowns.  The mariners of old stocked their ships with the materials they might need should the unexpected come up.  They did what they could to minimize the impact of unforeseen circumstances and continued onward.  We should take a lesson from them and continue onward.
