A famous leadership coach said, “Only Superman can leap tall buildings in a single bound; the rest of us must chip away at our goals one day at a time.” What a befitting quote for the position of Federal CISO! This role of organizing, equipping, training and leading the nation’s cybersecurity programs is not only daunting; every approach taken to it so far has been an utter failure.
Breaches of personal data have big consequences. Ask any user of Ashley Madison. Ask executives at Sony. Ask Hillary Clinton’s campaign. And, as we learned from the recent Wikileaks dump, all those private messages you’re sending may not be so private.
So, if you had to choose, who would you rather have view what is on your phone? The government? Or your significant other?
Many years ago, when Distributed Denial of Service (DDoS) attacks were becoming a more common problem, I had a meeting with a government agency (not to be named here). The discussion was broad in terms of the challenges they faced around cybersecurity, but it was their response to how they handled DDoS attacks that stuck out more than any other part of the meeting. “Oh, we just shut down the servers that are being attacked until the attack subsides,” was their input on DDoS defense strategy. Now, to be fair, this was in the early days of advanced thinking on DDoS defense, and also in the context of a broader climate where the view was that if a DDoS attack was going on, it might signal an attempt to breach data on the server, so it was better to lose availability than to lose data confidentiality.
Times have changed since then, and almost any government agency now has to balance availability threats more evenly against those targeting data confidentiality or integrity. Indeed, a few recent situations have highlighted the impact of a loss of availability, and the constituent reaction to security strategies that don’t effectively balance staying connected with staying secure.
The U.S. Senate is currently evaluating a bill that would require companies to break encryption under a court order. There is much controversy around this bill; in fact, several organizations have already spoken out against it, including the CTA.
Schools are getting more sophisticated; there is no doubt about it. My kids recently had an “emergency study exercise” in grade school where they needed to log in to the school system from home and participate in an online classroom, listen to a session and answer some questions. The idea was to see if the school was prepared for emergency situations, where the kids couldn’t attend school for some reason but could continue studying remotely. I thought that was pretty cool.
I also learned recently about a high school in our area where all the classroom activity is conducted online. The students have no books, no notebooks – only their laptop.
Not in favor of the new law that was just passed? Immigration policies too racist? The Catholic Church too corrupt? It is possible to organize a demonstration, or to take the fastest, easiest and most effective route and launch a virtual attack on the offending website: take down the parliament portal to protest unfair laws or policies, or shut down the local police’s website or the website of any other offending organization. Hacktivists have been very effective at launching attacks on government websites, and their motivation increases with each successful attack.