
‘Data Governance’ – A Way for Organizations to Fight Cyber-Attacks

As the U.S. intelligence community prepares to militarize its cyber-units for warfare in a virtual world, the rest of us are left to wonder how we can protect our assets and resources from a “virtual-attack.” Cyber-warfare and espionage have now supplanted terrorism as the greatest threat to our national infrastructure. As a result of more mainstream media coverage, the daily digital assault on our government and private sector IT infrastructure has begun to show how vulnerable that infrastructure is to advanced persistent threats (“APTs”), and the economic impact to the U.S. economy is in the tens of billions of dollars. Intelligence officials testified Tuesday that computer technology is evolving faster than security experts can respond, and if the anticipated budget cuts from the Sequestration are allowed to proceed, then preventing a cyber-attack becomes more challenging.

The reality of our cyber-world today is a Dr. Seussian-like “thinga-ma-jigger” of patches and fixes that dissuades a direct attack, but allows the perpetrators, in response, to flank the targeted organization or individual. The drawbacks of this existing mind-set are that (1) it is very costly to keep updated; (2) it is costly to consumers; and (3) other areas of the organization become underfunded. Our existing IT infrastructure fails miserably at securing mission-critical data, because it is too rigid and static. Because of this, a “Maginot Line” of useless fortifications and obstacles has been constructed by our military and technical leaders.

The Maginot Line is named after the French Minister of War, André Maginot (1877-1932). It was a line of concrete fortifications, tank obstacles, artillery casemates, machine gun posts, and other defenses, which France constructed along its borders with Germany and Italy in light of its experience from World War I and in the run-up to World War II. The Maginot Line was considered state of the art at its time and was impervious to most forms of attack. Its weakness, however, was that it could be flanked, and the rest, as they say, is history.

In order to better prepare for a cyber-attack, the U.S. government and organizations should consider a paradigm shift in responding to threat vulnerabilities.  The shift should be from a defensive, or reactive, policy management structure of Dr. Seuss-like readiness, to a proactive comprehensive data governance framework that underscores our commitment to the preservation and protection of our mission-critical data, good will, intellectual property, trade secrets, and other proprietary information.  A proactive data governance policy framework is a realistic outcome that private organizations and individuals can work towards. 

From the outset, a data governance framework requires active C-level participation in order to create accountability and ownership toward the various stakeholders, regulators, and the general public at large. The message is one of commitment: that senior management is actively engaged in its daily management functions. Moreover, in “leading by example,” senior management is in the best position to (1) articulate the importance of mission-critical data protection; (2) define the scope and objectives fundamental to the framework’s success; and (3) quantify the business value of the framework to the employees and business partners. Upon successful implementation of such a framework, private organizations (for-profit and non-profit alike) will have created a compliance-based culture, centered on information protection, which will increase productivity and bolster consumer confidence.
