CIO - In Cyber War: The Next Threat to National Security and What to Do About It, you write about how vulnerable America is to electronic attack. Is it possible to create an effective deterrence policy against cyberwar, as was done for nuclear war?
That doesn't work in cyberspace for lots of reasons. In the nuclear era, there were more than 2,000 tests worldwide. Nations demonstrated they could do damage. It's hard to demonstrate cyberweapons in advance. In a nuclear war, you see missiles. In cyberwar, it's not clear who's attacking. People can pretend to be other people. (See our review of Cyber War.)
How can the federal government protect companies?
Do more. As a matter of law and policy, the federal government should actively counter industrial espionage.
Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach.
Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations. The British government sent a letter from the head of [intelligence agency] MI5 to the CEOs of the top 300 companies in Britain telling them they'd been hacked by the Chinese.
What should companies do?
Corporations need to figure out what their crown jewels are. You can't protect everything and defend your entire corporate network equally. It's not all equally important, either.
So is it your intellectual property? Your marketing plans? Your research and development? Isolate them and provide them with special defenses and recognize that the other stuff will escape or be stolen.
Why don't companies do this?
Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they're reluctant to do anything special. They just say, "The CIO will do that," and assume the CIO is doing a good job.
Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.
The common refrain is that attack-proof security is expensive.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
