23 September 2010

Cyber-Security. What is it?

Yesterday's Wall Street Journal included a damning criticism of the state of America's cyber security. Yet, what's striking about the debate on cyber security is the curious lack of detail. Aside from vague promises to "strengthen" cyber security and calls for more funding, there's little of substance in the public debate. Anyone care to fill me in?


Ray said...

It's a question of funding, but it's more a question of priorities. People would rather use a defective "user-friendly" system than a secured one, so we hook up defective systems with known vulnerabilities, yea, even into the Secretary of Defense's personal email (hopefully they've got on fixing that one).

Nobody wants some outside expert coming in and making "their" sysadmins' lives difficult, so we have no coordination worth speaking of when it comes to situational awareness.

Nobody in the corporate/civilian infrastructure world wants to hear they can't have their savings by hooking up their controls to the internet using insecure communications, so hackers can get at power, sewage treatment, gas flow, and other controls.

The technical expertise exists, but it's mostly not listened to or stonewalled behind endless fact-finding committees. After all, nobody's Pearl-Harbored us yet, right? So it can't happen. Alarmists, the lot of them, cybersecurity types.

infosec_jedi said...

"Cyber" is one of those unfortunate buzz words that media types have latched onto. Whenever I see it in an article I know that the journalist is sensationalizing something rather than discussing something they have knowledge of.

Generally by cyber security we mean information security, information assurance or any other number of terms. This means defense in depth, to include properly configured routers, firewalls, intrusion detection/prevention systems, anti-virus systems, segmentation, access lists, authentication, etc.

I think one of the main reasons the US is so vulnerable is because many of the people who are at the top of their organization's Information Technology section lack an understanding of Information Assurance. They are simply bureaucrats, bean counters, who just run down their required checklists and that's it.

greg said...

A lot of the concern is more on infrastructure security -- protecting the power grid, water supplies, etc. Because those things are set up by individual companies, there is a wide variance in how secure their computer systems are, both internally and from external threats. I have been meaning to do more reading on the subject. If you find any good books on the topic, be sure to share 'em.