My Deputy CIO for IT Security, Jerry Davis, recently asked if I thought he was paranoid. I assured him that he wasn’t really paranoid if we really are operating in a compromised environment.
Some pop psychologists refer to the BAR Cycle when advising clients dealing with emotional insecurities or personality challenges. The BAR Cycle – belief, action, result – says that what we believe leads to how we act and thus produces certain results in our lives. To produce different results, we have to change our beliefs. We need to do the same thing for our cyber insecurities.
We have struggled in the area of cyber security because of our belief that we are able to obtain this ideal state called – secure. This belief leads us to think, for example, that simply by implementing policies we will generate the appropriate actions by users of technology and will have as a result a secure environment. This is hardly the truth. Not to say that policies are worthless, but just as the 55 mph speed limit has value though it does not eliminate traffic fatalities, the policies in and of themselves do not eliminate cyber security compromises.
Army General Keith Alexander, the nation’s first military cyber commander, described situational awareness as simply knowing what systems hackers are up to. He goes on to say that with real-time situational awareness, we are able to know what is going on in our networks and can take immediate action.
In addition to knowing our real-time state, we need to understand our risks and our threat environment. Chinese General Sun Tzu said that, “If you know the enemy and know yourself you need not fear the results of a hundred battles.” It is through an understanding of the state of our specific environment and the particular risks and threats we face that we can take the right actions to produce the results that we need.
Those results need to be mission relevant, however. Data leakage or unauthorized access, for example, may be acceptable for scientific data that is readily open and available to the public. However, the integrity of the same data must be trusted in order to prevent inaccuracies and maintain confidence in conclusions.
I suppose that agency computer security executives face the same dilemma as Jerry – worry and be hopelessly paranoid; or worry and face the certainty of a cyber security doomsday. Either way, the path forward to different results will start with changing our beliefs about our current state.
Linda Cureton, CIO, NASA