Our Insecurities or: How to Stop Worrying and Love Compromised Cyber Environments

My Deputy CIO for IT Security, Jerry Davis recently asked if I thought he was paranoid.  I assured him that he wasn’t really paranoid if we really are operating in a compromised environment. 

Some pop psychologists refer to the BAR Cycle when advising clients dealing with our emotional insecurities or personality challenges.  The BAR Cycle – belief, action, result – says that what we believe leads to how we act and thus produces certain results in our lives.  To produce different results, we have to change our beliefs.  We need to do the same thing for our cyber insecurities. 

We have struggled in the area of cyber security because of our belief that we are able to obtain this ideal state called – secure.  This belief leads us to think for example, that simply by implementing policies we will generate the appropriate actions by users of technology and will have as a result a secure environment.  This is hardly the truth.  Not to say that policies are worthless, but just as the 55 mph speed limit has value though it does not eliminate traffic fatalities, the policies in and of themselves do not eliminate cyber security compromises.   

Army General Keith Alexander, the nation’s first military cyber commander, described situational awareness as simply knowing what systems’ hackers are up to.  He goes on to say that with real-time situational awareness, we are able to know what is going on in our networks and can take immediate action. 

In addition to knowing our real-time state, we need to understand our risks and our threat environment.   Chinese General Sun Tzu said that, “If you know the enemy and know yourself you need not fear the results of a hundred battles.”  It is through an understanding of the state of our specific environment and the particular risks and threats we face where we can take the right actions to produce the results that we need. 

Those results need to be mission relevant, however.  Data leakage or unauthorized access, for example, may be acceptable for scientific data that is readily open and available to the public.  However, integrity of the same data must be trusted in order to prevent inaccuracies and maintain confidence in conclusions. 

I suppose that agency computer security executives face the same dilemma as Jerry – worry and be hopelessly paranoid; or worry and face the certainty of a cyber security doomsday.  Either way, the path forward to different results will start with changing our beliefs about our current state. 

Linda Cureton, CIO, NASA

31 thoughts on “Our Insecurities or: How to Stop Worrying and Love Compromised Cyber Environments”

  1. Considering that Life is our fossil of death.

    Well, obsession or obsessions disorder our system of security…

    No sense has to live with the fearless fear, but to be a fanatical of security dynamics lay on the bottom of a black hole.

    I don’t recognize the ambition of maintaining a secret by the moral of disclosure; but it’s radical or fundamental that the treasure of the culture of the science of nature remains always untouchable for security reasons, clearly.

    Evasion????

  2. A factor of uncertainty is the hostile environment. Moreover, is the major factor of insecurity. If you live in a society dominated culture and education to give greater value to individualism, where people are selfishly closed in themselves, where the respect and courtesy become secondary before the fruitful result, where people truly believe they can cover all forecast results, and support all of them, is doomed to eternal insecurity.

    The Cyber environment is no different, since only a reflection of the Royal Society. Insecurity is personal. Insecure people become selfish and close. They are afraid because unconsciously they know their own weaknesses. They are closed. How to discover them, but surprend them? When they are asked to close and open, for fear they become violent. It’s paranoia. Modern society is experiencing a paranoia of insecurity because they are not able to be a mutually beneficial society. This is a poor planet.

  3. Just because you’re paranoid, doesn’t mean they are not out to get you!

    In all seriousness, this is well put. Many agencies need to move from being risk adverse/risk avoidance to risk management. That is an entirely different mindset.

  4. I can’t agree more with your comments.

    I believe there is a function to the amount we spend in resources ($$’s and time) and the amount of “security” we put in place that has to take into account cultural and environmental needs. It’s definitely situational. I was VP, Tech for a on-line education firm and while there were many competing needs with security being near the top. We had to pick our battles so to speak as resources seemed to be scarce yet the needs immense. We had regular battle planning sessions where titles and seniority were checked at the door to spot as many high risk areas as possible. It goes along with General Alexander’s comments on situational awareness. I’m sure the same is true for day-to-day security risk management in all of our government’s agencies.

  5. I love this, Linda – “To produce different results, we have to change our beliefs.” The is certainly true, as you mentioned, about cyber security – it’s also true about every aspect of our lives. If, for example, we believe that people are supposed to “pay their dues” or “just work hard,” we miss out on the opportunity to activate their brilliance and cash in on their loyalty. If, however, we believe each person wants to contribute and means well, we’ll find a way to help them shine.

    You’re posts are awesome – so authentic – thank you!

    Misti Burmeister – http://www.InspirionInc.com

  6. Read this article feel good, I learned a lot, I feel good this site, I will come back

  7. Dear Linda ,

    Superb Article….Your blog is getting better and better …!!!

    warm regards

    Sooraj Prabhakaran

  8. This is nice nasa blog. visitor added a comment on your blog post.
    hmm, i liked that, a lot, yes i did

  9. I have liked your thoughts, I am going to subscribe your blog and will come here again
    to know more. thanks,
    Your discussion is exactly the same i agree for . I will scribe your blog and will come back.

  10. I have liked your thoughts, I am going to subscribe your blog and will come here again
    to know more. thanks,
    Your discussion is exactly the same i agree for . I will scribe your blog and will come back.

  11. Finally, I was looking forward to your blog on the coquí! The Hawaiian wall of sound was somewhat louder than in Puerto Rican urban areas. Have never spent the night in our rain forest, El Yunque, where I imagine the amphibian cacophony might have been similar to that in the South Pacific. I still believe it has a musicality of its own, but I’m prejudiced.

    On other issues–like the use of the air conditioning and architecture in Hawaii versus Puerto Rico, I must confess that Puerto Rico is much more humid and we have become too dependant on air conditioning. We no longer build our houses in a way to take advantage of the tradewinds. The high ceilings, wooden structures are a thing of the past. That might be related to the threat of Caribbean hurricanes in Puerto Rico.
    So kudos to Hawaii for preserving their Island paradise.

  12. Suppose you are on a jury and the prosecution brings out expert witnesses in DNA analysis, finger print analysis and ballistics, all giving evidence of the defendant’s guilt, and all the defense attorney says is “Science does not appeal to authority!” You’d find his client guilty. If you think the people with expert knowledge are wrong about climate change, it is up to you to show us where they went wrong. We as a people have to make some tough choices. Do we go by the best available evidence or rely on a few contrarians and bloggers?

  13. You will never feel yourself secure while we have all these technologies, like PCs and internet. There is cannot be some kind of absolute secure system.

  14. I AM ABLE TO USE THIS BLOG TO GET DIRECTIONS ON HOW TO LOCATE A PARTICULAR SUBJECT THAT I AM TRYING TO FIND A BOOK ON SO I CAN GET SOME ANSWERS ON QUESTIONS THAT HAVE COME UP AT WORK AND NO ONE IN MANAGEMENT IS WILLING TO TAKE TIME TO FIND.

  15. Surfing the web. Social networking. Shopping. Even the most innocuous online activities can pose a threat to our
    nation’s cybersecurity, and all Americans should play a part in protecting it.That’s the message behind the seventh
    annual National Cybersecurity Awareness Month this October.Sponsored by the Department of Homeland Security (DHS), National
    Cybersecurity Awareness Month encourages the practice of good ‘cyber hygiene’: taking simple precautions to reduce the
    cyber risks to our national and economic security.

  16. Surfing the web. Social networking. Shopping. Even the most innocuous online activities can pose a threat to our nation’s cybersecurity, and all Americans should play a part in protecting it.That’s the message behind the seventh annual National Cybersecurity Awareness Month this October.Sponsored by the Department of Homeland Security (DHS), National Cybersecurity Awareness Month encourages the practice of good “cyber hygiene”:taking simple precautions to reduce the cyber risks to our national and economic security.

  17. This article enumerates some simplifying assumptions the security community has made in its effort to gain traction with the access control problem. For many environments, a dramatic and painful mismatch seems to exist between these simplifying assumptions and reality.The authors argue that effective security in these environments might therefore require rethinking these assumptions.http://boilertreatment.com

  18. I am often asked why on earth do I blog; why would a federal CIO want to blog; and where do you get the courage to do this. All fascinating questions that I thought about when I started and revisited as I got an email from a CIO colleague last week.

  19. Remarkable post and will look forward to your future update.I procrastinate alot and never seem to get something done.
    I recently came across your article and have been reading along.

    ,
    ,

    ,

    ,
    ,

    ,

    Thanks a lot for sharing the article on cash. That’s a awesome article. I enjoyed the article a lot while reading. Thanks for sharing such a wonderful article.

  20. There must be copious amounts of comfort at NASA.

    NASA’s Goddard Space Flight Center FTP server hacked | ZDNet
    May 18, 2011 … A Romanian attacker known as TinKode has compromised a FTP server belonging to Goddard Space Flight Center.
    http://www.zdnet.com/blog/security/nasas-goddard-space…ftp…/8660 – Cached

    NASA website hacked – Times Of India
    May 11, 2011 … WASHINGTON: Software scammers offering cheap Adobe software have hacked into numerous web pages of NASA, just days before its final launch …

    Infosecurity (USA) – NASA flunks cybersecurity audit
    Sep 23, 2010 … NASA audit warns of “catastrophic” consequences from lax … “We found that NASA’s IT security program had not fully implemented key FISMA …

    NASA IG Warns of “Catastrophic Adverse Effect” — Calls for …
    NIST’s “Capstone” FISMA Publication Provides Superb Understanding of Risk … An Audit Report by NASA’s Office of Inspector General found that “six computer …

    Still on the Hook for FISMA Compliance
    Sep 20, 2010 … Specifically, the IG audit focused on whether NASA met annual IT … only one quarter of audited systems met FISMA requirements for annual …

Comments are closed.