The More Things Change - Information Security and Corporate America

Security threats have evolved from curious probing to corporate espionage and economic warfare.

John B. Weaver shares his thoughts ...

The New York Times recently published an article about ties between China’s People’s Liberation Army and the compromise of systems and networks at a number of high-profile organizations. The link between attacks originating in China and compromises of these organizations is detailed in a report by Mandiant, a US-based information security firm. The level of detail contained in the report and the level of attention it is receiving is remarkable but what is unremarkable is that this isn’t a new story.

Individuals, driven by a variety of motives, have been attempting to compromise systems and networks for decades. In the late '80s and early '90s the motivation for perpetrating such compromises was mostly curiosity and intellectual challenge. But as the Internet evolved from a communications path for academic institutions and research agencies into a channel for commerce, both the motivations and the perpetrators changed.

The collapse of the Soviet Union in 1991 put a lot of Cold War technologists out of work. The skills they’d used in electronic intelligence gathering for the KGB transferred very nicely to freelance work attacking targets in the West for fun and profit. 

The next step in this progression to electronic espionage is a simple extension of the economic policies of many nations, friend and foe alike. There are countless examples of foreign governments helping companies at home plunder trade secrets and proprietary information from US companies, at a cost of billions to the US private sector. Research and development dollars spent by US companies are not easily recovered when foreign competitors benefit from that work and compete directly in the global marketplace.

Now US legislators are jumping into the fray by attempting to legislate information security. This effort is well-intentioned but misguided. I'm reminded of the challenges with implementation of the Communications Assistance for Law Enforcement Act (CALEA), passed in 1994. This poorly considered legislation was intended to assist law enforcement agencies with electronic surveillance: pen registers (numbers called by a phone number under surveillance), trap-and-trace (numbers that call the phone number), and court-ordered wiretaps. In passing this legislation, Congress allocated $440M to be divided among the seven Regional Bell Operating Companies (RBOCs, the product of the breakup of AT&T in 1984). After CALEA was signed into law and planning for implementation of the requirements began, it quickly became apparent that this allocation would be a tenth of the amount required to retrofit the nation's telephone switch network. At the same time, the bad guys were starting to use email and the Internet to perpetrate crimes, something the initial CALEA requirements had not even contemplated.

I will leave the topics of "cyber warfare" and a "Digital Pearl Harbor" for another time, but I do have a point in this nostalgic walk down Memory Lane. It is that the executive leadership of US companies must address information security as a key component of managing enterprise risk and as critical to the survival of their organizations. Many executives in the corner office have awakened to this reality, but they are in the minority. Frequently, in speaking with senior leaders, we hear "Information security? Go talk to IT." Technology is important, but it is only part of the right answer. Ask any experienced information security professional whether they have ever done a repeat vulnerability assessment engagement with a client and found that nothing cited in the previous engagement had been addressed in the intervening time. I'll bet they nod in the affirmative. That outcome reflects a lack of management commitment, period.

The bottom line is that the issues affecting information security are here to stay and are growing more complex, driven by highly motivated individuals, crime syndicates and unscrupulous nations. It is unrealistic to expect that the government can make the problem go away. It is the responsibility of executives in the public and private sectors to learn about the information security risks their organizations face and to take action to reduce their exposure as part of the overall enterprise risk management strategy.

John B. Weaver is President and CEO of JBW Group International with 25 years’ experience in dealing with reluctant executives and tech-challenged legislators.