It’s been a privilege to sit down with C-level leaders of companies who are providing the talent and the tools to secure our nation’s critical infrastructure; it’s encouraging to see the ways that CISOs and other security leaders are finding the respect (and the dollars) from their organizations, as technical security has moved from a grudging deliverable barely tolerated to an absolutely indispensable strategic differentiator for corporations, governments and nations. All of this has taken place in just a few years.
A few weeks ago I was in D.C., reading the home-court Washington Post, and came upon the story, “U.S. Cybersecurity Plans Lagging, Critics Say” by Ellen Nakashima.
Among other assertions, the writer opined that “more than a year after President Obama made a White House speech proclaiming that the protection of computer networks was a national priority, the federal government is still grappling with key questions about how to secure its computer systems as well as private networks deemed critical to U.S. security . . . the administration is still debating whether it needs new legal authorities – to strengthen the government's ability to defend private sector networks, for example – or whether existing law allows such actions. Critics also say that officials have not adequately assuaged privacy concerns or determined the extent to which the government should regulate or collaborate with the private sector to ensure that telecommunications firms, electric utilities and other critical industries are protected against hackers . . . officials have warned of the dangers of failing to address the threat, saying that a sophisticated cyber-attack could cripple U.S. computer networks.”
Earlier, CNet News observed that “Homeland Security is weathering a deluge of criticism of its lackluster cybersecurity efforts on grounds that they have proven to be inefficient, bureaucratic and not even able to do a decent job of monitoring federal computer networks . . . Homeland Security can no longer be trusted with its cybersecurity mission and it should be handed to another federal agency.”
Cyber-attacks on the increase; U.S. response slow and ineffective; “failing to address the threat”; “inefficient, bureaucratic, not able to do a decent job”; “federal government still grappling with key questions”; “administration still debating.” Change the subject from cybersecurity preparedness to the city of New York, and it almost sounds like the same sort of apocalyptic threats echoed by “scientists” a generation ago:
Dr. Peter Venkman: This city is headed for a disaster of biblical proportions.
Mayor: What do you mean, "biblical"?
Dr. Ray Stantz: What he means is Old Testament, Mr. Mayor, real wrath of God type stuff.
Dr. Peter Venkman: Exactly.
Dr. Ray Stantz: Fire and brimstone coming down from the skies! Rivers and seas boiling!
Dr. Egon Spengler: Forty years of darkness! Earthquakes, volcanoes...
Winston Zeddemore: The dead rising from the grave!
Dr. Peter Venkman: Human sacrifice, dogs and cats living together... mass hysteria!
Before we all run out to dust off the bomb shelters our fathers built in the late 1950s, a bit of balance may be in order. Since the folks “doing cybersecurity” for the feds and the private sector do not generally have large budgets for their PR campaigns, their efforts tend to go unnoticed. But make no mistake about it—the focus and effort on providing systemic solutions to meet the cybersecurity challenges of today and tomorrow are ongoing, and to folks who are looking carefully, they are changing the landscape for the better.
Let’s make a few observations that probably won’t get picked up by the mainstream media, because they just don’t scare us into attention:
- Collaborative efforts to meet the cybersecurity threat are ongoing, comprehensive, and will be effective. The demands for agencies and security professionals to collaborate with all constituencies (government, private sector, law enforcement, education & training providers, etc.) are clear; U.S. cybersecurity czar Howard Schmidt’s recent statement that a “collaborative partnership” is the only structure for providing tangible results is spot-on. Quietly and without a great deal of fanfare, the principals are gathering the best talent, training with the best methods and gradually raising the bar for cybersecurity in ways that will only be widely understood years from now. I have witnessed it at government agencies; at the top-flight providers of talent who secure and manage America’s critical infrastructure, including the three major government networks; I have been in the meetings where hundreds of two- and four-year colleges and universities carefully have laid out their strategies to train and provide the tens of thousands of cybersecurity professionals who will be needed to secure our networks in the immediate future. Folks, people are working on this, and they are good. Even CompTIA is working behind the scenes to bring the major providers of cybersecurity credentials together in support of greater engagement with governments and IT professionals worldwide (more on that soon).
- Rash “Chicken Little” warnings will grow louder and grab eyeballs; quiet and incremental progress generally will be both unreported and ignored. Suggestions by some pundits that the U.S. issue “declaratory” responses to certain cyber exploits (in other words, if a foreign nation attacks us via a cyber-exploit, we promise that our response will be “kinetic”—real bombs and analog destruction if you touch our networks, etc.) may provide a cold-war comfort for some, but unwittingly could be destabilizing, inviting more lethality in a first-strike digital attack against an advanced digital war-making capability. Some of the reporting reflects the mistaken notion that cybersecurity strategy is a “once-and-done” process that will not survive a rapidly-evolving threat matrix. Cybersecurity is far more like washing your car than building a building. What is more painful, more regular, more necessary, but conversely far more rewarding is the slow and steady growth of a network of collaboration, training and coordination that is occurring without fanfare across our nation’s cyber infrastructure. Calmer, more reflective voices are going to the whiteboards around our world to protect the complex relationships and interconnectedness of the networks that move our global supply chain, inform our citizens, provision our water and power, and yes, defend our nation; they are coming up with specific plans and comprehensive strategies that are addressing the problem. Folks, people are on it, and they are good.
- Organizations and governments are quietly but unmistakably changing. Claims that we are being “outmaneuvered” by others may reflect a lack of appreciation for the institutional redirect now taking place across our society. We see tighter corporate and financial networks, more rigorous protection for federal systems (increasingly managed in collaboration with the private sector), and measurable progress in preparing, educating and provisioning the citizens, security personnel and the CISOs of this and the next generation. I’m proud to work with the people who are increasingly asking CompTIA to sit down at their tables and discuss how we can better provide some of the cybersecurity foundation to help to credential the present IT professional and the future cybersecurity warrior who will keep our networks safe and trusted. Make no mistake, CompTIA’s certs are not the only credentials needed, nor are they the most complex or specialized—but just as a soaring skyscraper needs a firm foundation, our networking and security credentials are being rediscovered as a vital tool for a workforce who needs skills, knowledge and experience to take their places on the digital walls that defend our nation and our way of life.
- In cybersecurity, America is going to be all right. Like the turn of a battleship, U.S. cybersecurity strategy may take time and distance to appreciate as it maneuvers; but just like that same naval dreadnaught, our formidable national strengths—our purpose, technical ingenuity and innovation, our ability to merge public and private providers to solve national challenges, our long-standing determination to preserve individual rights without draconian legislation—also will swing into clear relief. On this strategic course, we think that our nation and its cybersecurity strategy are headed in the right direction.
So folks, before we run for the exits in panic, keep in mind that some of the best people are on this, and they are good.