The Pentagon is supposedly mounting a new cyber security initiative following the loss of 24,000 files. They were actually stolen from a defense contractor but, as in any organization, the organization is ultimately responsible for the actions and activities of all subordinate elements: contractors; vendors; solutions partners; individuals.
I also use the word “loss” for a very important reason: Whether the Pentagon still has copies of the breached, stolen files or not – they are lost in the sense that their exclusivity, their protection, and their discretion have been stolen.
The files truly are not what they once were – and that is theft and loss.
Here in the BTW, we often speak of The Responsible Forward Edge (RFE). It’s a proactive, aggressive, forward posture: surveying risk, mounting protections, and conforming to best business/IT practices. Best practices means constantly updated practices, revised in step with evolving threats and the evolving security measures that counter them.
The responsible organization does this pragmatically, for sure: There’s budget to consider. Other resources factor in too: time, available personnel for implementation and support, etc. But today there simply has to be a regular schedule for surveying liabilities. Even if none seem to exist today, tomorrow they will: Our environment is not static, and the number and nature of threats are not static either.
What makes the Pentagon’s hack so dismaying is that “foreign intruders” made the theft. According to Deputy Defense Secretary William Lynn, terabytes of data have been stolen over the past decade, involving “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols.”
In this case, Lynn didn’t specify a country for the attack, or even whether it was a country versus the work of simple criminal hackers. However, a large part of the Pentagon’s new cyber security initiative is to share classified threat intelligence between defense companies. Hmmm… someone couldn’t have thought to do that a decade ago?
This should have been routine. A lesson for all organizations is to get your people thinking, imagining, and working together. Organizations should hold, at a minimum, quarterly meetings with a significant block of time dedicated to security. Employees, security-oriented and otherwise, should volunteer what they’ve heard regarding threats, solutions, and other outcomes. Qualified personnel can vet the ideas and threats, but it’s a useful exposure, and it gets the organization thinking. Remember too to solicit and share ideas between regional offices, and between all partner organizations.
At the same time, IT can warn of social networking liabilities, breach conditions to avoid, and so forth; it can also reinforce Acceptable Use, Content, Security, and other policies.
On this day, July 16th: In 1926, National Geographic takes the first natural-color undersea photos.