It’s Worse Than You Can Understand

June 19, 2011

via Strategy Page

The U.S. Department of Defense is trying to improve its network defenses, and those of companies that supply weapons and equipment. The new plan is to pool intelligence and defensive techniques with the major defense companies. This is being done as a pilot project called DIB (Defense Industrial Base) Cyber Pilot. This is a long shot, as the organizations with the best Internet security are not inclined to share. That’s because the most dangerous vulnerability is someone knowing how your defenses are organized, and what kind of intelligence you are collecting (and how you do it) on the hackers. When it comes to security, the net is a very paranoid place.

Firms with the most to lose, like financial institutions, guard their data most successfully. They do this the old-fashioned way, with layers and layers of security, implemented by the best (and most highly paid) people and pushed by senior managers who take the time to learn about what they are dealing with, and what it will take to stay on top of the problem.

It’s different in the defense business. If the Chinese steal data on some new weapon, there might be a problem years down the road, when the Chinese offer a cheaper alternative to an American weapon, for the export market. But even that problem has a silver lining, in that you can get away with insisting that those clever Chinese developed your technology independently. Meanwhile, everyone insists that there was no espionage, cyber or traditional, involved. As a further benefit, the American firm will get more money from a terrified government, in order to maintain the American technical edge. It’s the same general drill for military organizations. But for financial institutions, especially those that trade in fast-moving currency, derivatives and bond markets, any information leaks can have immediate and calamitous consequences. You must either protect your data, or die.

Because of the shortage of high-end Internet security people (it’s complex stuff, and a lot of the best people are lured away to the dark side), there is not enough talent to go around. Then there’s that disinclination to share. Sharing with the government or defense contractors is seen as a particular waste, as these organizations lack sufficient short-term incentives to stay alert and reliable.

Continued here.