Yesterday I had the pleasure of attending “Supply Chain Security - Do you know who your insiders are?” by Bob Hutchinson, Senior Manager, Sandia National Laboratories’ Information Security Sciences Group.
The key aspect of his presentation that I took away was the National Labs’ ability to control and prevent compromise of the Nuclear Weapons supply chain, and that the lessons learned from almost 7 decades of experience could be applied to the supply chain risk of Information Technology. We’ve solved most problems before; it simply takes effort to find where.
This analogy led me to investigate a bit more and I discovered Bob’s statement to the United States House of Representatives Committee on Energy and Commerce, Subcommittee on Communications and Technology. His 4 key points are:
- While strategic data theft of intellectual property and national secrets has become a focus recently, do not lose sight of the malicious data modification threat.
- Examine and be aware of the Information Technology aspects of your supply chain, from the software applications and patches to the sub-components of each piece of hardware (and its obvious supporting software, firmware).
- While developing the manner and mechanism for Cyber information sharing between Government and Industry, there must be a strategy associated with it. This strategy could then be used to assist in an adversary “self-identifying.”
- Identifying the Nation’s noted “profound shortage of qualified cyber security experts.” He adds that, having been tasked by DoE, Sandia has built “a program that’s more like a medical residency than a trade certification” and that this model is much more appropriate to creating the requisite cyber security experts for the nation.
If you’re reading this blog and don’t know who Bruce Schneier is, shame on me for not introducing him earlier.
With heavy roots in Cryptography, he is a current day leader in security, especially in the information realm. I recommend checking out his blog (and it should be required if you work in this sector). He has written a whole host of books, including Liars and Outliers: Enabling the Trust that Society Needs to Thrive, which was just released in February 2012.
One of the things Bruce points out in the video above is that we overestimate risks in environments we do not control. Remind you of what is going on with cyberspace and my recent comments? He also notes that in security “feeling must equal reality” in order to be both secure and successful. I have felt this way for several years but had yet to qualify it in this succinct manner. I fully agree that in order to really accomplish security the equation must look like this:
Feeling of Security = Security Reality
If this equation is biased toward one side of it or another you have an offset that will ultimately lead to a security failure. What do you think of this philosophy and equation?
“You should never never doubt what nobody is sure about!” -Willy Wonka (from Willy Wonka & the Chocolate Factory)
I find this a perfectly applicable quote for the Cyber realm as of late. Everyone seems to want to discuss this area, and yet very few have any actual expertise to do so. We’ve got everyone striving for the Information High Ground, from performing contractors to dueling Senators. That is great and all, but more government or rules and regulations have rarely solved significant issues, let alone aided in providing a solution (especially in the near term).
So what does that mean? We’ll continue to get a large potpourri of “experts” clamoring on about things they have little knowledge about which will really only help cloud the real issues. Who have you seen helping to cloud or hinder the issues?