A few weeks ago, the US Department of Defense issued a press release announcing new rules for the private-sector firms it deals with. Contractors will be required to maintain “established information security standards”, and report breaches that result in data loss.
So far so unsurprising, you might say. We’d expect arms dealers and other firms involved in the defense industry to maintain good security practices.
It would be a bit of an eye-opener to hear our governments saying to banks, “Please keep your cash in vaults, not plastic bags.” Or saying, “Hey hospitals, when you have blood-stained waste, don’t leave it lying around the cafeteria, dispose of it safely.”
The odd thing here is not that the DoD has set these rules, but that it’s had to do so now. In 2013.
Not, say, 20 years ago when people were starting to use computers to create, store and share sensitive information of the sort that defense firms routinely deal with.
Not, perhaps, five years ago when state-sponsored hacking and online industrial espionage started becoming big news. But now, long after the requirement for cyber security became, you might think, fairly obvious to everybody.
Admittedly, the new rules mainly cover “unclassified controlled technical information” and networks that hold such data. Presumably anything considered “classified” will already be covered by much stricter regulation. But still, the unclassified stuff could well be pretty sensitive.
Defense firms are a treasure-trove for hackers. For a start, there’s an insane amount of money involved – on the same day as the rules were announced, the Pentagon granted a $5.3 billion contract, while a day that saw $109 million worth of deals done can be called “slow“.
There are also a lot of secrets, both technical information of the sort targeted by nation-state-sponsored or industrial espionage hackers, and politically-sensitive data like the hoard harvested by Mr Snowden.
Everyone should be taking at least industry standard precautions
So they should expect their networks to be the target of attacks, and secure them appropriately. If you’re a small firm that doesn’t hold much valuable technical or financial information, you should be taking “industry standard” precautions just in case. If you’re dealing in valuable technology and handling large amounts of money, you should perhaps be going several steps further than this.
And you should have been doing so for years. Ideally, in fact, from before you connected your first computer to the internet.
The problem here seems to exemplify the way security has been applied to the computer world, not as a basic first step integral to how everything else works, but as an optional add-on.
The Windows systems most of us are using may have a lot of security features these days, but for the most part they’re tacked on to the original design.
Linux, Unix and Mac OS platforms are seen by many as inherently more secure, and they may have a more ground-up attitude to security, but many aspects of this are still dependent on circumstances and need to be properly applied, something which seems to come far down the priority list in many organisations.
“Get it working” comes first, “get it working securely” only later on.
How do we expect our contractors, visitors and supply chain to behave?
I’m sure the DoD has been maintaining strict cybersecurity internally for a long time now. The worry is that it’s only now that it has demanded similar precautions from the firms it outsources work to.
Everyone we do business with, share data with, outsource operations to, sell things to or buy things from forms a part of our own security chain. A breach at any point in the chain can have an impact on the privacy and integrity of our data.
So we should demand the same levels of security from all of them that we expect to maintain ourselves. Security should be part of any negotiation for new business, any contract that we enter into, ensuring that those we deal with are doing things right and not putting us at risk through their own sloppiness.
This applies to individuals as well as firms. We should be considering the security of the websites we give our information to, be they online businesses or banks, government portals or social tools and networks. We should be giving this consideration the weight it deserves. “Is it safe?” should be only a fraction below “Does it do what I need?” in our mental processes.
We should be demanding more openness from third parties too. Everyone should be required to confirm their conformity with security best practices, and rapidly inform the world of any incident which may have jeopardised the security of data they hold.
If we can all get it into our heads that security is a basic requirement, not an optional extra, maybe we’ll all live safer and happier lives.