Here's my contribution to the current cyber-security FUD thread. I've been
mulling this piece over for a while now, and it can certainly apply to a few
different companies in this particluar market. Seeing the current debate, I
feel justified in posting this essay to NANOG.
-rf
Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
Richard Forno
Essay #2002-12
(c) 2002 Richard Forno. Permission granted to reproduce and distribute in
entirety with credit to author.
Some say that cyberspace is the new battlefield, with its own unique rules,
challenges, and concerns for those charged with defending it. If one does
consider cyberspace a modern battlefield, intelligence must naturally play a
key role in developing appropriate, proactive defenses. Regarding
battlefield intelligence, military strategist Sun Tzu wrote that "what is
called foreknowledge cannot be elicited from spirits, nor from gods, nor by
analog with past events, nor from calculations. It must be obtained from men
who know the enemy situation." That's sound advice.
During recent months, hardly a week goes by without some reference to some
firm's findings or statistics on hackers, crackers, cyberterrorists, and the
general state of internet security as they see it. Many times these reports
are marketed as cybersecurity "intelligence."
As a security professional - and someone 'on the front lines' of the
cyberspace battlefield - I'm both curious and dubious about the whole
'cybersecurity intelligence' business concept, and wonder what it takes to
both become a 'cybersecurity intelligence' expert and make money at it, too.
:Here's my contribution to the current cyber-security FUD thread. I've been
:mulling this piece over for a while now, and it can certainly apply to a few
:different companies in this particluar market. Seeing the current debate, I
:feel justified in posting this essay to NANOG.
After reading the rest of the essay I thought, what a luxury it
must be to afford so much integrity.
Most of the people quoted in the news media on IT security issues
earned their credentials in the military or policing worlds.
Many of them have a very specific worldview as a result of
their professional background. If you have encountered many of them,
you might agree that their perspective on technology is often
a little more mullet-and-moustache than cloak-and-dagger.
I have not seen the intelligence business model done very well, with
the exception of a couple that I think are truely excellent.
It is pretty evident that most of the people in that business
think that CIO's want to spend money catching hackers instead
of selling more widgets. I can see why, seeing as that's what
they did for a living before retiring into the private sector.
They are highly experienced professionals, it's just that some
of the expertise sometimes doesn't translate as well as one
would hope.
However, what the mullet-and-moustache crowd knows and alot of the
IT security industry doesn't, is that when CNN says cyberattacks are
imminent, businesses will want to get what they pay for, and free geeky
editorial isn't going to cut it.
It's a question of authority, and when it comes down to an ex-spook vs.
"an area consultant" when they're writing a story, the one with the most
cachet and authority wins.
So, to all the crusading FUD-busters out there: You've been had. While
you've exasperatedly been trying to convince your boss that there are
more serious technical problems and that this FUD is a red herring,
she's been watching CNN trying to figure out what her customers are
going to do.
Date: Thu, 21 Nov 2002 16:04:50 -0500
From: Richard Forno
Here's my contribution to the current cyber-security FUD
thread. I've been mulling this piece over for a while now,
and it can certainly apply to a few different companies in
this particluar market. Seeing the current debate, I feel
justified in posting this essay to NANOG.
Sadly, more people will read the "Terrorists Plan to Blow Up the
Internet on 1/11!" article I saw on the cover of a tabloid while
in the checkout line tonight. Have we finished recovering from
all the doomsday damage that occured when 1/1/2000 came?
