Thursday, November 15, 2012

Information Security is National Security - My Take on Breakfast With Former DHS Secretary Michael Chertoff

PART I – The Problem Space: The Vulnerability of the United States' Corporate Electronic Information Management Networks and Infrastructure.

  1. Many companies don’t know that they have been attacked and are infected by malware.
  2. Those who do know that they have been attacked and infected are placing unwarranted faith in malware detection tools that cannot effectively identify the nature and source of the infection they have.
  3. The majority of attacks on U.S. non-governmental (private sector) interests originate from China and are “military grade” in nature, far surpassing the detection ability of  U.S. “commercial” malware and anti-virus software applications.
  4. The weak points for attack by infiltrators are not necessarily faults in infrastructure per se, rather the weak points targeted are an organization’s cultural and behavioral dimensions which implicate policy and governance around security and data management.
  5. The majority of attacks on U.S. interests have shifted over time from attacks on “governmental” type targets, to defense industry targets, to high value IP private sector targets.
  6. Law firms, especially those with significant IP and international trade practices are prime targets for attack. Law firms are not in the information security business and many lack the distinctive competencies and IT budgets to holistically “bullet proof” their environments.
  • Chertoff Group - Consulting, business development, policy and governance. 
  • DW Legal - Legal document review, analysis, litigation readiness.
  • DiscoveryLogix, LLC - Information governance, e-Discovery best practices consulting and enterprise records management. 

Yesterday morning I was privileged to participate in a breakfast briefing given by former DHS Secretary Michael Chertoff. The event was sponsored by the leading network security auditing and defense consultancy, Mandiant.  In attendance were numerous corporate information and network security experts representing major financial institutions, law firms and other organizations with a vested interest in learning more about the evolving nature of information security risk.

While many of us in the IT and legal world have a visceral sense of the present danger posed by information espionage, appropriation and data leakage, without a national clearinghouse of metrics and data aggregating threat information, the ability to empirically quantify threats on a national level, much less strategically address them, is greatly limited. Today most organizations are relegated to handling issues in an institutional silo - without the benefit of the collective learning process that would take place if such a national cyber threat warehouse existed.

The shocking truth about the vast majority of organizations that are targets for hackers and information appropriation is that:                                 

Without holistic coordination between the stakeholder roles responsible for protecting an organization’s IP, CEIMI (corporate electronic information management infrastructure) and physical records, there will always be weak links.

As I listened to Secretary Chertoff and the other speakers discuss the state of affairs around U.S. corporate and energy sector network and information security generally, it confirmed my longstanding belief that the IT market’s next greenfield opportunities will require an amalgam of e-Discovery and network / data security skills. As an e-Discovery and information governance professional, much of my work has focused on the mapping, identification, extraction and classification of data behind corporate firewalls for litigation, compliance, RIM and M&A activity. My network security counterparts have within their purview the creation, implementation and maintenance of physical and logical barriers designed to keep data secure and prevent intrusion. In the new hybrid white hat / e-Discovery role paradigm, the skills sets are intersecting with palpable and immediate effectiveness.

Based on recent analysis of attacks on corporate networks, it is clear that we can no longer keep our heads in the sand. Awareness of a foreseeable situation creates a duty to act, and with lowered thresholds of pecuniary and fiduciary liability, it’s just a matter of time before a senior corporate executive or board member gets pilloried as an example. Based on the outcome of the recent election and heightened rhetoric about regulation, this statement should come as no surprise. The fact of the matter is that while IT and governance professionals have to continue to be ever vigilant and on top of prophylactic measures intrusion prevention, based on both known and unknown infection and attack mutation rates, we must bolster traditional measures with equally strong skills and policies that focus on intrusion management.

It’s time to face up to the fact that if and organization is in possession of information of value or has the corporate profile of a company that does, i.e. IP ligation or patent prosecution firm, there is a very strong possibility that your network has already been hacked and an even stronger possibility that it will be hacked again. Moore’s law applies to the bad guys as well as the good guys. Roughly paraphrased, Moore’s law states that hardware and software power will increase exponentially every two years. The implications of this are clear for all involved.

The private sector problem in aggregate has risen to the level of a being significant national security concern and it is now a hot button topic which has the full attention of bi-partisan committees in Washington. 

For additional information on service relevant to information security and data classification, please visit the following sites:

Please check back for PART II - How the Human Metadata Model Helps Shore Up Data Leakage Points

No comments: