Last month the big focus in cybersecurity was the agreement reached between China and the United States. It’s correct to call the U.S. – China cyber security deal historic, but it would be far from correct to call it complete. There’s simply too much that the agreement leaves out.
The biggest failure of the U.S. – China cyber security deal is that it neither defines nor enforces anything. International agreements of this kind typically rest on frameworks of well-understood concepts and language. We in the IT security world know that no such framework exists for cyber warfare today. Even if the terms were well defined, it would not matter, because the deal has no teeth. There are no inspections, no corrective actions, and no means of keeping either side on track.
It feels like there is a bit of a shell game going on. The deal is being trumpeted as the US and China agreeing to act responsibly about cybersecurity. In reality, it only defines a narrow patch of things that may be off limits. Of course, since we all know how hard it is to explain the complex issues of information security at individual, organizational, national and international levels, it’s not too hard to see why so many are so easily fooled.
People Still Misunderstand Their Enemy
It’s only recently that the image of the cyber bad guy has changed from the lone wolf in his mother’s basement chugging caffeine and eating chips to the professional cyber attacker. Now many will include the shadowy agents of foreign governments as bad guys that may come after them. However, they often feel that these bad guys aren’t really out to get them specifically.
The reality is that the bad guys are after everyone and everything. Anything that can be snatched will be taken. They take it all now and sort out what they have later. If there's any doubt of this, just look at the numbers Norse publishes. The scale of the attacks going on constantly is clear, and the only way to reach those numbers is through sophisticated, professional automation.
Why would people go to the trouble? How does $400B (that's B for billion) sound for a reason? That's the estimated annual loss to cybercrime and other cyber malfeasance. McAfee confirmed this yet again in their most recent Threats Report, and some estimates put the number much higher. In any case, there is a clear financial motive, which means there's a lot more to this than the bad guy in mom's basement and governments spying on each other.
Real Cyber Defense Means Real Change
If the strategy your organization has to defend itself is to wait for the government to step in and make deals to protect you, then the wait will be long and filled with pain. The only way to build formidable cyber defense is to start taking the advice IT security experts have been giving for years. This means putting a security voice at the executive level – maybe even at the board level.
The visibility needs to be that high because only executives can force real cyber security improvements. Many of these choices are about what your organization values. Wanting a check box to keep the CIO out of jail is different from wanting to protect your assets and your customers' data. We all know that the latter means sweeping policy, operational, spending, and behavioral changes. Priorities like these can only be established from the top down.
If you're not the executive, then what can you do? You can be a change agent and convince your executives of the need for improvement. Most CIOs simply won't have the time to see these problems in full. Ultimately change will need to come from the top, but you can be the champion who takes it there. They may label you a pain in the short term, but when it's your competitor and not you that ends up breached, you'll know exactly what to say to them. And that might be a good day to talk about a raise, too.
What are your thoughts on the U.S. – China cyber security deal? Leave a comment below.