We’re at War – Cyberwar

In case you’ve not been following the news with regard to *government* breaches:

All three of these news articles were released within the past few weeks. The reality is that our networks are being probed and attacked regularly. This isn’t a FUD (Fear, Uncertainty, and Doubt) post. Rather, it’s an awareness post. Typically you have to be aware of a problem to be able to deal with it successfully. Every first world nation is aware of the level of warfare that’s going on nowadays. However, when talking with folks who aren’t in IT security, I get a sense that most “regular” folks don’t. That needs to change.

The reason it needs to change is because part of what allows the attackers to be successful is our own ignorance and lack of action to take reasonable steps to tighten things down. By the way, none of this is new. There’s a whole host of books on the topic, like America the Vulnerable, which cover previous breaches… at least what’s been publicly reported. The amount and type of data that has been stolen is simply astonishing.

The attacks are not going to slow down. In fact, as we tighten down certain parts of our infrastructure, attackers are going to look for an easier way in. That’s potentially why the USPS and NOAA were hit. Also, nation state players are not going to stop at military and diplomatic secrets. Industrial and economic espionage is important, too. If I, as “Big Bad Nation,” can assist my own country’s industries by passing on the secrets my government operatives stole from other corporations, why wouldn’t I? After all, if I am already okay with sending attackers after those corps, I won’t have a moral conflict with sharing the stolen information with my countrymen.

Which all means we need to continue to be serious about security, seek ways to tighten things down that make sense, and in general become better educated and more aware. It’s easier to prey on an ignorant, unaware adversary than one who is watching and ready to fight back. That’s common sense. It behooves us to transform our organizations to be that aware and ready opponent.

Guest Editorial Live on SSC

My guest editorial is live on SQLServerCentral.com. My argument is a simple one: we don’t care about data and IT security. I don’t just mean IT folks. I mean most everybody. I include myself in this characterization. I know a few exceptions, but they are truly exceptions.

In the editorial I include links as to why I make such an assertion. The TL;DR version: despite repeated breaches, our behavior hasn’t changed. Therefore, while we say we care, what we put into practice shows that we don’t.