5 Current Myths in Cyber
These myths are holding us back. We need to think more critically about the implications and impacts.
Myth 1: “Information Sharing” is the Answer
This is a really big myth that emerged after the 9-11 Attacks. If only the CIA and FBI had shared information about the attackers being tracked, maybe the terrorists would have been stopped.
We have made only minimal progress in information sharing, and the problem is not the information (or intelligence) itself; it is the ability to understand it and to take decisive action. Only once we have a cadre of professionals who understand it and have the authorities to act will info sharing truly be a benefit.
Myth 2: Attribution is impossible
Actually, we have become much better with regard to attributing acts of nation-state actors as well as individuals. Using other forensic clues such as MAC addresses, hops, etc., we have a better idea of the bad-guys' location even if it is masked with, for example, TOR (The Onion Router).
The real issue is that the bad-guys DON’T CARE. China and Russia, even if identified, have not been dissuaded from freely penetrating both governmental and private servers worldwide. Recent indictments by both Administrations show that it is possible to identify them. The real concern is if and when they cross the line from cyber-espionage to para-kinetic (or even kinetic) effects against another country. The Rules of War continue to be hotly debated. Let’s see how that changes in the near future.
Myth 3: Privacy is the Same as Security
Privacy is about “data protection.” The emergence of NIST 800-171 and the National Cybersecurity Framework (NCF) is about protecting Controlled Unclassified Information (CUI), Personal Health Information (PHI), etc. Security/cybersecurity is much, much broader and requires a network mindset, not just a data protection priority.
Your Privacy Officer will certainly have no interest in patch management, continuous monitoring, or risk assessment challenges. These two are not equal and their protections are far different.
Myth 4: It’s about keeping the bad-guys out
As Mr. Snowden showed, the bad-guys can be either on the outside or “trusted” individuals inside your security perimeter. The insider threat is real. It requires not just the actions of security personnel, but leadership.
We need to stop treating cybersecurity as a problem only for the cyber-specialists. It requires the support and resourcing by leadership truly committed to protecting the network.
Until senior leaders are fired for failing to protect the company or agency. THANKS MARRIOTT for making my point.
Myth 5: The Offense is Easy
Yes, we could slip into the offense, but what would be the costs? It crosses us into the Rules of Warfare and the implications of many international treaties that open the government, as well as our businesses, to potential civil and criminal liabilities.
While our military, for example, is protected under Title X of the United States Code (USC), the same cannot be said for companies or agencies that decide to hack-back. Any offensive actions should be left to the US government.
Do not be dragged to The Hague. Leave that for current and future Administrations.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implements RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.