|< Day Day Up >|| |
It is human nature not to take precautions or mitigate risk until after something bad occurs. Who would choose a steady diet of celery sticks over greasy fries unless cholesterol levels prove to be life threatening? Why carry terrorist insurance or conduct airport shoe screenings in the absence of a 9/11-type event? Even in circumstances where there is no first-hand misfortune, we implement protective measures because the threat is so likely that precaution becomes a social norm-like keeping Band-Aids in the medicine chest, storing a flashlight in the car, or printing hard copies of valuable contracts created on a computer-or because legal or market forces create repercussions that outweigh our reasonable beliefs that the harm will not touch us. For instance, we are incentivized to carry auto insurance by virtue of laws that take away our money or privileges if we fail to buy coverage.
The core motivator behind any precaution and mitigation activity is the belief that we are individually or collectively more secure. Regardless of whether the measure actually decreases the risk, if we believe that we can affect our physical, social, or financial security, we will embrace those assurance mechanisms. As a wise friend once said, 'I don't need to know I'm right, I just need to know I believe I'm right.' Enter homeland security. . . .
The components of our national infrastructure are not new- agriculture and water, public health, emergency services, telecommunications, energy services, transportation, banking and finance, government and defense facilities, and commercial entities have existed since the origin of our country. Why is it that they are now deemed critical infrastructures and key assets that require coordination between government, private citizens, and industry? One pivotal reason is that the proliferation of computer networks and information technologies (IT) has created a cybernervous system connecting these national entities. Modern information technology advances have enhanced the individual and collective functioning of critical infrastructures, while creating a tight coupling between them that challenges our traditional security-assurance mechanisms.
This book addresses the precautions, prevention, mitigation, and recovery-mechanisms that will help companies enhance IT security at an organizational level, while contributing to the security of the larger national critical infrastructure. As such, it is the first of its kind to endeavor to translate The National Strategy to Secure Cyberspace and The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets into practical instructions for securing our cybernervous system. Although these authoritative documents do not have legal teeth, they nonetheless wield much influence on forthcoming requirements and incentives that target enterprise IT security. Without measurable processes, tools, and know-how to implement IT security requirements, organizations are deprived of the belief that they can affect their individual and collective physical, financial, and social security assurances. This book takes on the responsibility of bridging the gap that currently exists.
Although this book focuses primarily on the who, what, when, where, and how of implementing homeland security initiatives, it is helpful to remind ourselves why our organizations should stock our proverbial IT medicine chests with cyber-Band-Aids.
Our increasing dependence on technology has brought about enhanced business functionality and productivity, while exposing our organizations to more frequent and severe threats. Securing organizations in this Internetworked society demands better cooperation with law enforcement and national security operations, since they are uniquely positioned to provide critical and specialized information services beyond the capabilities of any single organization. Cyberattacks on businesses and communication networks can crush a company's bottom line and destabilize the commercial infrastructure. Law enforcement and homeland security agencies desire to protect companies through prevention measures and the prosecution and incapacitation of criminals committing computer crime.
For private-sector enterprises, business productivity and profitability are driving forces, and law enforcement is chartered with enforcing the laws designed to protect social interests, prevent criminal activity, and promote a sense of security assurance. Unfortunately, our rapidly evolving technosociety has not engaged law enforcement to the extent that we have when responding to traditional crimes and threats.
We need to culture the same trust and partnerships between enterprises and with law enforcement to remediate cybercrime and share information about threats and vulnerabilities. The goal is to reach a stage where reporting a hack or insider compromise of our digital assets becomes as second nature as reporting a breaking and entering of our physical buildings. We cannot expect to abate the frequency and severity of cyberthreats without more components of the infrastructure working together and with law enforcement to track down cyberthreats. In the end, this interface will enable more effective prevention of cyberthreats that impair your business functionality. This crosscutting of information will help your organization understand why sharing information and involving law enforcement to help resolve a cyberincident is not counterproductive to business goals.
This book can help advance public-private cooperation by identifying essential elements of an organization's policies and procedures, incident response plans, and IT security awareness programs, and partnerships that will further the goals of your organization, law enforcement, and homeland security.
In order to believe that we can take steps to enhance our homeland security, we must strive to live the model advocated in this book at an organizational level and to engender a social norm of sharing information and taking precautionary measures.
Erin Kenneally, M.F.S., J.D.
San Diego Supercomputer Center
|< Day Day Up >|| |