Is Draconian Security the Answer?
Let’s face it—the US is losing badly in a cybersecurity and information warfare struggle (even though President Obama’s cybersecurity czar seems to be in a state of denial concerning this situation). US and UK government systems have been repeatedly riddled with data extrusion attacks that began years ago with the onslaught of attacks dubbed the “Titan Rain” attacks (or possibly even before). US corporations have not been spared from the same fate, either, as evidenced by the more recent so-called “Aurora” attacks. Organizations have implemented firewalls, intrusion detection systems, intrusion prevention systems, network access control, identity management systems, data loss prevention systems (some of which are decisively better than others), virus walls, password filters, password checkers, anti-virus software, Trojan detection software, endpoint security measures, and more. Although these measures have done some good in terms of repelling attacks, they have failed to adequately safeguard systems, applications, data, databases and networks from a large percentage of attacks, particularly those originating from the People’s Republic of China, currently the number one international cybersecurity saboteur nation.
The information security community has not idly watched the events and trends that have occurred. Many information security professionals have warned the organizations that they serve about current information security risks, only to be scoffed at, rebuffed, ignored, and/or chastised. At the same time, these organizations have often taken a “soft shoe” approach to information security. Information security policies and standards may be in place, but when “push comes to shove,” there is often little chance that they will be enforced. Given the data security breach-related statistics and the immense number of government-sponsored security incidents that have occurred, however, at some point in the not-too-distant future it is extremely likely that executive-level management will turn to the information security function for options concerning a new direction in information security. Given what has happened in the past, what should information security professionals say?
I wish that I had a perfect answer, but, unfortunately, I do not. One approach advocated by a growing number of information security professionals is to implement “draconian” security. Draconian security means that organizations “play hardball” with respect to security. Right now, if a system administrator fails to configure systems according to baseline security standards or to patch systems in which new vulnerabilities have been discovered, the administrator normally faces few, if any, consequences. If a user opens an attachment that appears to be from someone the user knows, but the attachment is from a spoofed identity and it results in the installation of malicious code on the user’s machine, the incident is typically dismissed as “just another user incident.”
What if organizations got really serious with respect to information security? What if system administrators who “slacked off” with respect to their security-related duties were severely reprimanded or even terminated for failing to perform their responsibilities? What if users who opened a deadly attachment that ultimately resulted in every PC within their local area network being infected were dealt with similarly? Would there be fewer information security incidents, and more importantly, would there be fewer high-impact incidents?
The answer is “yes,” but would draconian security measures have a negative impact upon employee performance and morale? The answer again is “yes.” At the same time, however, draconian security is not exactly a new concept. A member of the armed services or a defense contractor can easily end up in prison for leaking defense secrets. The “terms of endearment” are readily understood by armed services members and contractors. Given the present hugely elevated level of cybersecurity threats, why should the same level of understanding not be conveyed to, and then enforced among, employees and contractors of organizations?
The counterargument is as follows: information security is too often viewed as the “business prevention department,” the “department of no.” Would draconian security cause an uprising that could result in the widespread demise of information security programs? I leave the argument here—your opinions are always welcome.