It is interesting to read the developments in the recent attack against Google, a.k.a. “Aurora”.
What I find perplexing is the fact that even after a recent formal protest by the US State Department to the Chinese authorities, many concede that there is little or nothing the US government can do to retaliate. Apparently, this is not the first time. According to State Department spokesperson Phillip Crowley, “Similar concerns have been raised in the past on numerous occasions”.
So what can we really do?
This is an example of the complexities the world faces with the proliferation of the internet. While the political ramifications are many and complex, and outside the realm of the technological debate, the question that we need to pose is – “What can we do technologically?”
Technologically, corporations need to become self-reliant in matters of information security, which includes everything we have been doing all these years and much more. We need to accept that “zero days” can undo the best work we have done and put the organization at risk. How do corporations balance budgets, corporate responsibility and shareholder value, and yet manage this risk effectively, when there are known underground sites that openly “trade” in zero days in the name of research?
We need to avoid making security a mere “checklist” requirement; rather, we need to realize that information security is tied to the business, and neglecting one means risking the other. We need to educate knowledge workers, we need to take a proactive stance on matters relating to cyber security, and we need to avoid the “EQSM mentality” (EQuipment-based Security Mentality), something I have been advocating for years.
In addition to that, C-level executives need to understand the risks that are involved and cannot wait for a major incident to occur before they pay attention to what many infosec professionals have been trying to tell them for years.
In most of my global speaking engagements, one question seems to come up over and over again – “How do I convince the C-level executives in my organization about the risks we face, so that they will pay attention to the changes I would like to propose?”
A remedy for this could be education-based proactive action, over and above what we are doing now; we are learning painfully that equating the strength of an organization’s security posture with its IT security budget is nothing but a placebo.
Unfortunately, it is incidents like these that remind us of the fragile state we are in and the vast amount of work that lies ahead of us.