Thursday, March 15, 2012

Commerce Secretary John Bryson Doesn't Understand Cyber Espionage

U.S. Department of Commerce Secretary John Bryson wrote an editorial for Politico entitled "The New Face of Corporate Espionage", in which he provides a high-level overview of cyber espionage. While his motive is laudable, his content reveals a not surprising lack of knowledge about the threat. I say "not surprising" because I can count on one hand the number of senior government officials that I've met who understand the complexities of this problem. The give-away in Secretary Bryson's editorial is this sentence: "many cyber-intrusions could be prevented by implementing sound cybersecurity practices."

That's absolutely false. While many companies can do much more than they're presently doing, we're talking about adversaries that are adaptive. If the targeted corporation implements poor security, the attack vector will take advantage of an obvious flaw which "sound cybersecurity (sic) practices" could have remedied. However, that doesn't mean that the attack won't happen. It just means that the adversary will find a different attack vector, or build a customized one (aka a "Zero-day") to mount a successful breach. The solution to cyber espionage isn't in implementing "sound security practices", nor will it be found in the passage of any of the cyber security bills currently before Congress. The U.S. will only begin to save its intellectual property from cyber thieves when corporate boards of directors force CEOs to inventory, segregate and monitor their critical data in real time, which usually means re-architecting their entire network.

If Secretary Bryson is truly committed to saving American jobs by reducing the amount of cyber espionage being conducted today, then he needs to hire someone who understands the reality of the threat to advise him on the threat landscape. Then the Secretary should go on the road, visiting board rooms and stressing the need for each corporation that's invested in high value technology R&D to do what it takes to address this problem in an informed, serious, and dedicated way.
