One of the interesting things I have observed in the development of personal computing, the development of the Internet, and the rise of our technologically connected world, is the change in our language. Particularly the written, now mostly typed, word.
The language we use is indicative of the way we think. One of the strengths of the English language is its adaptability and its specificity. It is hard to tell by listening to most of us, but the English language is one of the most precise of languages. Which makes the changes in usage and thinking all the more telling.
It appears the most common spelling of the term for securing operations in a technologically networked environment is “cybersecurity.” I have an issue with this spelling, vice cyber security or even cyber-security. Cybersecurity as one word belies a thinking that it is a thing into and of itself, a discreet object, rather than a significant aspect of a much larger and more involved process.
At a recent AFCEA Bethesda Breakfast on Cyber Security I listened as the panelists told us about what they’ve accomplished during the past year, and what is on their agenda for the near future. What struck me as a common theme in this discussion was the reference to the reliance on individual members of the organizations to be a part of the solution. Yet, at no time did any of the panelists articulate a plan for training that workforce.
I have written, said, lectured, screamed, in the past that the greatest gap in cyber security today is the gap between the chair and the keyboard.
During the discussions and collaboration involved in developing the Dept. of Defenses Directive-type Memorandum 09-026 The Responsible and Effective Use of Internet-based Capabilities a uniformed military officer complained, “I hear all this talk of ‘Web 2.0’ and ‘Gov 2.0” but when am I going to get my USER 2.0?” My response was: “As soon as you train them.” Sadly, this has still not happened.
Technology is not the problem. Our failure to develop strategies, tactics, techniques, and procedures to adapt our organizations to the new reality is the problem.
Organizations must decide if their approach to cyber space is a fortress to defend or a field of maneuver. How you approach this environment will determine what resources you put toward the effort. If you believe in the fortress approach, your spending will be on firewalls, encryption, and technology that will be in the hands of a select few while the majority of your workforce will carry on with their day-to-day work usually finding ways to subvert your safeguards because your safeguards block their ability to accomplish their day-to-day work. After all, in his or her minds, someone else is responsible for the cyber security. They have never been asked to contribute other than to take the yearly Information Assurance and Operation Security online training which does very little for them except once a year remind them that it is someone else’s responsibility after I watch this video. In an employee’s mind, if it was so important they would give me better training.
Holistically, cyber space is the actions of human beings facilitated by the technological network. Nothing since hard-surfaced Roman roads have changed human behavior like the World Wide Web. Hard-surface Roman roads were a network technology, built by the government and laid out in public, which gave rise to developments that became the strength of what is now described as Western Civilization. Roman citizens were no longer reliant on subsistence farming. They began building communities at the intersections of the technology and purpose. They devised new was of living and diversifying their wealth. They began to live their lives differently.
In this Networked Age, people are finding they can now do things they have never been able to do before. They are finding ways to be more efficient and effective in the things they do. They have access to information in greater variety, greater quantity and at greater speeds than ever before in human history. They are changing the way they live their lives because of the technology that is now in the palm of their hands.
Do they care if their activity puts your system at risk? Yes, I’m sure they do. Or at least they would if they truly understood where the dangers are. Today, it’s someone else’s problem. The IT gatekeeper and engineer are the ones that keep watch and keep the walls strong. If your mental model is a fortress that must be defended.
I believe cyber space is a field of maneuver. Our adversaries and our children see it this way. In basic infantry training I learned team and squad movement tactics. It was each members responsibility to keep your eyes open and be watchful for obstacles and dangers and when one was spotted or even suspected, it was your responsibility to tell someone; a simple, yet very effective tactic. Why is cyber security not trained the same way? Why have we not established reporting systems within our organizations for members to report anomalies?
US-CERT has a central role in the network of cyber space today. An agency of the Dept. of Homeland Security, US-CERT’s web site is undergoing renovation to become more relevant, more user-friendly, and more valuable to US citizens in cyber space. The US Government is reaching out to citizens in cyber space through the National Institute of Science and Technology’s National Initiative on Cyber Education. These are efforts to help citizens understand and report anomalies and bad behavior that lead to crime in cyber space.
Where are the organizational initiatives that will help train members of the organizations in learning to maneuver in cyber space? Where is our basic cyber infantry training? These are the people who are the edge of our organizations everyday. We need to train, organize, and equip them to better meet our collective needs in this Networked Age.