Nuclear strategy and a new approach for delivering effective information security

I had the pleasure of hearing Joseph Nye speak about the future of power last week. Dr. Nye, former Assistant US Secretary for Defense, has been studying, writing and advising about power – in all its forms – for decades.

He discussed the dispersion of power from central governments, creation of individuals’ “cyber power”, and increase in cyber-terrorism. One of his comments really struck me: he believes that our understanding and management of cyber security issues is about as sophisticated as our nuclear defense strategy was in the mid-1950’s.

Interesting. Nuclear defense strategy in the 1950s meant schoolroom instruction to duck and cover, bomb shelters in the basements of large buildings (or dug into your backyard for only $10,000!), and making more and more, larger and larger bombs. Not very sophisticated.

There was some progress in the 1960s. The US deployed Nike missiles across the country to destroy Soviet nuclear missiles while they were still in the outer atmosphere; there was even a Nike site near my hometown.

By the late 1970s, multiple independent re-entry vehicle warheads (MIRVs) on each missile had made Nike missiles obsolete, and the sites were collecting cobwebs and dust. (This I know from experience – all I can say is: high school kids don’t make the best decisions, mothballed doesn’t mean unprotected, and high-voltage electricity will make a hole in your clothes when it exits your body. You will have to buy me a beer to get the rest of the story.)

The 1980s brought particle beams, lasers bouncing off reflectors on the moon and other defensive proposals, each thwarted by easily implemented offensive tactics. For every defense, there was an offensive maneuver. Sound familiar?

Every day there is a new information security threat. Every day the business requires new electronic capabilities that open up new avenues of attack. The transformational trends of cloud and mobile computing challenge some of the basic information security approaches of the last decade.

Just as with nuclear weapons defense, we need to supplement traditional defenses with something new. And the maturation of nuclear weapons strategy provides some insight on how we should move forward.

In the end, a more sophisticated nuclear strategy, not missile defense, is what kept us safe over the past few decades. Understanding that they could not manage a nuclear war, governments realized they must instead manage the risk of nuclear war. The nations involved took two major actions to achieve this.

First, they altered their behavior. Nations recognized a need to change their posturing, negotiation and support of proxy states to ensure that they never had to use nuclear weapons. This is a good lesson for our times as well, though not for governments but for consumers, because they have become the soft underbelly of the system.

The head of technology risk management for a major bank told me recently that his organization’s focus is on their customers. The firm had built strong firewalls and implemented a DLP system to regulate electronic transmissions in and out of the organization. They had implemented strong access control, provisioning and certification capabilities. The real soft spot, he said, is the customer.

Via old-fashioned social engineering, organized crime has focused on compromising identity and credentials before the customer ever engages with the bank. When the bad guys come into the bank (electronically), they look just like the consumer!

Consumers need to take more responsibility for their personal information and hold companies accountable for doing the same. Yet people put very personal information on the web, in blogs, tweets, Facebook and so on, for the whole world to see, providing exactly the information needed to compromise the system.

Think before you tweet the exact details of your son’s birth. Think before you write on Facebook about your trip to your father’s birthplace in the old country (really, are those your 629 *closest* friends?). Think before you use your mother’s maiden name as the answer to a security question on the elementary school website you use to access your child’s report cards. Do you think they have encrypted that information in their database?

OK, I can hear the information security executives out there saying: so I should tell my teenager for the 100th time that they will live to regret how lax they are about protecting their personal information. Tell me something new.

Well, the second thing the governments did offers very clear guidance to customers and vendors alike: a new approach for delivering effective information security. More on that in my next blog post.

Chris is co-founder and CEO of Courion, a provider of Access Assurance solutions. Prior to Courion, Chris was a co-founder and partner at Onsett International, an IT service and security consulting firm. While at Onsett, he led IT operations re-engineering, enterprise security, and global network architecture programs for several Global 500 customers and led Onsett's marketing and sales efforts to achieve 90% annualised growth over the course of five years. He holds Bachelor of Science degrees in both Economics and Political Science from MIT and a Master of Science degree in Management from the MIT Sloan School of Management.