On information security: advice from the private sector to the representatives and senators of the U.S. Congress. If only the Arab world had this kind of private sector, and if only the Arab world had this kind of representatives and senators.
Although this advice was delivered to the U.S. Congress, it is relevant for every sovereign entity and every organization in the 21st century.
Mary Ann Davidson is the chief security officer of Oracle, responsible for secure development practices and security evaluations and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center (IT-ISAC), has served on the U.S. Defense Science Board, and is on the editorial review board of SC Magazine. Recently, she delivered a presentation before the Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. Here is a short summary of her advice on information security:
- People must consider the threat environment of software before, not after, deploying it. The flexibility of software leads many people to think you can use anything anywhere, but you can’t. The time to figure out what you really need is during procurement, not after. And although price is always a consideration, it is also true that you get what you pay for in software, as in anything else. Taking an example from the military: the Navy does not purchase container ships and then deploy them as aircraft carriers, nor does the Air Force buy Gulfstream Vs and configure them as F-22 Raptors. (Nothing is wrong with container ships or Gulfstream Vs, but they are both designed for different operations and threat environments than aircraft carriers and Raptors.)
- For many organizations, information technology (IT) really is the backbone of their business. Therefore, these organizations absolutely need people who understand what technology can and cannot do. They need to know what technology can do in order to fully utilize it in support of their business, and they need to know what it cannot do so they do not take asymmetric (and unmitigatable) risks. Taking an example from the military: the U.S. military’s entire ability to prosecute war rests upon an IT backbone; the military cannot outsource IT, which has become a core mission. It also needs career paths for offensive cyberwarriors as well as for those who must maintain and defend its IT systems. General George Patton understood that if the Third Army ran out of gas, it would not be able to perform its mission. Today’s net-centric armies run on information and are equally out of business if the informational supply chain is disrupted.
- You are in a conflict—some would say at war—and should call it what it is. Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing your systems for weaknesses, infiltrating your networks, and making similar attempts against your businesses and critical structures, is there any other conclusion? Whatever term one uses, there are three obvious outgrowths from the above statement. One is that you can’t win a war if you don’t admit you are in one. The second is that nobody wins on defense. And the third is that you need a doctrine for how you intercede in cyberspace that covers both offense and defense and maps to existing legal and societal principles in the offline world. Taking an example from the military: you should consider developing a twenty-first-century application of the Monroe Doctrine. The Monroe Doctrine stated that efforts by European governments to interfere with states in the Americas—the Western hemisphere—would be viewed by the U.S. as acts of aggression and that the U.S. would intervene. The Monroe Doctrine is one of the longest-standing U.S. foreign policy tenets, invoked on multiple occasions by multiple presidents. The U.S. has, as the expression goes, sent in the Marines—and the rest of its armed forces—to support it. I noted that the Monroe Doctrine did not detail the same or even a specific intervention for each perceived act of aggression but merely laid out “Here is our turf; stay out or face the consequences” language that allowed great flexibility for potential responses. Some may argue that cyberspace is virtual and unsuited to declared spheres of influence, but even Internet Protocol addresses map to physical devices in physical locations—a server for a utility company in New York or a bank in California, for example. Invoking a Monroe-like doctrine in cyberspace would put the world on notice that the U.S. does have cyberturf and will defend it.
- Not all of the above advice is relevant to all organizations, but for many of them, IT is mission-critical. That means that these organizations must know their threat environment, train both warriors and defenders, and draw a line in the cybersand. Too many of us are at war and don’t know it.