As Harry Sverdlove of Bit9 told me at RSA, cyber security tends to be reactive -- waiting for the problem to happen before anyone attempts to stop it. And then we have the problem of where security takes place -- with the end user. A number of security experts at RSA mentioned to me that we tend to put the onus of security (and blame when things go wrong) on the end user.
So who should be taking the lead in cyber security? The government? The private sector? According to an article at nextgov.com, the private sector isn't doing its share. The article stated:
Companies own 85 percent of the critical infrastructure, and they have been unwilling to invest what is needed to protect against cyberattacks, James Lewis, a senior fellow at the Center for Strategic & International Studies, told the Homeland Security cybersecurity subcommittee on Wednesday.
Many companies don't try as hard as banks because investing in cybersecurity just doesn't pay off. It "requires them to spend on nonproductive assets. They will not get an increased return on investment" by installing cyber defenses, Lewis said, so they don't do it.
Anup Ghosh may have put it best on his Invincea blog: "What the hell are we waiting for?!?" He wrote:
I've heard it discussed by security pundits, some of those within the mainstream press, former White House and Intelligence Community officials, and even certain folks on the Hill on many an occasion – the notion that a seminal event likened to a "Digital Pearl Harbor" or "Digital Katrina" is needed before any significant sweeping changes will occur in InfoSec. The unfortunate reality is that while the Hill and Big Business wait for a "Digital Pearl Harbor" to take InfoSec seriously, we are suffering under "Digital Chinese Water Torture" or perhaps "Death by A Thousand Cuts." Every day that passes without sweeping change in how we engineer our systems to be secure vs. servicing the problem means another drip here, another cut there, and irreparable losses occurring across industry and government as our networks are pillaged and looted.
Do we need tighter security regulations for the bulk of the private sector, as the nextgov.com article suggests? Maybe the first step should be to decide at which end to start dealing with security. Should it begin at the front end, or should security be left to the end user? I don't think we can make a lot of headway until we collectively decide who should be in charge of cyber security. Yeah, I know, good luck with that.