Since the news of military systems in the U.S. and U.K being breached coupled with the report that the U.S. power grid was hacked and mapped plus the accounts of extortion against utilities and corresponding blackouts, many organizations and individuals have come out and said the cyber threat is overstated. In fact, recently one individual basically called the WSJ’s and its sources’ credibility into question over the article about the power grid being hacked. Many times these individuals carefully select their words and use descriptors like ALL, TOTAL, ALWAYS, NO, EVERY, NEVER, or ENTIRE so never to be wrong. For example one article I just read talked about taking down the ENTIRE power grid. Ok, what if an attack took down Boston, Washington, New York, San Francisco, Miami and Philadelphia – would that not be really bad???? If that is not dangerous enough, many of these same organizations and individuals claim the multiple reports (even the ones U.S. Strategic Command delivered that warned of cyber acts of aggression) are released to further political interests and turf wars in our nation’s capitol. These comment and writings do nothing more that detract from the attention critical infrastructure security is being given. 

Then they take it one step further and claim the stories are made up when officials refuse to answer question due to an on-going investigation or the information is classified. At one conference a man argued with a presenter and when the arguer was asked if he had a security clearance or ever had a clearance he said “I don’t need one.” In one specific cyber event that I was involved in, the internal security folks said, “Our systems are secure – no one can get in.” Well we already knew that the system had been penetrated when he made that statement.   We, were waiting for the ok to inform them given their breach was discovered as part of another investigation.   Last week it happened again! A security event took place and the company’s person in charge of security incisively argued that it had to be an inside job – his security could not be penetrated. Well after losing days looking into the insider accusations and finding nothing, the investigation turned external and low and behold it was a sophisticated hack and attack from outside. If the insiders (employees) who were son incisively accused of perpetrating the hack knew about the acquisitions, I am sure they would take immediate legal action.

 

Almost weekly, I am surprised at one or more aspects of cyber attacks that I had never considered. I am not the only one that experiences such humbling events on a regular basis. In a discussion with a federal agent from a three letter agency he and I talked openly about how most organizations are at risk and don’t even realize it. I will never forget his words. He said, “Many corporate security people suffer from delusions of grandeur. They think they know but really don’t.” If that was not bad enough, there are a lot of security people that are driven because their ego is so big, that they always have to be at the front and no one could beat then and breach their security. I have seen firsthand how those responsible for security allow their ego to interfere with good judgment.  Anyone who thinks their security is beyond the possibility of being compromised should find a new profession. We have had significant success integrating psychological aspects and factors into our work so I asked our Psychological Aspect (News - Alert) Subject Matter Expert (PASME) about this. She told me about a psychological study of security professionals that revealed some interesting dominant personality traits.  People with dominant psychological aspects like self-adulation, intellectual arrogance and selective perception seem to be drawn to the security field.   The developed profile seems to indicate security professionals show a high degree of cooperation, which is unusual given that the field is inherently one of conflict, of defenders versus adversaries. The high level of cooperation might reflect a weakness given the aversion to conflict. Security professionals also scored unusually high on the facet for activity level, indicating the preference for a busy life-style with the need to balance many activities. If security professionals live their lives that mimic their personality preferences, then this could possibly result in the professional missing important security information due to not having the time or inclination to focus on any one particular area.



Conclusion

Not respecting your opponents’ abilities is one of the best ways to compromise our national security and the security of our organizations. I, like most of the people I work with, wake up every single day and wonder – what is it that I don’t know that I need to know about? Are there attacks that are complex, sophisticated and represent a danger to our national security and the security of our businesses and economy? YES. Are there reports that are slanted to drive hidden agendas?  YES. Somewhere in between the two ends of this continuum lies the truth. In a Verizon (News - Alert) report on 2008 data breaches they found there was a staggering 285 million records compromised. This figure exceeds the total records compromised for years 2004-2007 combined. Also in 2008, as many as 93 percent of the security breaches were targeted hacking (front door) attacks. The fact is the time to lock the door and install the alarm system is before you are robbed, not after! Aggressive action is needed now to secure our systems and infrastructure. Let’s not let the egos of some of the rogue security practitioners write a check we have to cash, because it will be a really big one!