During the past 18 months, the topic of security has been explored in the pages of SIGNAL Magazine in dozens of articles and in at least a half dozen commentaries. Security also has been a priority for AFCEANs worldwide whose responsibilities range from ensuring network security to offering professional training, to enforcing disciplines and compliance and investing in technology. We know that we must set the bar very high and demonstrate that intrusions or disruptions of our networks is not an option. As information technology professionals, we recognize that security is a social, legal, technical and cultural issue and are working hard to cover all the bases.
Immediately following the attacks of September 11, 2001, the entire nation went to DEFCON 1 for both physical and cyber security. Acknowledging that the freedoms enjoyed by our society—to travel, to communicate, to socialize—not only left us vulnerable but also facilitated the planning of the attacks, government and law enforcement agencies took a closer look at aspects of everyday life in a way they had never done before. It has been a tightrope walk, with the necessity to increase security on one side and the responsibility to protect citizens’ rights on the other.
Following the attacks, with the visions of burning buildings and destroyed lives fresh in our mind’s eye, we were at a state of high alert that continued for months. Government agencies and corporations, always security conscious about their information systems, pondered the impact a cyberattack could have on their organizations. They realized that losing the information systems they had grown so dependent on could have devastating consequences.
Industry answered the call for security solutions. Whether technologies that verify identity for physical and computer access or collaborative tools to help coordinate intelligence, the capabilities that have sprung forth from businesses have been nothing less than remarkable. The dedication that these professionals, many of them AFCEANs, have shown in securing our nation and our networks demonstrates that many people realize that our nation is at war, and not just in the desert.
The government continues to remind citizens that dangers still exist and the commercial sector has created new security tools, but it is time to take the next step. Threat awareness and weapons of defense are ineffective without action. In cyberspace, we have become content with firewalls and passwords, rarely preparing for the consequences of a cyberattack or the efforts involved in reconstituting data and systems. If organizations are not careful, they will leave themselves open to a catastrophic event that will reawaken them to the security requirements that should be enforced daily.
The U.S. Defense Department knows the value of preparation and persistent vigilance. For many years, the department has conducted training and exercises. Most recently, with the aid of networking technologies developed by industry, the armed forces have engaged in war games that test readiness and yield valuable lessons. Over the past decade, the military has learned about best practices from industry. Now, it is time for the commercial sector to take a lesson from the military.
Because industry is as important as military strength to the security of the United States and the world, it is imperative that protecting the systems on which businesses have come to rely is a top priority. Every company, large or small, should consider setting aside the time and resources to conduct “war games” or drills that test the security of their systems. These events can determine the impact that a cyberattack would have on commerce and reveal what it would take to restore things to normal after an attack.
For its part, AFCEA is prepared to help companies with this very important activity. This month, Rear Adm. Paul E. Tobin, USN (Ret.), executive director and vice president of AFCEA’s Educational Foundation, has been tasked with developing a course that will teach firms how to conduct these cyberattack readiness trials. This class will include network defense, attack response and data reconstitution. Initially, the course will be designed to tackle the special challenges small businesses face. Once refined, however, it may evolve to help medium and large organizations as well.
Through war games, the services examine all aspects of engaging the enemy—from protecting the forces to defeating the adversary to improving tactics. Industry must equally prepare. Security efforts can only be effective if they fuse people, policy, purpose and power. Personnel must be trained, and policies must be developed and enforced. The purpose must be well defined, and courts must have the authority to hold cybercriminals accountable. Neither physical nor cyber security can be assured unless all of these elements are developed and rehearsed. Preparation and practice offer the best means to do this.
Edmund Burke said, “The only thing necessary for the triumph of evil is for good men to do nothing.” Protecting and defending networks requires action. AFCEA’s next action step is to offer a course to aid in self-assessment through war gaming.