• Chief Information Officer, NASA

Facing Our Cyber Insecurities – How To Really Make a Difference

By · February 23, 2011 · 8:35 am

My husband, Doug, is from a little coal mining town in West Virginia. It’s actually a camp – Braeholm, West Virginia. When a company would open a mine, a small town typically sprang up at the base of the mine called a camp. Doug was born in such a camp along Buffalo Creek in Logan County. Everyone knew everyone and they all worked for the specific coal mining company that worked the mine. As Doug grew up and left, his home town maintained the closeness and familiarity that made everyone feel safe, secure, and loved. For example, whenever he sent his mother a letter or a package, the whole town knew. Eventually, word got to Ms. Edna that there was something for her from Little Doug in the post office in Amherstdale. Doug went to the General Store to buy an iron for his mother with no money. He told the owner who the iron was for – Ms. Edna. The owner handed him the iron and then said to him, “You one of Pete’s boy’s aint you?”

In the hills and hollows where, at the time, Google or MapQuest had no reach, one simply had to go to town and ask where someone lived. We were looking for one of the union stewards and asked a police officer working the town’s only traffic light if he knew where Mr. Langdon lived – “Yes, go down the street, through the alley, his house is next to the barking dog.” But before he told us, he asked with a vague familiarity, “You one of Pete’s boys ain’t you? Which one is you, Ferdinand or Doug?” My husband, Little Doug, authenticated his identity and was given directions to the union steward. People knew each other by sight or their family resemblance, left their doors unlocked and their windows open. People slept safely and securely save for the occasional alert from a barking dog.

Today, as we wring our hands over cyber security threats, we hope for Ms. Edna’s good ole’ days where we trusted everyone and we yearn to recreate those days in our current cyber threat environment. It’s time for us to face it. The good ole’ days are gone. Today’s threat environment requires us to act and behave differently.

We must first realize that the good old days are gone. I’m not from Braeholm, West Virginia, I’m from Washington, DC. In the city, we lock our doors at night and we do not leave valuables visible in our cars. Today’s environment is such that even though I have an anti-theft system in my car, if I leave my music player and my purse on the seat, I will have a broken window and lose my possessions.

We seem to think that if we have a strong enough security system, we can still leave valuables lying around for anyone to find. Our data is too valuable to just lie around for someone to find it. Anti-theft systems do not prevent theft, they just slow down a would-be robber, if anything. Whenever we think we have things locked up tightly and securely, new ways of intruding are created. Kevin Coleman in a commentary says that cyber security threats worsen constantly. If we are delusional enough to think that we can protect ourselves, he notes that a new strain of malware is created every 0.79 seconds.

How to Really Make a Difference

Personal responsibility really does make a difference. Some people think that a CIO Big Sister will protect them from themselves. Folks will click with the hopes of getting money from a foreign bank account, pictures from an attractive admirer, or simply satisfying their curiosity. The best trained users of computer networks fall prey to curiosity or a mistaken click of the mouse. Attackers just keep getting better and better at enticing unsuspecting technology users to ultimately do the wrong thing.

Public service campaigns like what we did for litter or forest fires might be very beneficial to improve awareness of cyber security challenges. Not that signs or posters that say, “Only YOU Can Keep Our Networks Secure” or “Think About It Before You Click It” will be the final solution to our serious challenges, but heightening the awareness of personal responsibility will go a long way.

Layers of defense can help also. I noticed that when I was a tourist in Europe, the security could be described loosely as soft on the outside and hard on the inside. You could cross borders with relative ease, but there are frequent checkpoints with increasingly tight layers of security. A layered defense of our networks with technology users who are both aware of the consequences of their actions and the benefit of countermeasures creates a solid foundation to build from.

You can’t win the game without good execution of the fundamentals. This means staying up-to-date on malware and virus protection, practicing safe computing, and following solid technology management practices. Monitor networks continuously for intrusions and have a plan to quickly remediate should an attack occur. Maintain the ability to quickly defend yourself.

Contain any damage or loss that might occur. Don’t walk through a bad neighborhood with your entire paycheck in cash in your wallet. Leave some of your money at home and most in a bank. While consolidation does simplify your environment to reduce the complexities needed to monitor and protect assets, maintain a balanced approach by not putting all of your assets in one place.

Be proactive by understanding the threats in your environment. Some very savvy city-folks know that if someone simply asks you for the correct time, you just keep on stepping. Correctly understanding that threat environment means that you know the desire isn’t for the correct time, but to get you to look down and take your attention off of the environment so that you can get robbed. Understand the environment that you are in, and protect your most valuable assets accordingly. Never look down and always be vigilant.

Of course, all of this is easier said than done. But, the world has changed, and our strategies must change with it. Even Braeholm, West Virginia changed. My mother-in-law passed away and the coal mine on Buffalo Creek has been closed for decades. And the isolation that bred the closeness and familiarity of those with soot under their fingernails is gone. You can even find Braeholm on MapQuest now.

Linda Y. Cureton is the Chief Information Officer (CIO) for the National Aeronautics and Space Administration (NASA). As NASA CIO, she provides the requisite leadership to transform the management of information technology (IT) capabilities and services to support and enable NASA's mission. She ensures that the Agency's information resource management (IRM) strategy is in alignment with NASA's vision, mission, and strategic goals. Accordingly, Ms. Cureton ensures the development of integrated IRM strategies, including standards, policies, NASA Enterprise Architecture, IT security, management, and operations. She has the responsibility, authority and accountability for ensuring that NASA's information assets are selected, controlled and evaluated consistent with federal policies, procedures, and legislation. Ms. Cureton was appointed as the NASA CIO in September 2009. Prior to this appointment, Ms. Linda Y. Cureton served as the CIO of the NASA Goddard Space Flight Center (GSFC) and led the Information Technology and Communications Directorate. As the GSFC CIO, Ms. Cureton was responsible for ensuring that GSFC's information assets are acquired and managed consistent with Agency and Federal Government policies. She was responsible for ensuring that the Center's Information Technology strategy aligns with NASA's vision, mission, and strategic goals. Prior to her arrival at GSFC, Ms. Cureton was the Deputy Chief Information Officer of the Bureau of Alcohol, Tobacco, and Firearms (ATF) and led the Office of Science and Technology as Deputy Assistant Director. The Office of Science and Technology is responsible for providing leadership in the innovative and efficient application of science and technology used to collect, clarify, and communicate information needed to reduce violent crime, collect revenue and protect the public. 
As the ATF Deputy CIO, she was responsible for ensuring that the use of Information Technology for the Bureau's mission and business requirements fulfill customer and stakeholder needs. Previously, Ms. Cureton served in executive positions at the Department of Energy and the Department of Justice. As a strong advocate for the practical application of technology, she has served as a member of organizations such as the Government Information Technology Investment Council, the American Council for Technology, and Women in Technology. Ms. Cureton earned a Bachelor of Science Degree from Howard University in 1980 graduating magna cum laude with a major in Mathematics and a minor in Latin. She also received a Master of Science Degree in Applied Mathematics from Johns Hopkins University in 1994, and a Post-Master's Advanced Certificate in Applied Mathematics from Johns Hopkins University in 1996. She performed extensive research in numerical analysis and has been published in the "Journal of Sound and Vibration." She currently resides in Maryland with her husband and mother.

  • http://ctovision.com Bob Gourley

    Thanks for the great post, this is full of lessons, including great analogies relevant to identity management in cyberspace. If we all knew each other in cyberspace like we do in the real world wouldn’t the online world be a safer place?

  • Rolling Thundar

    What a delightfully informative, and yet entertaining Article.
    It is always a pleasure to read such wisdom, when it is
    told on a level that even a simple man as myself, can
    understand. So many others that are in similar positions
    such as yourself, seem to always talk above those with
    whom they need to actually connect to. And they always
    seem to miss the mark.
    Hopefully Fedscoop, will take the opportunity to invite you
    to do more guest articles in the future.
    You are a breath of fresh air.
    R.T.