As the cyber world of information comes more and more under threat, and as the theft of information continues to increase, the irony is that perhaps the best way to counteract cyber threats is actually by sharing information.
Effective cyber security requires that public and private institutions, from government agencies to colleges and corporations, not only share information, but share policies as well. A well-structured set of policies that is the same across many different systems can create an effective barrier. Such policies can defend against cyber attack, provided that part of those policies is to share information on various threats and possible backdoors that can lead to data theft, hacking and the spread of computer viruses.
Some elements of the cyber security world are advocating an elimination of compliance-based models that require everyone to follow the same protocols. They wisely realize that this simply won’t work in the long run. They are advocating a more adaptive model where information sharing allows real-time adaptation to evolving threats. While this type of approach would actually work and be able to function long term, it does have one drawback. It requires a whole lot of smart people, who can think outside the box, to always be in the right positions at the right time. There aren’t that many think-outside-the-box people, even in the cyber world. Sooner or later, you will run up against an unimaginative fellow who simply follows the manual. He then becomes the weak link in the chain.
Do we need policies? Yes, we do. But there is a problem with across-the-board policies, even if we need them. Any skilled intelligence agent will tell you, once you’ve gained his trust, that policy itself is a backdoor. It doesn’t matter what form it takes, as long as it’s spread wide enough. Policy creates predictability. Predictability means that people are behaving in a particular manner. That behavior can then be analyzed for faults and weaknesses. And, since nobody’s perfect, there will be faults and weaknesses.
Cyber warriors, just like any other warriors, want to know the enemy, and an enemy operating under strict policies is easier to know. You know that if you do “A” he will respond with “B” every time. That means the enemy can be manipulated, once you find out what his policies are. You can give him what he expects to see and have him chasing his tail while you are undermining his security by doing things that he doesn’t expect or that his policies don’t cover. Human beings need rules, and policies are necessary for security. However, when you come right down to it, there is no substitute for initiative and imagination. This is especially true in the data management field, where whole swaths of technology and management systems can become vulnerable or obsolete overnight. While policy can help, it can never fully protect cyber space from one smart guy with a keyboard.