Consider the information technology and security environment. Between the dot-com collapse of 1999 to late 2000 and the stock market plunge of 2008, the economic engine of the information age eroded, and the market since then really hasn't recovered. Sure, the points go up and up (then crash), but volatility remains and trust has not returned. People continue, shockingly, to pay off credit cards and save money rather than spend. There might be a bit of sarcasm in that last point. To summarize the economic state: the bastion of American systems, the information age economy, has been outsourced, down-resourced, insourced, and in general messed with by dark-suited executives sitting in C-suite wings, until you'd have to be crazy to get into information technology as a career, and information security specifically. Here are some crazy ideas about where we may be going.
Now, I admit I teach information technology, and specifically I teach government and military students information security. So I have a dog in this fight, and I like eating vittles and drinking warm beer. So understand that the following discussion is a story on a website you didn't pay squat to see, and an opinion on what is happening, not necessarily what I'm going to teach in a class. So no hanging the professor from the lamp post because you disagree. Just move along and keep doing the same infosec garbage we've been doing for 40+ years with the same failing results.
Some opinions you might take as facts:
- Information technology is costly and is becoming increasingly integrated into business processes.
- Information security was defined and has evolved as a computational and technology discipline since the 1960s.
- Increasing unemployment, volatile stock markets, globalization, information age changes in products, and declining industry in America make for a fluid market.
- Technology continues to converge into smart devices, and the monolithic desktop and laptop have given way to distributed, task-specific and pervasive technology like cell phones and tablets, sometimes anchored by a laptop.
This has led to a set of concepts or theories that I think the federal government will follow in information technology acquisition. To be sure, I have zero visibility into the acquisition processes of the federal government, and I like it that way. I think, and have seen in my own experience (anecdotal evidence only), that some of the concepts that follow are already being done in industry or are appearing as patterns of behavior in the general information technology world.
Concept 1: Before there were cell phones we made you buy your own land line for your home
The ubiquitous BlackBerry on the hip of so many government employees is a badge announcing to all that I'm important. The leather case that is basic issue takes on significance and has social implications among co-workers. The problem is that the device is carried not only by senior leaders but by the janitor.
Prior to the pervasiveness of cell phones, people were required to have a home phone so that work could contact them in case of emergencies. This was true at all levels of the organization. When I was a young Marine, before I could move off base I had to have a phone line for recall. Where did the principle of me providing that service become them providing that service? Well, the cell phone and BlackBerry are special. You see, even though most 8-year-olds own one, government employees see it as a benefit, and enterprise architects add it as part of the government organization's information technology infrastructure. Security is one principle that is cited, but that argument quickly erodes once you realize that loss of the device decreases security considerably, and that when the utility of the locked-down device suffers, people have a tendency to work around it or carry a second device, which at best doubles the exposure and more likely decreases security exponentially. The up-front and service costs of this device, put into about any risk management framework that accounts for the reality of loss and subsequent exposure, make nearly zero sense.
If it was good enough for Grandpa, it is good enough for me. The cost of the BlackBerry and its associated service alone could radically reduce the government information technology budget if done away with. You are required to have a phone we can call, and it is up to you whether it is going to be a cell phone. You are required to answer it, though, if you want a job.
Concept 2: I can make you buy a laptop it is part of the dress code
This idea is part of a much larger concept, which is information codes of behavior. The basic premise is that the current way of making people use monolithic devices in the information technology realm is completely unsuited to people, technology, or information security. The castle wall doctrine of information security is very well suited to humans with limited cognitive ability and conceptual skills, best rooted in the recipe of information security strategy. The "recipe strategy," what is that, you ask? Open any Security Technical Implementation Guide (STIG) from DISA (or any NIST checklist) and you'll get a good idea what that is... I digress.
Simply put, the current way of doing things is completely backwards from what could be the reality, and the way we do things is very expensive. I have a dress code where I work; I should have an information code. I should provide my laptop, and the information technology environment should support that. We are interested in protecting information, not systems, and we want people to use what they want to use. Unfortunately we are locked into three- or four-year refresh cycles that are very expensive. The management of help desks, and the poor support that we get from them, is one indicator of how wrong this problem can get.
The information age employee is a spoiled pig. I mean that in the lovingest terms. Go to any mechanic, plumber or carpenter and ask them who buys their tools. It is the craftsman, the person who does the work. You think that information age workers are so special? Go explain to a middle America working guy that you spend upwards of $5K a year in infrastructure per information worker in some areas, and see what they say about who should be spending the money. I averaged to get this number, but understand that Gartner has great numbers behind their pay wall, and I bet government is higher.
I make you wear a suit; I can make you buy a computer. I know nobody likes that, but too bad. There are other benefits to this, such as protection of assets, one place for everything (the Franklin Covey principle) and all of that. If there is interest, some day in the future we can dissect all of the ills in the current marketplace of ideas and information technology and why the entirety of the industry is all messed up. You have to start with 1950 and lab coats and work your way up through IBM weenies singing the company song.
Concept 3: Ubiquity, usability and pervasiveness increase security
What, you say? These are hallmarks of insecurity in our networks! Pervasiveness and usability can decrease confidentiality and inhibit integrity within the network! The corruption of infosec thinking is obvious as soon as the tired anecdotes are trotted out. I think we can agree that a distributed denial of service is a systemic disruption acting against the availability service within security. However, we don't often consider availability when it is the information technology staff that are creating the denial of service. Egregious password policies, large complicated systems that fail often, failure to take resilience into account, and so much more are systemic disruptions against availability from the user's perspective. You have to ask what the real cost of information technology security is, and how much my internal denial of service actually costs.
A senior leader in the federal government started requiring that costs be tracked for meetings. How much did taking people out of productive pursuits for an hour-long meeting cost? In the business world, one of my previous employers did something similar, and you had better be able to show how it fed profit or decreased losses if you called a meeting. If it takes a computer 15 minutes or more to boot, or the software load requires multiple reboots a day because of the security software loaded on it, then worker time decreases by that much. That is an information technology tax on the organization. In a world peopled by holistic thinkers we'd be charging that amount back to the information technology department. Adding or layering security controls with similar or exactly the same capabilities may be a belt-and-suspenders approach, but it harms the users. This feeds back to the monolithic systems structure of information technology in general.
In legal circles, courts are not interested in hearing Ninth Amendment challenges. If the Ninth Amendment is considered too deeply, everything becomes a right, and courts fear that anarchy in general will result. Information security professionals likewise try to limit how far availability is considered, except for specific corporate needs, and ignore their own attacks against this service. They throw up the word SECURITY as if it were a shield against logic and reason. If they took availability into account across all the operating cases that have to be considered, the picture would be none too rosy.
The availability service has to be considered when designing and managing systems. If systems are unavailable, then you're going to have people going around the security mechanisms completely. There was spying and there were data breaches long before information technology became computational or automated. This is a new way of thinking about information security for this generation, but you have to start thinking about protecting the information and flattening or distributing the systems so that the environment is relatively benign. Currently, information technology leaders (CIO, CTO) are incentivized to grow empires, and the vendor army is ready to support that. Sooner rather than later, the juggernaut of centralized data processing will have to fall to the distributed model and cloud structure. The future is now.
These concepts are driving a substantial shift in how information technology and security will be considered in the future. The leadership of information technology and information security is going to be totally against changing a model that is based on strict control and is very brittle. Hierarchical systems have a tendency to build more hierarchical systems within their span of control. This leads to cronyism and various forms of graft and self-perpetuation. The cost model is no longer sustainable, and people won't accept the strict controls if they own the devices, so the model must change. I think the model will change, but we'll continue to teach and talk about how to perpetuate the old one. We'll continue down that path until we look up one day and whammo... the world will have changed and everybody is wondering how. There are opinions, facts, and what you will likely do. There is also what will be done to you. Information technology is becoming a service like water, electricity, sewer and cable television. You don't have to like it, but the reality is in the wave of change cascading over you right now. Information technology and information security will never be perfect, and the pursuit of perfection will only create failure.