Why The Difference of Opinion on Cyber Threats?
Despite the rash of recent high profile cyber attacks, a clear difference of opinion remains on the potential danger of cyber threats. Some individuals, governmental agencies, and organizations stress the growing threat of cyber attacks. Others have not yet fully grasped this reality and either by underestimation or lack of relevant knowledge, believe there is no greater danger now than there ever was.
How can these two contradictory conclusions be drawn for the same set of facts? Well, the truth is that there is no one set of facts. In fact, given our current system of classification, some organizations are blissfully (or dangerously) unaware of the number or scale of cyber threats to which we as a country are exposed.
Having worked in the federal government for many years, I know that agencies tend to categorize every discussion, including e-mails, as classified. It becomes standard to label these discussions as secret or confidential, without any real thought behind the sensitivity of the material.
Once information pertaining to a cyber attack or data breach is stamped with this classification, private-sector contractors have a difficult time obtaining information on these cyber threats. The intelligence is usually classified for a minimum of ten years.
Without knowing this classified information, it’s very difficult for companies to truly understand the prevalence and gravity of the cyber threat. Even with a Freedom of Information Act (FOIA) request, the details are extremely difficult to obtain; and that FOIA request takes time, sometimes years, to be completed. At that point it is too late to do anything about the initial or subsequent threats.
Government Policies Kick Start Discussion on Cyber
The Executive Order on Cybersecurity is a chance to open the lines of communication between government and the private sector. It aims to have agencies, companies, and system integrators address the issue’s significance.
As private contractors and government agencies continue to work together, their communication needs to address cyber security. And this includes, perhaps, modifying the current codes, norms or procedures for classification. When the target is no longer just the government, the government needs to provide sensitive information to the private sector in a more expedient manner. Cooperation and coordination, not classification, will be the keys to thwarting the cyber threats we most certainly face.