It seems that we are so focused on the information and technology for answers to cyber security and mitigating risks, we forget our first priority should be the people who are using and abusing these systems and information. It is especially necessary to focus not only on the outside threat agents but also on those people who have authorized access to those systems and information.

In today’s information world environment that a cyber security officer must work in, it is much more than just high technology. You, as a cyber security officer, must understand this world and also us humans, as all these topics have a direct bearing on the protection of information and information systems—cyber security. They include such things as:

To be successful, the cyber security officer should have a varied background not only in such things as computer sciences but also in psychology, criminology, social science, geopolitical matters, international business, world history, economics, accounting, and finance. Also, the more foreign languages the cyber security officer knows, the better. Volumes have been written about each of these topics. It would behoove the cyber security officer to have a working understanding of each of these topics, as they all affect the cyber security officer’s ability to successfully establish and manage a successful cyber security program. There are few professions today that offer the challenges that face the cyber security officer, whether that person is in a government agency or business—no matter what country or business that person works for.

Cyber security officers must understand the world in which they will work in order to be successful. In the past, this understanding was generally limited to the company or government agency in which that person worked, and to its computer systems, which were isolated within the company or government agency or even just in one’s home. The cyber security officers generally were once concerned only with the events that took place within their respective working environment or living environment or even just within their country, as what happened outside of that limited world usually did not affect their work or life. However, that was in the past.

The environment of the cyber security officer that may affect the protection of information and information systems is now global in scope, and high technology and global networking are changing more rapidly with each passing year. This new global environment and its associated high technology must be clearly understood. This is because it is all integrated into a driving force that will dictate what must be done to protect the information systems and the information that they store, process, display, and transmit. It will also determine how successful the cyber security officer’s information systems security program, now generally referred to as cyber security program, will be in providing protection at the lowest cost to the business or government agency.

Today’s computer system environments—networks that span the globe—are all based on the microprocessor. Microprocessors have become cheaper and more powerful at the same time. This is the primary cause for their proliferation throughout the world. Some say that today’s cell phone has more computer power than the computer systems in the vehicle that landed on the moon.

When we think of computers, we sometimes look at them as very complicated devices, when in fact it is not that difficult to understand the basics at least. Computers are composed of hardware, the physical pieces; software, the instructions to the computer, which can be altered; and firmware, which are instructions embedded on a microprocessor. The process includes input, process, output, transmit, and storage. Your cyber security program can be broken down into these elements and each looked at to defend as a separate entity and then in a holistic manner.

Of course the more a cyber security officer knows about how hardware, firmware, and software work, the better position that person will be in to protect those systems and the information they process, store, display, and/or transmit.

In many of today’s information-based nation-states, we have been able to network thousands of systems because of the rapid advances in high technology and cheap hardware. We have built the information systems of the nation-states’ businesses and government agencies into major information infrastructures some call national information infrastructures. A stand-alone computer system (one with no external connections between it and other computers) today is relegated to a small minority of businesses and government agencies. We cannot function in today’s business world and in our government agencies without being connected to other information systems—both national and international.

The protection of information systems and the information that they process, store, display, and/or transmit is obviously of vital concern in this information world. Many nation-states are already in the Information Age, progressing into what some call the “Knowledge Age,” with many other nation-states now entering the Information Age and yet many more close behind. This will obviously complicate the problems of the cyber security officer, as in this case the phrase “the more the merrier” describes something a cyber security officer does not want to deal with, because it means more threats, more vulnerabilities, simply by connecting to their systems.

The cyber security officer must understand that the cyber security program, once it is too costly, is outdated, and does not meet the service and support needs of the business or government agency, will be discarded or ignored. So, one of the cyber security officer’s challenges is to facilitate the networking of systems nationally and internationally while protecting company information and systems, but mitigating the risks in a cost-effective manner.

To provide a cost-effective cyber security program, the cyber security officer must continually keep up with high technology. That person must be familiar with technological changes in general and intimately familiar with the technology being planned for installation within his or her business or government agency.

The cyber security officer must understand how to apply information protection (cyber security) and integrate it around, and onto, the new high technology. Failure to do so would leave the information and his or her systems vulnerable to attack. In that case, the cyber security officer would have a serious problem—possibly a job security problem—if a successful attack occurred owing to the new-found vulnerability brought on by the newly implemented technology.

The cyber security officer could delay installation of the new high technology until a suitable information protection “umbrella” could be installed. However, in most businesses, this would be considered a career-limiting or career-ending move. In today’s business world, the phrase “time is money” is truer than ever. In today’s and tomorrow’s highly technology-based environment, innovation and flexibility are key words for the cyber security officer to understand and apply to the company’s or government agencies’ information protection program.

Thus, the cyber security officer has very little choice but to support the installation of the new high technology and incorporate information protection as effectively and efficiently as possible. And one of the ways to successfully provide that service and support is to keep up with technological changes.

The global collection of networks that evolved in the late twentieth century, and continue to evolve in the twenty-first century, to become the Internet represents what could be described as a “global nervous system,” transmitting from anywhere to anywhere facts, opinions, and opportunity. However, when most security and law enforcement professionals think of the Internet, it seems to be something either vaguely sinister or of such complexity that it is difficult to understand. Popular culture, as manifested by Hollywood and network television programs, does little to dispel this impression of danger and out-of-control complexity.

The Internet arose out of projects sponsored by the Advanced Research Project Agency in the United States in the 1960s. It is perhaps one of the most exciting legacy developments of that era. Originally an effort to facilitate sharing of expensive computer resources and enhance military communications, over the 10 years from about 1988 until 1998 it rapidly evolved from its scientific and military roots into one of the premier commercial communications media. The Internet, which is described as a global meta-network, or network of networks, provides the foundation upon which the global information superhighway will be built.⁸

It was not until the early 1990s, however, that Internet communication technologies became easily accessible to the average person. Prior to that time, Internet accesses required mastery of many arcane and difficult-to-remember programming language codes. However, the combination of declining microcomputer prices, enhanced microcomputer performance, and the advent of easy-to-use browser software created the foundation for mass Internet activity. When these variables aligned with the developing global telecommunications infrastructure, they allowed a rare convergence of capability.⁹

It has now become a simple matter for average people, even those who had trouble programming their VCRs, to obtain access to the global Internet and with the access search the huge volume of information it contains. The most commonly accessed application on the Internet is the World Wide Web (Web). Originally developed in Switzerland, the Web was envisioned by its inventor as a way to help share information. The ability to find information concerning virtually any topic via search engines from among the rapidly growing array of Web servers is an amazing example of how the Internet increases the information available to nearly everyone. One gains some sense of how fast and pervasive the Internet has become as more TV, radio, and print advertisements direct prospective customers to visit their business or government agency Web sites.

An important fact to understand, and which is of supreme importance for security and law enforcement professionals, is that the Web is truly global in scope. Physical borders as well as geographical distance are almost meaningless in “cyberspace”; the distant target is as easily attacked as a local one. This is an important concept for security and law enforcement professionals to understand because it will affect their ability to successfully do their jobs. The annihilation of time and space makes the Internet an almost perfect environment for Internet robbers. When finding a desired server located on the other side of the planet is as easy and convenient as calling directory assistance to find a local telephone number, Internet robbers have the potential to act in ways that we can only begin to imagine. The potential bonanza awaiting the Internet robber, who is undeterred by distance, borders, time, or season, is a chilling prospect for those who are responsible for safeguarding the assets of a business or government agency. As the ISSO, you have responsibility for deterring these miscreants, as well as helping security and law enforcement personnel investigate them.

It also is unprecedented when we consider the increasing percentage of the world’s population that enjoys this access. More and more information moves online and becomes available to more and more people, causing fundamental changes in how we communicate, do business, and think of the world we live in. Consequently, there are also fundamental changes in how criminals and miscreants commit crimes.

Throughout much of human history, the educated elites of every culture have jealously guarded their knowledge. Access to knowledge, whether in written or spoken form, was often the source of the elite’s privileged position and often allowed them to dominate or control the great uninformed masses of uneducated humanity—information was and still is a means to power. “Outsiders” were never granted accesses to the store of wisdom unless they were inducted into the privileged elite. Now, however, the average Internet traveler, wherever resident, with little more than a fast modem and a mediocre microcomputer, can access, analyze, and/or distribute information around the world on almost any topic.

Some pundits decades ago had concluded that we now live in an era in which there are “no more secrets.” By some estimates, early in this century there will be more information published and available online than has ever been accessible in all the libraries on earth. How this torrent of information will be managed to ensure that Internet robbers do not wreak havoc and dominate the Internet, or have power over others, is now (or should be) the primary objective of every security and law enforcement professional whose business or government agency travels the Internet.

So, what do you think of our current environment? Are we winning or losing the cyber security battles and wars?

When multiple computers (whether microcomputers or larger) are linked together by various communications protocols to allow digital information to be transmitted and shared among the connected systems, they become a network. The combination of tens of thousands of organizational networks interconnected with high-capacity “backbone” data communications and the public telephone networks now constitutes the global Internet. However, there is a major difference in this environment that is important to consider for security and law enforcement professionals.

When the isolated byways of individual business or government agency networks become connected to the global Internet, they become an “off-ramp” accessible to other Internet travelers. The number and diversity of locations that provide Internet “on-ramps” are vast and growing. Today, one can access the Internet from public libraries, cybercafés in many cities around the world, even kiosks in some airports. These and other locations provide Internet on-ramps to anyone who has a legitimate account—or an Internet robber can hijack one from an authorized user.

Typically a business or government agency will use centrally controlled computers, called servers, to store the information and the sophisticated software applications used to manage and control its information flow. These systems could be equated to a superhighway interchange.

Commonly business and government agency networks are considered private property and the information they contain as proprietary for the exclusive use of the organization. These business and government agency networks are connected to large networks operated by Internet service providers who provide the equivalent of toll roads and turnpikes—the highways for the flow of information.

Too often careless managers fail to take adequate measures to safeguard sensitive information, which results in premature disclosure with attendant adverse impact. The major part of the controllable risk arises from inadvertent disclosure to the ever-vigilant eyes of Internet robbers and others, such as competitive intelligence analysts with Internet access.

When the Internet was limited to scientists, academic researchers, and government employees, such a collaborative framework was probably a very cost-effective means of controlling the virtual world. However, in the early 1990s, for the first time there were more commercial sites than educational and governmental sites using the Internet. Since that time matters have become increasingly complex. The informal array of social sanctions and technical forums for cooperation is no longer capable of ensuring a modicum of civilized behavior.

Almost everyone working in America has been exposed to some form of computer technology. From the front-line retail clerk at the local fast-food franchise, to the Wall Street analyst, to the farmer planning his crop rotations, individual work performance has been substantially enabled by the widespread proliferation of microcomputer technologies. But the macro impacts on organizations are in some ways less remarkable than they have been for individuals. Go to any good computer store, or better yet, if you have Internet access, browse the Web sites of major microcomputer manufacturers. You will discover a wide range of systems with memory, speed, and storage capabilities that would have been descriptive of large, mainframe-type computers in the early 1980s. For example, a large regional bank in southern California in the late 1980s operated its electronic wire/funds transfer machine with only 48 MB of RAM and 120 MB of disk storage, and the system transferred billions of dollars nightly for the bank. Now a much greater performance is available to anyone with a few hundred dollars in a cell phone.

In business, it has become in some ways a David versus Goliath world, in which the advantages do not always accrue to the organization that can field the bigger battalions. Advanced information technology was once the province exclusively of governments, the military, universities, and large corporate entities. This is no longer true. Now anyone with a modest investment in hardware and software can acquire a powerful processor and attach it to the Internet. It should be obvious that criminals and those with criminal intentions also have access to powerful information technology. The question remains: How will they use it?

As we consider the potential for criminal actions directed against organizations, it is critically important to consider these factors. The same information technology we use to manage our organizations can and will be used by savvy Internet robbers to the detriment of governments, businesses, and others.

When powerful microcomputers are networked, the communication capabilities inherent in these arrangements multiply their value. A single microcomputer standing alone is little more than a sophisticated typewriter or calculating machine. The real power comes when individual machines link together to create networks that will allow the flow of information from one person to the entire world. As a case in point, consider the story of Russia’s transition from communism. When the military coup against Gorbachev occurred in the early 1990s, the military plotters seized control of all the classic means of communication: newspapers, telephones, and radio and TV stations. However, the anti-coup forces quickly drove their message on the Internet to get word to the outside world of the situation, and timely communications played a significant part in defeating an attempt by the most powerful military and police apparatus on earth to regain power over the Russian people.

The capabilities brought to the individual by the Internet are considerable and growing almost daily. One example is the ability to sign up for investment services from low-cost brokerages and stock market advisors and enjoy the kind of timely advice that for generations has been the perquisite of the rich and powerful classes. Grass-roots political organizing and civic action are also enabled. For example, in California, a concerned parent scanned into a database and posted on a Web page the details of the state’s list of sexual predators/pedophiles, thus allowing average people to determine whether there was a registered sex offender residing in their neighborhood.

From shopping for homes and automobiles, where online services promise to eliminate the brokers’ monopoly of information, to traffic, weather forecasts, and directions prior to trips, the Internet is providing more information to more people every day, and we are only at the beginning of that process! The major trend here is clear: There will be more information accessible to more people than has ever been possible in the past. How this information power will be used ultimately depends on the ethics and motives of the individual: Internet robbers can use such power negatively.

Whereas the innocent e-mail user sees only increased speed and volume of communication, security and law enforcement professionals must understand how damaging even one message could be to a business or government agency. A single e-mail message could contain the whole strategic business plan of the organization or the source code to a breakthrough product and could be transmitted anywhere on earth in a nanosecond.

To show that this threat is much more than theoretical, consider the allegations involving two leading Silicon Valley software companies, A and B. Company A accused rival Company B of theft of trade secrets and proprietary source code. Company A’s management alleged as one element in their complaint that a former Company A employee used his company-provided Internet access to transfer source code of key products to his own, personal account. The employee then tendered his resignation. Upon arrival at his home-based office, the now-former Company A employee allegedly downloaded the stolen source code to his home computer system. Employed as a programmer consultant by rival startup Company B, he reportedly used the purloined source code as the foundation for a remarkably similar product created at Company B.¹⁰

Another example is a former employee of Company X who was accused of transmitting the source code for a new digital device to rival Company Y. This scheme apparently was discovered only by accident when the highly confidential materials created such a long message that it caused the e-mail system to crash and allowed a system administrator to discover the purported scheme.

These two incidents are drawn from press reports in the media, and it is likely that they are only the very tip of the iceberg. In fact, many organizations do not have the security systems and technologies to detect similar incidents. Because of the adverse publicity and the prospect of a lengthy criminal justice process, even those businesses and government agencies that have been victimized by Internet robbers frequently do not report similar incidents to the proper authorities.

Currently the most common and growing destination for the Internet traveler is the business or government agency Web site. For the Internet traveler, Web sites are a combination of superhighway billboards, banks, shopping malls, rest stops, and even fast-food delivery services. All of these services as well as hundreds of others can be found located at the on- and off-ramps to the Internet.

These Web sites are used by businesses for advertising, public relations, and marketing, as well as to sell or deliver products or services to Internet travelers.

Web sites may contain and dispense government information concerning everything from how to prepare and submit forms, to descriptions of the most wanted criminal fugitives, to recruiting advertisements for future employees. Even the most secretive U.S. government agencies such as the Central Intelligence Agency, the National Security Agency, and others have established Web sites that provide useful information to Internet travelers.

Business and government agency Web sites are often the targets of miscreants, juvenile delinquents, and other Internet robbers. Successful attacks against these Web sites can be disruptive and destructive of the reputation of the sponsoring organization. Therefore the protection of the Web site should be an important part of the business or government agency plan for using this technology.

After all, you must be in compliance with the laws, so obviously, you first must know what they are. In addition, knowing them and working with the legal staff will help support your case to executive management when you show the connection of why you are running a cyber security program or particular parts of it. You should be able to get the legal staff to support your case by having them explain what happens when you do not safeguard the corporate owners’ assets. Yes, assets protection insurance is one way to handle risks; however, the corporation must still be in compliance. An insurance corporation should obviously demand it, as security would still be required.

As the cyber security officer, you should search the Internet and identify such laws and regulations. There are also international standards to consider. Know them and implement them in a cost-effective manner using risk management/risk analyses methodologies.

Another example is from the National Institute of Standards & Technology (The Framework Core):

The Framework Core is a set of cyber security activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cyber security risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cyber security risk. The Framework Core then identifies underlying key categories and subcategories for each of these functions and matches them with example informative references such as existing standards, guidelines, and practices for each subcategory. This structure ties the high-level strategic view, outcomes, and standards-based actions together for a cross-organization view of cyber security activities. For instance, for the Protect function, categories include Data Security, Access Control, Awareness and Training, and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference that supports the subcategory “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” of the Data Security category in the Protect function.