Advisor: U.S. needs policy to defend cyberspace
Robert Lemos, SecurityFocus 2009-02-19

ARLINGTON, VA — As the Obama administration embarks on a 60-day review of the United States' cyber policy, an advisor to the president's campaign argued that the government needs to quickly come up with answers to a few thorny cyberspace questions.

Advisor: U.S. needs policy to defend cyberspace 2009-02-23
WTFO
Does anyone really think one person knows everything going on in the shadows of CNA and CND? The short answer is NO! Policy won't do jack $*(@. What is the policy going to say, "We have zero tolerance for attacks on our networks."? Look, you aren't going to start WWIII with China for hacking networks because for one, they have plausible deniability to state their government computers aren't the ones attacking. They have the luxury of allowing private computers and citizens to traverse the great firewall of China and turn a blind eye. It doesn't take a rocket scientist to deduce that. That is the difference between us and them. They will allow their citizens to launch these attacks but we will put ours under the jail. Secondly, they aren't going to extradite anyone for hacks traced back to China. The policy dies right there. You can't afford to impose sanctions on China since they are our industrial might now. This is a moot discussion. Until we can afford to not have any reliance on China, which won't happen, these attacks won't stop. If you really have sensitive information, put it on a highly secured network that doesn't have connectivity to outside networks. Anyone reading this knows which networks I'm referring to. The only other alternative is to have strong consequences for having sensitive info sitting on unsecured networks. Put the responsibility on the data owner to secure it. If people need access to the data, then give them accounts on the high security network. Find a new way to do business, people. I know you are the government, but there is a great concept called business process improvement and change management. Heck, I know there is a process to move data back and forth between security levels utilizing the security manager. Certify more people in data security handling and use the existing process, but make spillage consequences higher. You'll weed out the idiots.
