I suppose, being someone involved in "security," and it being the sixth anniversary of 9/11 (I guess 9/11 has become a noun now, like Christmas or Easter), I'm supposed to put out the obligatory post on my thoughts on the matter as it relates to IT security. Well, what I would ask of all you IT security folks, similar to Reagan's campaign pitch in 1980, is: "Are our networks and computers more secure" now than pre-9/11? (Again, we need words here for dates before 9/11 and after 9/11; how about B911 and A911.) Have we learned anything from this?
Well, the short answer is yes and no. We've certainly learned there is an industry in IT security. B911, IT security was a niche of former hackers and current geeks putting out stuff that only hyper-paranoid companies and people could appreciate. Granted, this industry was going to happen anyway because of the rise of the internet and e-commerce, but 9/11 gave it a shot in the arm, certainly on the government and regulated-industry end of the business. We also learned that you can't legislate good security, though that hasn't stopped the government from trying. Laws make for great headlines and good election fodder, but poor computer security measures. Look at HIPAA, the law that was supposed to secure our private health information. What did we get? More forms to fill out when you go to the doctor, and you can't call in for your test results. Remember that CAN-SPAM law of a few years ago? It sure worked great, didn't it? Why, I can't remember the last time I received a spam... it must have been like 10 SECONDS AGO!
But mostly, our government went back to the same old tired way of doing business, IT security-wise: doing the CYA IT security things and neglecting the important stuff like training and enforcing policies. The next time I see a government employee get fired for violating an IT security policy will be the first. In fact, the first time I find a rank-and-file civil employee who can tell me anything about the IT policies, I'll eat my hat. No, all these gyrations are mostly there to make the higher-ups feel protected (politically, not computer-wise) and to satisfy the auditors/regulators/insert bureaucratic functionary here. Many government and military IT systems are still woefully insecure, as we've seen from the spate of cracks, hacks and info breaches over the last few years (remember the VA? Los Alamos?). And that should have been the one important lesson to come out of 9/11. There are other areas that need to catch up too. I've blogged long and loud about the weakness in our national banking system and the havoc that could be caused there by an organized force. So it may take a digital 9/11 to wake companies and the government up and get them implementing real IT security that doesn't just inconvenience people but actually keeps out the bad guys. So in short, the IT security lessons we have taken away from 9/11 are, well, not much. But at least a lot of IT security venture capitalists are wealthier and wiser.