Misguided CyberSecurity Policies Hurting the War on Terror?
"From an IT perspective, we are losing the war on terror. The bad guys are winning because we have convinced ourselves that our networks are so insecure, and that we are unable to protect information on them, that we don't put information on our systems." Gilman Louie, President and CEO, In-Q-Tel.
The Black Hat Briefings, a major cybersecurity conference, included a keynote address from the senior executive of In-Q-Tel, an independent, private, and entrepreneurial not-for-profit company. In-Q-Tel's mission is "to deliver leading-edge capabilities to the CIA and the [greater US Intelligence Community] by investing in the development of promising technologies."
The In-Q-Tel official noted that little progress in information sharing had been made since the 9/11 attacks almost four years ago. As the executive explained, "We fundamentally don't have it. We are crippled beyond your wildest imagination. We can't even get a simple thing like e-mail to work across agencies" due to lack of trust.
Mr. Louie also expressed serious concerns about the real-world consequences of the failure to appropriately share information. "People are going to die. Attack is imminent. London is coming to the United States."
According to an article in Government Computer News, Mr. Louie has a straightforward solution to at least some of the problems bedeviling US security efforts. "Shoot all the lawyers in the room [and] shoot all the 'Dr. No's,' policy-compliance types who blindly insist on layers of security that inhibit rather than enable the use of information. Either educate them, get rid of them or send them to Siberia."
Although many stakeholders may be tempted simply to cheer or deride Mr. Louie's rather provocative comments, the real challenge for responsible officials throughout government and industry is to incorporate the core concept of the remarks, the need for using, not just protecting, information, into workable policies.
Developing and implementing more effective IT policies may require a shift in thinking that moves beyond the possible CYA inclinations of some stakeholders. Some officials with policy responsibilities may need to improve their understanding of the real-world information needs of various affected parties. However, other stakeholders may need to improve their understanding of how policies are crafted amid often conflicting requirements. Furthermore, stakeholders need to understand the importance of standardized policies that clearly define responsibilities and processes, provide accountability, and, ideally, produce measurable results.
See Government Computer News story
Black Hat website
In-Q-Tel website