More Than a Job!
Another re-post from my internal NSA blog, from about 2009. A bit of contemporary commentary follows.
I had occasion to dig through some historical stuff, and happened upon a quote I keep printed on a single sheet of paper.
"Information Security (INFOSEC) attacks generally succeed because the attacker has embarked on an adventure, whereas the defenders are just working at a job."
I think this comes from a well known book from "back in the day" (very early 90's??) - "Computers At Risk: safe computing in the information age" - from the National Research Council, Computer Science and Telecommunications Board, which featured many bright folks as I recall, a number of whom are still in the business.
I originally kept this quote around because, frankly, it irritated me. As a lifelong "defender", I refuse(d) to see my job as less worthy or less interesting or less of an "adventure". But sadly, there is a nugget of truth in this. Not because defenders are inherently lazy or don't care, but because we've allowed an ecosystem to develop that overwhelms the defense with mundane, grunt-level tasks just to keep thing operating.
A variation on this quote used by some is
"Attacks succeed because the attacker attacks the system, whereas the defenders are just protecting their turf."
This has an even larger element of truth inside of it. What this implies - that Defense has evolved in a fragmented way, with only local visibility of vulnerabilities and threats, and no unifying controls or even themes for us to fight defense at an enterprise or ecosystem level.
Over time, this quote and the variation have become less of an irritant, and more of an inspiration. A reminder (and a leadership challenge) of my responsibility to make defense an adventure too, equal in spirit and fun to the offense; and to do everything I can to turn our local-turf fight into a system-level defense.
Adventure, anyone?
2021: The differences between attack and defense were a very large part of my primary career at the National Security Agency. If anyone is interested, I plan to write a lot more on the cultural and practical issues of working in a place that had both missions, as well as the unique opportunities that gave me.