What's the cost of bringing down the government? Priceless.
It is as if the world has gone mad. Serene Bali scarred forever, "credible threats" of terrorism at home, Australia's Prime Minister threatening pre-emptive military action in Asia, North Korea declaring its nuclear capability, old foes Iran and the US looking towards military cooperation in an Iraq invasion, the Syrian president in London meeting the Queen, and the US issuing a new nuclear policy threatening the use of "small" nuclear weapons against anyone who uses "weapons of mass destruction" against them (read terrorists or Saddam).
With the world falling apart all around you it is tempting to focus on those nagging technical questions that have been plaguing you and your team. Think again. Your nightmares are about to get 10 times worse.
Ever attended an estimates hearing in your portfolio? Imagine senators Robert Ray or John Faulkner dissecting your every action and decision in front of the nation's media as you try to stumble through an explanation of why your security processes should have stopped the terrorists from bringing down a key element of your system.
It is mid 2003. In the packed committee room on the Senate side of Parliament House, you look to your minister for support against the torrent of questions from the hard men of the ALP. Your minister stares straight ahead with a glassy stare. Then you remember the minister's press release issued back in November with its now common refrain: " . . . on the advice of my departmental advisers I can assure the public that the system in question is robust. Nevertheless the CIO has been requested to ensure reasonable measures have been put in place to deter, defend and defeat an attack."
On your measly budget the actions you took were reasonable, you quickly tell yourself. It is amazing how the word "reasonable" in normal usage becomes so damn unreasonable in front of judges and senators. Then you wonder whether you said that last thought out loud because senators Ray and Faulkner look like they are heading for the kill. Everyone in the room can smell blood - your blood.
With little forensic support you have as yet been unable to accurately identify how your system was penetrated. Holding this hearing now is so grossly unfair. Right now you honestly don't know how all that hugely sensitive personal data on all the families of the Defence personnel serving in the war on Iraq got into the hands of JI. As the troops negotiate a chemical and biological Dante's inferno in Baghdad, your slip-up has exposed the families to a series of threats and attacks that followed the bogus cancellation of a whole month's pay.
The sweat pours down your face: "Damn outsourcing" you scream inside your head in the air-conditioned plushness of the Senate estimates room. You quickly go over who could be responsible . . . Was it a mistake of that gateway mob under DPIE? Did they let the attack through? No, their audit logs prove that they had nothing to do with it. What about your AS06 security expert? No good either: he is obviously nothing more than the electronic equivalent of an airport bag checker - doing his job exactly as the rule book tells him - no imagination, no innovation and no awareness. You cannot let the pregnant silence go on for much longer; Ray is almost shouting now for an answer.
Little do you know that sitting in the public gallery of the committee room is Mark the contract cleaner. As he watches your career collapse beneath you he has a wry smile on his face. No one notices him, no one ever has; Mark and his employers like it that way.
No one noticed when he used his access card to legitimately swipe his way into your office. While busy dusting he plugged a USB memory stick into your PC. No one noticed the tiny device - only the size of a packet of gum but able to carry a gigabyte of data. Mark was dusting alright: he dusted all the critical passwords and access codes right off the system manager's PC.
But Mark was not just cleaning that night, and others gone by. In the seven different departments his company is commissioned to clean, he was delivering malicious code into all the key systems. He was also configuring his wireless PDA to your department's encryption key (which he got from your machine a month back) to enable him to access your LAN from a van outside the building using the tools of the trade - a laptop and Pringles chips tin. A chip tin? Yes. Mark's Web surfing showed him that a Pringles tin just happens to be perfectly shaped to act as a wireless network base station. Cost of a laptop: $2600. Cost of a Pringles tin: $3.50. Cost of bringing down the government: priceless.
Remember how you used to wonder about the quality of life of the ASO4 in corporate services - you know, the nice guy who wanted to chat a little too much at morning tea but was always upbeat and eager to help out? Remember how you used to wonder how he could put up with his nasty, self-important, brown-nosing superiors/back-stabbing subordinates/office manager? You are about to find out. Personally.
National security is critically important to every CIO in these tense times. There might be the greatest gateways in the world ringing your site off from the rest of the world, but it does not take a very smart spy to penetrate the core of the defence establishment, let alone non-national security government systems that nevertheless have information that could be used in new and threatening ways. Indeed, as the above example shows, your system can be penetrated even if it is totally isolated from the Net.
Security is a living thing; a smart attacker will assess your routines and work with them to their advantage.
Being vigilant is not enough if you do not know what you are looking for. If you are up to your neck in red tape keeping your system alive, perhaps you might save your neck if you spent a small part of your budget undertaking a RED TEAM risk assessment and security audit.
Adam Cobb (PhD Cambridge) is a former director of Strategic Policy in Air Force and now director of Stratwise, an international strategic and security advisory firm based in Sydney (www.stratwise.com)