CIOs Uncensored: CIOs Should Be Fired For Foolish Security Breaches
It's time for CIOs to step up, allocate resources, and make cybersecurity airtight.
Imprisoned hacker Robert Moore says it was child's play to dig into thousands of corporate systems because most IT groups don't follow basic hygiene such as resetting default passwords and keeping logs. While one consultant says it's the vendors' fault, I lay the blame squarely on CIOs: if they don't allocate resources and create and enforce behavior that promotes airtight cybersecurity, they should be fired.
For too long, excuses have been made about conflicting priorities, limited staff, complex processes, a hodgepodge of systems, the relentlessness of hacker punks, uncompliant users, and so on. And also for too long, lots of business-technology executives have complained about not being taken seriously by other execs within their company, about the IT organization not getting the respect it deserves, about being told what to do instead of being asked to help formulate strategy, and about being regarded as costly overhead that should perhaps be outsourced. But the two sets don't match up -- we can't lean on our list of convenient excuses if we want to be taken seriously. At some point, it's about accountability and responsibility. Let's take a quick review of what the prison-bound hackerpunk had to say about how easy IT made it for him to do his dirty work, and then we'll scrutinize those tired rationales for why IT can't fix the problem.
My colleague Sharon Gaudin broke this story and brought to light the passive complicity of IT in these highly preventable break-ins via a series of exclusive conversations with Robert Moore, the convicted cyberpunk. Moore revealed to Sharon an astonishing variety of anecdotes about how and why it was so easy for him to penetrate thousands of supposedly secure databases, and for your reading pleasure -- or disgust -- here are some of the highlights as reported earlier by Sharon:
"Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords."
"I'd say 85% of them were misconfigured routers. They had the default passwords on them. . . .You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box..."
"We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."
"AT&T reported to the court that Moore ran 6 million scans on its network alone."
"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing."
"I think it's all their [the hacked companies'] fault," he added. "They're using default passwords and their administrators don't even care. . . .There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find. . . .There were thousands of routers that were compromised in this, just from my scans alone."
"If they [the hacked companies] were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion-detection system set up, they could have easily seen that these weren't their calls."
And finally, from a followup piece Sharon did called "Would You Hire This Hacker?" comes this slice-of-life philosophy from our intrusive convict:
"The cool thing about cybercrime is when you get this much publicity it's pretty much like a resume when you get out," said Moore, who hasn't gone to college and doesn't hold a degree. "When they say, 'Where's your degree?,' you just show them your prison record."
Well, that's pretty nauseating stuff. And what's particularly disturbing about it is Moore's repeated refrain that IT is his indispensable co-dependent: without IT doing its part in his crimes by failing to fully secure corporate systems, then I guess he'd have nothing to do but look at porn all day instead of cracking into your customer data and costing you time, money, trust, and soiled reputation.
No doubt a lot of you are saying, "Now hold on, you don't understand, it's not really our fault!" OK, let's review the list of usual excuses:
Conflicting priorities: Who sets the priorities -- isn't it the CIO? Who funds those priorities -- isn't it the CIO? Who allocates people -- isn't it the CIO? So who's making the excuses -- isn't it the CIO?
See "conflicting priorities" above. Seems pretty simple: either cybersecurity is a priority, or it's not. If it is, put more people on it; if it's not, well, be prepared to deal with the consequences.
No doubt this is true, and no doubt they'll get more complex as more and more parts of your business become totally enmeshed in your systems and networks and software. And as your customers move increasingly deeper into your processes, the complexity will multiply. Again, it comes down to this question: Who's in charge here?
Hodgepodge of systems:
Surely an ugly problem, and one that fiercely resists standardization and automation. But again, who's in charge here? Who decides -- and fights for and leads -- the move toward standardization? And who can speak as eloquently and forcefully as the CIO about the business benefits of standardization?
Relentlessness of hackerpunks:
Maybe they'd be a little less relentless if their IT co-dependents didn't make it so easy and attractive to do their dirty work. They're not going to just disappear, and so it's the CIO's job to make their experiences as unrewarding as possible -- hope is not an option.
Before moving over to HP a couple of years ago, Randy Mott was CIO at Dell. And under his direction, Dell instituted a comprehensive set of security-compliance policies, and that compliance was monitored daily. If you were uncompliant and didn't get things fixed within 24 hours, you got a yellow flag. If another 24 hours went by and you were still uncompliant, you got a red flag. And that, Mott said, meant you had to go explain to the CEO why you believed your personal convenience was more important than the cybersecurity of the entire corporation and its customers. "And that is one conversation," Mott said at the time, "you're not going to want to have."
Great CIOs have found and will continue to find ways to change the behavior of the organization so that every employee embraces cybersecurity -- the preservation and protection of some of the company's most valuable assets -- as part of his or her job at all times. Mediocre CIOs will look to chop away at the statistics cited above by the hackerpunk, and hope that nothing really bad happens. And incompetent CIOs will, once again, pull out their handy laminated list of excuses and insist that they're doing everything that can be done but it doesn't really matter because nothing can be done and while we're at it why don't we just transfer responsibility for cybersecurity over to the Facilities Department.
Our legal system will deal with hackers like Robert Moore. But what about those mediocre and incompetent CIOs and IT managers? They share a huge portion of the responsibility for these ongoing crimes, and there's only one way to deal with them: They should be fired as soon as possible.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.