When a long-standing member of the intelligence community says expectations of privacy and security on the Internet are gone, it pays to listen.
"It has become apparent to all of us, as it did in the early 2000s, there are no secrets. We ought to just give up the notion of secrets, [and also] no such notion of security," said Stephen Cambone, former Undersecretary of Defense for Intelligence, Thursday at SAP NS2's National Security Summit.
Cambone added that anyone getting online through a network should approach it "with the idea that someone is already there or can find their way there."
The conference focused on national security in the post-Snowden era, following the contractor's release in early 2013 of thousands of documents from National Security Agency networks. Speakers made clear that they are frustrated that the public does not understand the truly serious dangers posed by the lack of Internet security.
Michael Hewitt, former Navy staff member for the Joint Chiefs of Staff and now CEO of HSH Analytics, said the intelligence community has spent the last eight years doing what he calls "discovery learning."
"Just eight years ago we had an ungoverned space," Hewitt said. "I think we've done a really good job [over that time] defining … where the thresholds are."
But intelligence agencies don't really have the tools to do what they're called upon to do, he added. "We haven't defined what the shared situational awareness requirements are, [or] for the private sector, what is their role in protecting themselves."
Adam Karcher, FBI deputy director, Office of Data Exploitation and the National Cyber Investigative Joint Task Force, said, "One reason the intelligence community doesn't have the [security] toolset is because the public doesn't understand the nature of the threat."
Karcher said that the public in general doesn't understand what cyberspace is. "'Cloud' means something different to the public than to engineers. The Internet outpaces our ability … to understand the implications of implementing [a new technology] as soon as it's invented."
"I hope it doesn't take a catastrophic event to make us understand the shared risks," Hewitt said.
Cambone agreed, calling the issue of Internet security one of "critical national importance. It is at the heart of our everyday lives."
The Target incident -- when the retailer was forced to reveal that millions of its customers' accounts had been hacked -- did manage to elevate the issue in the public's consciousness, the panelists agreed, but the incident also demonstrated the weakness of the current system of laws and regulations, both for cyberspace and in the financial world, to tackle the challenge.
Companies are reluctant to share information about attacks on their networks because of existing laws that might consider it a form of collusion. They also worry about damage to their businesses and reputations with customers.
Cambone said that getting past the private sector's reluctance actually is an issue for Congress, "to bring the right people [in] both chambers together to see where legislation will help."
He said congressional action should focus on "framing legislation, not trying to solve each individual problem."
Taking action is critical, said Alan Wade, former CIO of the CIA, because "the threat environment is so unpredictable that it's [impossible] to position [our IT] systems against threats."
Wade said the promise of cloud computing "is that we'll be able to do that at the speed of reconfiguring infrastructure, rather than the speed of moving people."