Today I read an article about US investments in cyber security, with the US Department of Defense (DoD) budget requesting 3.4 billion US$ by itself. The US Cyber Chief, Army General Keith Alexander, commander of U.S. Cyber Command and director of the NSA (National Security Agency) is quoted as saying “Nation-state actors in cyberspace are riding a tide of criminality.

I believe he is wrong in one very important point: It is not about a tide, it is about a continuous rise. So it would have been better had he chosen the comparison to the (potential) long-term rise of the sea-level caused by global warming – with the important difference that the increasing cybersecurity challenge is not happening gradually over a period of dozens of years but more or less as a tsunami, almost immediately. We most likely will see some “decrease in increase” or, in other words, lower growth rates in cybercrime. But I don’t expect to see a decrease in absolute numbers within a foreseeable period of time.

And it is not only about nation-state actors in cyberspace, but about all actors in cyberspace which are causing that rise. States are affected because they are the target of other nation-state actors, but also of organizations like Anonymous or Lulz Sec, and for the classical attackers like script kiddies and other non-organized hackers. On the other hand, they are most likely not the target of that part of cybercrime which is related to organized crime. When looking at other organizations, they are more likely to become the target of all these types of attackers.

The good thing about quotes like the one mentioned is that they prove that at least some states (the U.S. probably more than many European countries) have understood the challenge they are facing. But to me it sounded somewhat too optimistic.

What we have to do is to act on this challenge, by systematically and strategically improving our IT security. That requires a holistic view on the topic. It requires a risk-based approach. We need to understand the risks and act according to these risks. We need to have plans if something happens anyway. It will cost a lot of money. But by doing it right, there is a huge potential for saving at least some of the money which otherwise is thrown out of the window with little or no impact on an improved IT security.

To learn more about Information Security, GRC, and the role IAM plays therein, visit EIC 2012, Munich, April 17th to 20th.