Real Cyber Security – When?

If ever there were a time to effect real change in our country’s cyber security plan, it would be during the upcoming administration of President-elect Barack Obama, who made “change” the foundation of a successful and historic campaign.

However, there does not seem to be much urgency behind genuine, substantial change on this critical front. For instance, the response to Mr. Obama’s official cyber security plan in last week’s CSOOnline.com article entitled “5 Must-Do Cyber Security Steps for Obama” outlined recommendations that fall far short of any radical departure from the norm. Rather, they echoed the same mantra we’ve heard for years: secure Web apps; update existing regulations; improve information security training; intensify fortification of cyber walls; and, last but not least, heighten penalties for those commercial practitioners and government officials charged with protecting data. It’s not that the defensive stance taken by the experts in this article is wrong. It’s quite simply that their perspective on cyber security has been warped by an industry more concerned with fashion than substance and mired in a strategy that is destined for failure.

Consider, for example, the call for improved protection of web applications or further fortification of the cyber walls that protect valuable data. To answer these demands, infosec professionals would most likely buy more detection and prevention countermeasures. By construction, such products account only for “known threats,” that is, attacks that have already been observed, identified and catalogued by existing infosec systems.

Now, let’s explore the mentality of attackers. They are driven by the same laws of economics and natural selection that breed innovation in the security products landscape. To survive, they have become increasingly covert, both in the means through which they breach our systems and in their intended end result. Because their operations are “unknown,” they go undetected by the preventative solutions we deploy for protection. Those solutions, and our efforts to implement them, rapidly become obsolete; attackers continue to succeed at an alarming rate; and initiatives to secure Web apps and improve cyber walls become a colossal waste of resources.

Further, little deters attackers from continuing their relentless attacks. Malicious operations run at almost zero cost, except for time, and the legal repercussions for attempted hacks are laughable (assuming they are ever traced to an actual source). Yet, rather than strengthening the laws against hackers, the article calls for updating the regulations that seek to protect data and for imposing greater punishment, upon failure, on those charged with its protection.

Isn’t the definition of insanity repeating the same behavior over and over, only to expect a different result? The deterministic processes and products on which infosec professionals rely to meet these regulations and prevent data leaks are incomplete and inherently susceptible to failure. Now, according to expert recommendation, those who suffer unavoidable failure should face tougher consequences. And this strategy, which hasn’t worked to date, will somehow work in the future through… better execution?!

Instead, why not take a more realistic and effective route? Stop focusing so much attention and so many resources on known threats. Acknowledge that we are susceptible to the unknown threats, the gaps our controls cannot see, that make failure possible. Look at cyber security in the broader context of environmental adaptation in complex systems, and begin to see that planning for failure is not only important, it’s fundamental to our objective of comprehensive security. It’s time that we admit to failure and begin accounting for it.

This is where one of the five recommendations outlined in this article rings true. It’s time for more education. Infosec professionals must begin exploring the various theories, studies, and incidents that help them understand the inevitability of failure as well as the agility and pervasiveness of threats: theories such as risk mitigation, breaches such as the Express Scripts extortionist debacle, and standards such as SOX and HIPAA that help define the specific assets and pervasive threats within each industry. As a group, infosec professionals can use this knowledge to learn how to integrate failure as an inherent component of cyber security procedure and design, and in the process reduce the overall negative impact of inevitable attacks. Only when we start accepting failure can we truly build a more effective and sustainable cyber security advantage.

For more specific musing on this topic, check out an article I wrote in (IN)SECURE Magazine: http://www.net-security.org/dl/insecure/INSECURE-Mag-19.pdf (full magazine PDF, 9.7 MB; the article starts on page 62).
