Better security requires changes not in technologies, but in user practices
A recent trip to Haiti reminded blogger John Klossner about the sisyphean task agencies face in trying to secure their networks.
I have flown into the Dominican Republic on numerous occasions. When landing in Santiago, the (mostly Dominican) passengers break out into applause. The first time my family and I experienced this it was surprising–and quite different from the scrum that takes place when we land in Boston. Being an American who lives in the Northeastern United States, I assumed the applause was cynical, a sarcastic statement that "we made it."
I have taken the trip enough times now to understand that there is nothing cynical about the Dominicans' cheer. Passengers applaud because they are sincerely grateful for safely returning to their or their ancestors' homeland, and for the anticipated experience they are about to have. I have found that letting go of my cynicism is a useful transition for visiting the country.
By contrast, when landing in Port-au-Prince, Haiti, on a recent trip, I could feel all the passengers physically tighten up, as if to brace themselves for what lay ahead. My family and I were preparing to spend 10 days in Hispaniola visiting a friend and delivering relief supplies in Haiti, and then taking a bus across the island to visit friends in the small Dominican village we spent five months in several years ago. (Nobody on the bus applauded when we crossed the Haiti-Dominican border.)
Our friend Charles has lived in Port-au-Prince for a little more than five years. He grew up there, and told us of riding his bike around the city as a child, taking 20 minutes to cover a route that was now taking us two hours by car. Charles moved to the United States and stayed for 25 years, became a U.S. citizen and then moved back to Haiti in retirement, where he built a house in one of the neighborhoods of Port-au-Prince. His cement home has wooden details–cabinetry he hand-carved himself, trim and furniture–and a spacious yard with walls covered with bushes with bougainvilleas. (I have noted that, in any writing about tropical locales, there is always mention of the bougainvilleas.) Charles' house would not look out of place in Florida.
To get from the airport to Charles' house, we drove though the landscape that has become familiar since the Jan. 12 earthquake: piles of rubble, decimated buildings, tent cities, and people moving about everywhere. The memory that stays with me from my two visits to Haiti are of the movement that takes place in my peripheral vision: No one stands still in Haiti.
Driving us to his house, Charles stops before crossing a busy bridge. He tells me that since the earthquake, he waits for the line of traffic to clear before crossing; he is afraid of being stopped (a frequent happening in Port-au-Prince) on a bridge that might not be safe. Charles' street is a potholed dirt road in a central location in town that has piles of rubble spread around. Some of the houses on his street are standing, some have been reduced to rubble, some are in between. (Charles is very proud of the fact that the house he built himself suffered no damage from the earthquake.) A couple of lots have tents or makeshift shelters that, with their combination of fabric/tarp sidings and tin roofs look like some sort of art class voting booth project, sitting in several inches of water from the recent rains.
Security is real problem in Port-au-Prince, where almost every building was severely damaged by the earthquake.
When we pull up to the gate at Charles' driveway, he tells the young man who has come out to open the gate to leash the guard dog that patrols his yard when he is not home. The walls surrounding his property have broken glass set in the mortar atop them–a security measure we have found throughout Haiti and the Dominican. When we enter the house, he warns us not to go out when the dog is unleashed. He also does not want us to go for walks outside of his property without him. He has a rifle propped against the wall in one bedroom, and I found a handgun under a pillow on the mattress he sleeps on near the front door.
Despite this level of security, Charles had six solar-panel batteries stolen from his home–before the earthquake.
I describe all this not as an excuse to share recent travel experiences, but because I found myself thinking about security on my trip. More specifically, thinking about the various needs for security, and what a sisyphean task we all face. The security needs for a home in Port-au-Prince, obviously, are not the same security needs for a home in Maine. My first visit to Haiti was to a small town outside of Cap-Hatienne, in the north of the country, and the residents' security needs are different from those of Port-au-Prince. To get even more specific, the security needs of Charles' property are not the same as the needs of someone living in a voting booth-like shelter in four inches of water next door.
So why do people get so upset over security efforts–or a perceived lack of them–in the agency world? To quote a recent comment to an FCW article requesting better security standards for federal systems, is (cyber)intrusion detection/prevention even possible on such a diverse network as used by the federal government? This is not meant to be seen as a "what-can-you-do" angle, more a suggestion that simple security standards are just that, and not nearly enough to deal with the complex challenges agencies face. Security will require changes not in technologies but in user practices. I would venture that this is an education issue more than a technology issue. (I could have fun here and try to align specific agencies' security practices with world communities, but that wouldn't be doing a favor for either Port-au-Prince or the agency compared to it.)
On our ride to the bus station in the Petionville suburb, my daughter and I were riding in the back of Charles' pickup truck, watching Port-au-Prince recede into the distance. We heard a strange sound approaching us, a beautiful sound that felt out of place amid the devastation, like finding an orchid growing in a rockpile. It was a church that was overflowing with people in Sunday dress, with the crowd backed up out of all the entries. When we mentioned this to Charles at the bus station, he told us that it wasn't a full church; since the earthquake, many people stand near the doors or outside of buildings.
NEXT STORY: Committee approves cybersecurity bill