My hat is off to our politicians: as a general rule, they have an amazing gift for speaking without really conveying any substance. Watch any political speech or news conference and you leave with your questions still unanswered despite having listened to a long response. Hence, I am not surprised that politicians have now applied this remarkable gift to cyberspeak.
A couple of days ago, Representative Barbara Comstock, who represents Loudoun County, Virginia, published an Op-Ed titled “Cybersecurity—A 21st Century War”. While the Congresswoman makes some excellent points, I was left with unanswered questions about the details after reading her key steps, which are unfortunately nothing more than broad strokes without any substantive plan behind them. Her points, along with my responses and opinions, follow:
“There must be a healthy partnership between the public and private sectors to share information and best practices”
In principle, I, along with many others, would agree. However, the operative word here is “healthy.” The relationship between the public, business and government is beyond paranoid. Worse, government is in no position to provide leadership given the realities that (1) it has yet to come clean on the real extent of its spying on its own citizens, (2) it continues to advocate ‘exceptions’ that would let it spy by such means as backdoors in encryption, and (3) it cannot even secure its own house, as 19 of 24 agencies fail to meet basic cybersecurity standards.
Government honesty and transparency is a necessary prerequisite to a healthy partnership.
“A focus on “cyber hygiene,” which is day-to-day maintenance and monitoring of devices and IT systems using widely accepted cybersecurity best practices”
Of course, there is plenty to agree with here. Yet where are the actions and the leadership focusing on cyber hygiene?
Over a decade ago, I can recall the Cisco commercials about the “self-healing network,” yet that vision is still not a reality today. Technology and application development move at such a rapid pace that nearly everything hits the market with flaws, some of which represent security risks. We also remain vulnerable to flaws that are at least a decade old and can still be exploited today. Lastly, to the point above about government agencies: setting an example for the rest of us would go a long way toward establishing credibility, as opposed to telling the rest of the country to implement “best practices.”
A few useful practices:
- Bake security into new technology and applications instead of trying to bolt it on later. Security does not have to be reactive, and in a business context it could potentially be used as a competitive advantage in the marketplace by vendors and companies who build security into their technology and application offerings.
- As business and individual consumers, question the access requirements of apps. How many times do we ignore the EULA and click “Agree,” or fail to read and fully understand everything that smartphone app is requesting access to? If the marketplace demands security, then the vendors will ultimately get the message.
- Patch and update. In many cases this practice can be fully automated; in others, testing and care need to be exercised first. By knowing which systems can safely be kept up to date automatically and configuring them to do so, we can eliminate much of the low-hanging fruit and free up cycles to focus on the rest.
- Harden business systems. The government does publish very good hardening guides and configuration checklists at NIST.gov, and there is absolutely no reason short of laziness not to tighten down a production system in any business.
“We should not only focus resources on defending against cyberattacks, we must also bolster our ability to detect vulnerabilities, and limit the damage of a breach”
Of all of the Congresswoman’s points, this one comes closest to real substance, as it calls out the common thread of many high-profile breaches over the last few years. Plenty of resources are applied to protecting our critical assets. However, the detection gap is a very real issue: in many cases, even when systems had ‘detected’ a breach, the people running those systems were slow to react, in some cases took months to react, or had to be told by external parties that their systems had been breached.
The three legged stool of people, process and technology has people as the weakest leg since the other two depend upon people applying the processes or correctly operating the technology.
We are going to be breached; that is reality, and the threats will not go away. Crime has been with us for thousands of years and has simply evolved into the digital age. The emphasis should be to detect and RESPOND before we suffer substantial harm.
“We must continue to upgrade cybersecurity forensics so that we may quickly identify the perpetrators of these attacks and successfully prosecute them”
Updating the forensics capability to more quickly catch criminals is only part of the challenge. Even when caught, crime still pays because millions can be hidden away and the perpetrators only do a few years in prison.
The other action needed is to revise sentencing and penalties. More years in jail is not the answer, but restitution and financial penalties need to be commensurate with the harm, and once caught, criminals need to be required to repay all of their victims. What are a few years in jail when millions may have had their identities stolen and suffered tremendously? Let’s make the financial penalties severe and send the message that the risk is too high for crime to pay.
“More research and development is needed on new technology for preventing and responding to cyberattacks, particularly in identity authentication”
If we all had a dime for every time a politician came out and said “more research is needed.” Heck, let’s form a committee or even appoint another czar.
What we need to do is get away from passwords as our dominant means of authentication. If government wants to pass a law, how about making businesses liable if they do not offer strong authentication to their customers? Strong authentication is inexpensive these days: a one-time-code second factor is a few lines of standard-library code on the server side and a free app on the customer’s phone.
As for passwords? Microsoft, and others who limit a password to 15 characters, need to up their game. A long passphrase of several randomly chosen words matches or exceeds the strength of a 15-character nonsense password of upper/lower case letters and numbers, and is far easier to remember; the catch is that such a passphrase runs well past 15 characters, so the cap itself rules out the better option.
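The comparison above is worth putting in numbers. The following is an added example of mine, not from the Op-Ed or from any vendor, that computes the entropy of random passwords and passphrases and generates a passphrase with the CSPRNG. It assumes a 62-symbol character set (upper, lower, digits) for the password and a 7776-word list (the Diceware size) for the passphrase; the six-word list embedded for the demo is constructed and far too small for real use.

```python
import math
import secrets

# Constructed stand-in for a real word list; a usable list has thousands of entries.
DEMO_WORDLIST = ["anvil", "brisk", "copper", "dune", "ember", "fjord"]
DICEWARE_SIZE = 7776          # 6^5 words: one roll of five dice selects a word
ALNUM_SIZE = 62               # upper + lower + digits, as in the 15-character password above


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from `charset_size` choices."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Bits of entropy in `words` words drawn uniformly, with replacement, from a list.

    Only holds when a CSPRNG picks the words; a phrase the user invents is much weaker.
    """
    return words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from the list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist: list[str], words: int, sep: str = " ") -> str:
    """Pick words with `secrets.choice`; never `random.choice` for anything secret."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def fits_limit(secret_value: str, max_len: int) -> bool:
    """Would a site with a hard length cap even accept this secret?"""
    return len(secret_value) <= max_len


if __name__ == "__main__":
    password_bits = charset_entropy_bits(15, ALNUM_SIZE)
    needed = words_needed(password_bits, DICEWARE_SIZE)
    print(f"15 random alphanumerics: {password_bits:.1f} bits")
    print(f"6 Diceware words: {passphrase_entropy_bits(6, DICEWARE_SIZE):.1f} bits")
    print(f"words to match the password: {needed}")
    phrase = generate_passphrase(DEMO_WORDLIST, needed)
    print(f"sample ({len(phrase)} chars): {phrase!r}, fits a 15-char cap: {fits_limit(phrase, 15)}")
```

Running it shows the trade-off: 15 random alphanumerics carry about 89 bits, a six-word Diceware passphrase about 78, and seven words about 90, so the passphrase wins only once it is allowed to be roughly 35 to 40 characters long. That is exactly what a 15-character cap forbids, which is why the cap, not the user, is the weak point.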
“We must do more to educate and train a cybersecurity workforce, as demand for professionals is expected to rise to 6 million by 2019, with a projected shortfall of 1.5 million.”
A statement such as this concerns me more than a little. In my mind, I am making a connection between the military-industrial complex and the digital warfare of the 21st century. We don’t necessarily need another army of digital soldiers. What we need is to properly train the existing workforce to use the tools already in place, which would go a very long way toward taking out the low-hanging fruit for cyber criminals.
Take for example one view expressed to me by a candidate for a security analyst position. When I asked him in the interview to tell me what he knew about security, pretending that I knew nothing on the topic, his response was “we need to defend against all threats.” Really? The world is full of threats; we need to defend against relevant threats and to detect and respond quickly when our defenses fail. Let’s educate our workforce a bit more on common sense. Then, we can add to the already well-educated workforce.
“Leaders in government and the private sector must create a culture that ensures everyone considers cybersecurity a high priority.”
Here, we need a two-faceted approach. (1) We need to change and shift the existing culture, and (2) we need to instill the proper culture into the next generation.
Our existing culture presents us with stark contrasts between baby boomers and millennials. The baby boomer generation is a bit more cautious, albeit somewhat technically challenged, having grown up with black-and-white television, landline telephones and slide rules. Millennials, on the other hand, are well documented as more than willing to give up privacy and share far too much information online. The amount of personal information shared by some on social media at times defies rational thought. Changing this culture will be a challenge, yet it nevertheless needs to happen.
We should also think ahead: as today’s children grow up through the school system, increasingly interconnected, they should be taught common sense the way the older generation was taught “don’t talk to strangers.” Teaching children today to value and guard privacy, and to engage in secure behaviors, will go a long way toward solving the cybersecurity problems of tomorrow before they become a crisis.
Have I been hyper-critical here and more than a bit sarcastic? Guilty as charged. In fairness, I do respect and appreciate Congresswoman Comstock’s efforts and willingness to confront these problems. Why not go where no politician has gone before and take real leadership, with real actions and real results? Talk is cheap, results matter. Else, in ten years we will hear this same political cyberspeak again from yet another politician and still have the same problem; only bigger.