1/3/2018 10:30 AM

A Pragmatic Approach to Fixing Cybersecurity: 5 Steps

The digital infrastructure that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. Here's how.

Today's headlines are depressingly familiar: wide swaths of personal data are stolen; ransomware locks out access to vital medical records; hostile nation-states exploit social media to influence our political system; electrical grids are compromised; another company loses intellectual property to a foreign competitor. 

Despite over $90 billion spent per year on cybersecurity, progress in securing our business systems, protecting our critical infrastructure, and ensuring consumer data is safe appears to be halting. Clearly, we are at an inflection point. The digital ecosystem that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. We propose government and business leaders take the following steps immediately.

Step 1: Rethink the distinction between critical and noncritical infrastructure. The economy runs on data and digital networks, from hospitals reliant on electronic medical records to serve patients to sophisticated payment networks that power small businesses. The proliferation of these digital ecosystems across all facets of our economy and society makes it very difficult to differentiate between critical and noncritical systems. We need to rethink our risk models in such an interdependent environment.

Step 2: Make more use of market and legal incentives to drive adoption of best practices, and harden our digital infrastructure across all industries. The key to securing and making networks more resilient is the greater use of market incentives and less reliance on regulation. Currently, most businesses spend enormous resources satisfying the requirements of dozens of cybersecurity frameworks and standards. This compliance-based approach adds to the cost and complexity of security with a questionable reduction in risk. A case in point: most of the large data breaches over the last several years occurred at organizations that were "compliant" with government and industry control standards.

Step 3: Leverage the efforts of the National Institute of Standards and Technology (NIST). The federal government should take the lead by creating and promulgating one framework with associated controls standards, measurable performance criteria, uniform audit approaches, and breach disclosure criteria to replace the myriad of federal, state, and industry regulatory models. Liability protection should be extended to those entities that adopt this framework, which then can be translated into action by leveraging the purchasing power of the private sector, government, and consumers using market-based incentives.

Businesses need to hold their vendors and suppliers to a better standard in terms of protecting sensitive data, and ensure that digital services are safe from disruption, destruction, or tampering. They can leverage their tremendous purchasing power to demand a higher level of cybersecurity and resilience in the same manner they currently screen vendors for financial soundness and their ability to deliver goods and services.

The US government spends hundreds of billions on suppliers and vendors as well. This purchasing power should be translated into contract language requiring basic levels of digital security. NIST's current efforts are a good start but need to be fully implemented into the federal government's acquisition and procurement systems to be effective.

US consumers spend over $600 billion per year on information technology and telecommunication services. To improve consumer awareness of the level of security of digital products and services, the government and industry should create the cyber equivalent of Energy Star — a rating system to inform consumers about the level of security of the products and services they buy. This would compel companies to improve the security of their products and services using market mechanisms.  

Step 3: Improve information sharing and collaboration. One of the lessons learned from our war on terror is not only the need to share information between government agencies and between the private and public sectors, but also the need for greater collaboration. We propose the creation of a National Cybersecurity Center that would include the various federal government cyber centers, the private sector's information sharing and analysis centers (ISACs), and nonprofit entities. The goal of the center is to co-locate a diverse group of stakeholders to work collaboratively to better prepare for, prevent, detect, respond to, and recover from cyber threats.

Step 4: A "Manhattan Project" to improve the research and development of next-generation technologies for the sensitive systems that drive our modern economy. This private-public initiative will require the government to lead efforts to ramp up R&D, in concert with the private sector and academia, with particular focus on securing Internet of Things technologies, quantum computing and cryptography, and improving the security of autonomous systems.

Step 5: Make a large investment in our cybersecurity human capital base. Currently, over 500,000 cybersecurity jobs are unfilled, resulting in substantial gaps in key industries and bidding wars for talent. We need the equivalent of the National Defense Education Act passed after the Sputnik launch in 1957 to produce the tens of thousands of cyber specialists we need each year. Not only would this produce high-paying jobs, but it would ensure the United States maintains its competitive advantage in cyberspace for decades to come.

What we are proposing here is not new; in fact, it has been part of the recommendations from dozens of previous studies and task forces over the last 25 years. What has been missing is the leadership and commitment to translate these recommendations into action.

Mike McConnell, Senior Executive Advisor, Booz Allen Hamilton & Former US Director of National Intelligence. Mike McConnell was appointed Director of National Intelligence (DNI) under Presidents George W. Bush and Barack Obama and served as a member of the National Security ...
Comments

REISEN1955, User Rank: Ninja
1/11/2018 | 10:04:50 AM
The C-Suite Gap
All excellent points and timely - the problem (and I am guilty of over-posting this comment) is that the executive suites only see IT as a salary and benefit expense line item. The accounting department reports numbers, and as long as everything is up and running, no correlation is made between results and cost. As an independent consultant, I told my clients that I am the guy you pay NOT to see in the office - that if I am effective, I am doing my job proactively and behind the scenes, ergo = no problems on your side. Management, though, all too often listens to the siren song of low-cost workers from Tata, Wipro, Infosys - and shareholder value. Replacement of quality American workers. And the points in your essay NEVER make it to the table.