Threat Intelligence

1/3/2018
10:30 AM
100%
0%

A Pragmatic Approach to Fixing Cybersecurity: 5 Steps

The digital infrastructure that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. Here's how.

Today's headlines are depressingly familiar: wide swaths of personal data are stolen; ransomware locks out access to vital medical records; hostile nation-states exploit social media to influence our political system; electrical grids are compromised; another company loses intellectual property to a foreign competitor. 

Despite over $90 billion spent per year on cybersecurity, progress in securing our business systems, protecting our critical infrastructure, and ensuring consumer data is safe appears to be halting. Clearly, we are at an inflection point. The digital ecosystem that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. We propose government and business leaders take the following steps immediately.

Step 1: Rethink the distinction between critical and noncritical infrastructure. The economy runs on data and digital networks, from hospitals reliant on electronic medical records to serve patients to sophisticated payment networks that power small businesses. The proliferation of these digital ecosystems across all facets of our economy and society make it very difficult to differentiate between critical and noncritical systems. We need to rethink our risk models in such an interdependent environment. 

Step 2: Make more use of market and legal incentives to drive adoption of best practices, and harden our digital infrastructure across all industries. The key to securing and making networks more resilient is the greater use of market incentives and less reliance on regulation. Currently, most businesses spend enormous resources satisfying the requirements of dozens of cybersecurity frameworks and standards. This compliance-based approach adds to the cost and complexity of security with a questionable reduction in risk. A case in point: most of the large data breaches over the last several years occurred at organizations that were "compliant" with government and industry control standards.

Step 3: Leverage the efforts of the National Institute of Standards and Technology (NIST). The federal government should take the lead by creating and promulgating one framework with associated controls standards, measurable performance criteria, uniform audit approaches, and breach disclosure criteria to replace the myriad of federal, state, and industry regulatory models. Liability protection should be extended to those entities that adopt this framework, which then can be translated into action by leveraging the purchasing power of the private sector, government, and consumers using market-based incentives.

Businesses need to hold their vendors and suppliers to a better standard in terms of protecting sensitive data, and ensure that digital services are safe from disruption, destruction, or tampering. They can leverage their tremendous purchasing power to demand a higher level of cybersecurity and resilience in the same manner they currently screen vendors for financial soundness and their ability to deliver goods and services.

The US government spends hundreds of billions on suppliers and vendors as well. This purchasing power should be translated into contract language requiring basic levels of digital security. NIST's current efforts are a good start but need to be fully implemented into the federal government's acquisition and procurement systems to be effective.

US consumers spend over $600 billion per year on information technology and telecommunication services. To improve consumer awareness of the level of security of digital products and services, the government and industry should create the cyber equivalent of Energy Star — a rating system to inform consumers about the level of security of the products and services they buy. This would compel companies to improve the security of their products and services using market mechanisms.  

Step 3: Improve information sharing and collaboration. One of the lessons learned from our war on terror is not only the need to share information between government agencies and between the private and public sectors, but also the need for greater collaboration. We propose the creation of a National Cybersecurity Center that would include the various federal government cyber centers, the private sector's information sharing and analysis centers (ISACs), and nonprofit entities. The goal of the center is to co-locate a diverse group of stakeholders to work collaboratively to better prepare for, prevent, detect, respond to, and recover from cyber threats.

Step 4:  A "Manhattan Project" to improve the research and development of next-generation technologies for the sensitive systems that drive our modern economy. This private-public initiative will require the government to lead efforts to ramp up R&D, in concert with the private sector and academia, with particular focus on securing Internet of Things technologies, quantum computing and cryptography, and improving the security of autonomous systems.

Step 5: Make a large investment in our cybersecurity human capital base. Currently, over 500,000 cybersecurity jobs are unfilled, resulting in substantial gaps in key industries and bidding wars for talent. We need the equivalent of the National Defense Education Act passed after the Sputnik launch in 1957 to produce the tens of thousands of cyber specialists we need each year. Not only would this produce high-paying jobs, but it would ensure the United States maintains its competitive advantage in cyberspace for decades to come.

What we are proposing here is not new; in fact, it is been part of recommendations from dozens of previous studies and task forces over the last 25 years. What has been missing is the leadership and commitment to translate these recommendations into action.

Related Content:

Mike McConnell, Senior Executive Advisor, Booz Allen Hamilton & Former US Director of National Intelligence Mike McConnell was appointed Director of National Intelligence (DNI) under Presidents George W. Bush and Barack Obama and served as a member of the National Security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/11/2018 | 10:04:50 AM
The C-Suite Gap
All excellent points and timely - the problem (and I am guilty of over-posting this comment) is that the executive suites only see IT as a salary and benefit expense line item.  Accounting department reports numbers and as long as everything is up and running, no corelation is made between results and cost.  As an independent consultant, I told my clients that I am the guy you pay NOT to see in the office - that if I am effective, I am doing my job pro-actively and behind the scenes, ergo = no problems on your side.   Management, though, all too often listens to the siren song of low cost workers from Tata, Wipro, Infosys ----- and shareholder value.   Replacement of quality American workers.  And the points in your essay NEVER make it to the table. 
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3090
PUBLISHED: 2018-07-18
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compr...
CVE-2018-3091
PUBLISHED: 2018-07-18
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.16. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compr...
CVE-2018-3092
PUBLISHED: 2018-07-18
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In T...
CVE-2018-3093
PUBLISHED: 2018-07-18
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In T...
CVE-2018-3094
PUBLISHED: 2018-07-18
Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). The supported version that is affected is 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In T...