Imagine a U.S. economy without Google, Microsoft, and Apple. These organizations rose out of a culture that encouraged innovation and harbored a willingness to embrace new technology and new ways of using it. Today, in the face of advanced cyberthreats and widespread compromise of sensitive data, we must take care not to dismantle this culture in the name of safety.
There is little doubt that the way the U.S. government approaches cybersecurity research needs to shift. A series of data breaches at all levels of government, which included the well-publicized leak at the Office of Personnel Management that compromised the personal information of over 21.5 million people, has highlighted the disparity between attackers and government security.
The U.S. government has long had a somewhat passive-aggressive approach to cybersecurity research, where new business is welcomed but new research that could lead to better security solutions is often kept at arm’s length -- or in the case of reverse engineering or breaking encryption, actively worked against. Net neutrality, for example, has had a stormy past with interested parties pushing their agenda over public interest.
Another counter-productive governmental tendency is the implementation of overly simplified or broad regulations. This is most recently exemplified by the proposed U.S. Bureau of Industry and Security enforcement of updates to an international arms agreement called the Wassenaar Arrangement. The updates ask for regulating technology connected to “intrusion software,” which is defined as software specially designed to avoid detection by “monitoring tools” or defeat “protective countermeasures” and either extracts and modifies data or modifies the execution path of a process to allow the execution of externally provided instructions.
Woah! We just outlawed threat intelligence, host-based intrusion detection systems, many forms of cyber security research, and who knows what else.
[For more on the Wassenaar Agreement from Katie Moussouris, read View From the Top: Government’s Role In Cybersecurity]
Towards a healthy security culture
The cyber security landscape has changed drastically over the last decade, and the U.S. government could be an important leader as consumers and organizations learn to cope with sophisticated threats and an ever-increasing amount of digitized personal information. The challenge will be finding a balance between consumer confidence in our ability to conduct commerce, communicate and organize safely via the Internet, and maintaining the open innovation of the Internet that kick-started the Information Age in the first place.
There are several things the government can do to encourage security research and to maximize the results, creating a safer Internet in the process. Being open and welcoming to new ideas from less formal sources is a must-have. In particular, there needs to be safe harbor for those conducting legitimate security research including exposing vulnerabilities. We’ve seen researchers get in trouble for doing vulnerability research, and if that trend continues, it will hurt our ability to be an incubator for new ideas.
There also needs to be a greater focus on enabling security information sharing instead of mandating it. The Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (CISCP) is a shining example of this. CISCP allows operators of critical infrastructure systems to coordinate threat intelligence with the government and each other. This is only possible because CISCP takes care to remove identifiable and proprietary information and excludes data in the program from being used in regulation investigations, which allows the participants to share information without fear of economic disadvantage.
Lastly, we need to reform science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce. The U.S. used to have a strong IT career path that fed security organizations with smart, well-educated, and IT-savvy people. In the last 10 years, that has been dried up or offshored, and we now have a huge skills gap. Furthermore, those studying any field of computer science should receive security education.
Government, heal thyself
As for its own systems, the government needs to shift its approach to security, especially in light of how much sensitive data it holds on citizens. We have critically underfunded these areas in government. They have been handed to the lowest bidder and requirements are often out of date. In addition, government purchasing regulations need to be opened up. Because the process is so lengthy, we often see parts of the U.S. government five years or more behind in release cycles due to certification issues.
The government needs more security professionals as well, and this will require heavier funding. The skills gap we’ve created and the rapid of evolution of threat actors have placed a premium on cyber security know-how. Qualified professionals are getting snatched by private-sector organizations that can pay more than a government position. France has attempted to tackle this problem by scrapping normal government salary scales to be able to hire the best and brightest professionals from the private sector.
We are reaching a turning point in the realm of cybersecurity. Threat actors appear to be winning on multiple fronts, and actions taken today have the potential to shape the future of the Internet. The U.S. government is in a unique position to become a global leader in cyber security, but it must take care that it is promoting a culture of innovation where legitimate research can take place without fear of legal backlash. After all, this freedom to study and create is what gave rise to the technology we have today, and it is what will give rise to the security solutions of tomorrow.
Editor’s Note: Gavin Reid recently participated as a panelist in the “National Conversation – A Trusted Cyber Future” community engagement conference organized by the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). Notes from his presentation can be found here.