Gavin Reid
We Can Allow Cybersecurity Research Without Stifling Innovation

The U.S. government is in a unique position to become a global leader in cybersecurity. But only if it retains the open spirit of the Internet that kick-started the Information Age.

Imagine a U.S. economy without Google, Microsoft, and Apple. These organizations rose out of a culture that encouraged innovation and harbored a willingness to embrace new technology and new ways of using it. Today, in the face of advanced cyberthreats and widespread compromise of sensitive data, we must take care not to dismantle this culture in the name of safety.

There is little doubt that the way the U.S. government approaches cybersecurity research needs to shift. A series of data breaches at all levels of government, which included the well-publicized leak at the Office of Personnel Management that compromised the personal information of over 21.5 million people, has highlighted the disparity between attackers and government security.

The U.S. government has long had a somewhat passive-aggressive approach to cybersecurity research, where new business is welcomed but new research that could lead to better security solutions is often kept at arm’s length -- or in the case of reverse engineering or breaking encryption, actively worked against. Net neutrality, for example, has had a stormy past with interested parties pushing their agenda over public interest.

Another counter-productive governmental tendency is the implementation of overly simplified or broad regulations. This is most recently exemplified by the proposed U.S. Bureau of Industry and Security enforcement of updates to an international arms agreement called the Wassenaar Arrangement. The updates ask for regulating technology connected to “intrusion software,” which is defined as software specially designed to avoid detection by “monitoring tools” or defeat “protective countermeasures” and either extracts and modifies data or modifies the execution path of a process to allow the execution of externally provided instructions.

Woah! We just outlawed threat intelligence, host-based intrusion detection systems, many forms of cyber security research, and who knows what else.

[For more on the Wassenaar Agreement from Katie Moussouris, read View From the Top: Government's Role In Cybersecurity]

Towards a healthy security culture

The cyber security landscape has changed drastically over the last decade, and the U.S. government could be an important leader as consumers and organizations learn to cope with sophisticated threats and an ever-increasing amount of digitized personal information. The challenge will be finding a balance between consumer confidence in our ability to conduct commerce, communicate and organize safely via the Internet, and maintaining the open innovation of the Internet that kick-started the Information Age in the first place.

There are several things the government can do to encourage security research and to maximize the results, creating a safer Internet in the process. Being open and welcoming to new ideas from less formal sources is a must-have. In particular, there needs to be safe harbor for those conducting legitimate security research including exposing vulnerabilities. We’ve seen researchers get in trouble for doing vulnerability research, and if that trend continues, it will hurt our ability to be an incubator for new ideas.

There also needs to be a greater focus on enabling security information sharing instead of mandating it. The Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (CISCP) is a shining example of this. CISCP allows operators of critical infrastructure systems to coordinate threat intelligence with the government and each other. This is only possible because CISCP takes care to remove identifiable and proprietary information and excludes data in the program from being used in regulation investigations, which allows the participants to share information without fear of economic disadvantage.

Lastly, we need to reform science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce. The U.S. used to have a strong IT career path that fed security organizations with smart, well-educated, and IT-savvy people. In the last 10 years, that pipeline has dried up or been offshored, and we now have a huge skills gap. Furthermore, those studying any field of computer science should receive security education.

Government, heal thyself

As for its own systems, the government needs to shift its approach to security, especially in light of how much sensitive data it holds on citizens. We have critically underfunded these areas in government. They have been handed to the lowest bidder and requirements are often out of date. In addition, government purchasing regulations need to be opened up. Because the process is so lengthy, we often see parts of the U.S. government five years or more behind in release cycles due to certification issues.

The government needs more security professionals as well, and this will require heavier funding. The skills gap we've created and the rapid evolution of threat actors have placed a premium on cyber security know-how. Qualified professionals are getting snatched up by private-sector organizations that can pay more than a government position. France has attempted to tackle this problem by scrapping normal government salary scales to be able to hire the best and brightest professionals from the private sector.

We are reaching a turning point in the realm of cybersecurity. Threat actors appear to be winning on multiple fronts, and actions taken today have the potential to shape the future of the Internet. The U.S. government is in a unique position to become a global leader in cyber security, but it must take care that it is promoting a culture of innovation where legitimate research can take place without fear of legal backlash. After all, this freedom to study and create is what gave rise to the technology we have today, and it is what will give rise to the security solutions of tomorrow.

Editor’s Note: Gavin Reid recently participated as a panelist in the “National Conversation – A Trusted Cyber Future” community engagement conference organized by the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). Notes from his presentation can be found here.

Gavin Reid is VP of Threat Intelligence for Lancope Inc., where he is a driving force behind data analytics and research for threat identification and remediation. Prior to Lancope, he was Fidelity's VP of threat intelligence and responsible for preventing, detecting and ...
