Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:55 AM
Gavin Reid
Gavin Reid
Connect Directly
E-Mail vvv

We Can Allow Cybersecurity Research Without Stifling Innovation

The U.S. government is in a unique position to become a global leader in cybersecurity. But only if it retains the open spirit of the Internet that kick-started the Information Age.

Imagine a U.S. economy without Google, Microsoft, and Apple. These organizations rose out of a culture that encouraged innovation and harbored a willingness to embrace new technology and new ways of using it. Today, in the face of advanced cyberthreats and widespread compromise of sensitive data, we must take care not to dismantle this culture in the name of safety.

There is little doubt that the way the U.S. government approaches cybersecurity research needs to shift. A series of data breaches at all levels of government, which included the well-publicized leak at the Office of Personnel Management that compromised the personal information of over 21.5 million people, has highlighted the disparity between attackers and government security.

The U.S. government has long had a somewhat passive-aggressive approach to cybersecurity research, where new business is welcomed but new research that could lead to better security solutions is often kept at arm’s length -- or in the case of reverse engineering or breaking encryption, actively worked against. Net neutrality, for example, has had a stormy past with interested parties pushing their agenda over public interest.

Another counter-productive governmental tendency is the implementation of overly simplified or broad regulations. This is most recently exemplified by the proposed U.S. Bureau of Industry and Security enforcement of updates to an international arms agreement called the Wassenaar Arrangement. The updates ask for regulating technology connected to “intrusion software,” which is defined as software specially designed to avoid detection by “monitoring tools” or defeat “protective countermeasures” and either extracts and modifies data or modifies the execution path of a process to allow the execution of externally provided instructions.

Woah! We just outlawed threat intelligence, host-based intrusion detection systems, many forms of cyber security research, and who knows what else.

[For more on the Wassenaar Agreement from Katie Moussouris, read View From the Top: Government’s Role In Cybersecurity]  

Towards a healthy security culture

The cyber security landscape has changed drastically over the last decade, and the U.S. government could be an important leader as consumers and organizations learn to cope with sophisticated threats and an ever-increasing amount of digitized personal information. The challenge will be finding a balance between consumer confidence in our ability to conduct commerce, communicate and organize safely via the Internet, and maintaining the open innovation of the Internet that kick-started the Information Age in the first place.

There are several things the government can do to encourage security research and to maximize the results, creating a safer Internet in the process. Being open and welcoming to new ideas from less formal sources is a must-have. In particular, there needs to be safe harbor for those conducting legitimate security research including exposing vulnerabilities. We’ve seen researchers get in trouble for doing vulnerability research, and if that trend continues, it will hurt our ability to be an incubator for new ideas.

There also needs to be a greater focus on enabling security information sharing instead of mandating it. The Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (CISCP) is a shining example of this. CISCP allows operators of critical infrastructure systems to coordinate threat intelligence with the government and each other. This is only possible because CISCP takes care to remove identifiable and proprietary information and excludes data in the program from being used in regulation investigations, which allows the participants to share information without fear of economic disadvantage.

Lastly, we need to reform science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce. The U.S. used to have a strong IT career path that fed security organizations with smart, well-educated, and IT-savvy people. In the last 10 years, that has been dried up or offshored, and we now have a huge skills gap. Furthermore, those studying any field of computer science should receive security education.

Government, heal thyself

As for its own systems, the government needs to shift its approach to security, especially in light of how much sensitive data it holds on citizens. We have critically underfunded these areas in government. They have been handed to the lowest bidder and requirements are often out of date. In addition, government purchasing regulations need to be opened up. Because the process is so lengthy, we often see parts of the U.S. government five years or more behind in release cycles due to certification issues.

The government needs more security professionals as well, and this will require heavier funding. The skills gap we’ve created and the rapid of evolution of threat actors have placed a premium on cyber security know-how. Qualified professionals are getting snatched by private-sector organizations that can pay more than a government position. France has attempted to tackle this problem by scrapping normal government salary scales to be able to hire the best and brightest professionals from the private sector.

We are reaching a turning point in the realm of cybersecurity. Threat actors appear to be winning on multiple fronts, and actions taken today have the potential to shape the future of the Internet. The U.S. government is in a unique position to become a global leader in cyber security, but it must take care that it is promoting a culture of innovation where legitimate research can take place without fear of legal backlash. After all, this freedom to study and create is what gave rise to the technology we have today, and it is what will give rise to the security solutions of tomorrow.

Editor’s Note: Gavin Reid recently participated as a panelist in the “National Conversation – A Trusted Cyber Future” community engagement conference organized by the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). Notes from his presentation can be found here.

Gavin Reid is VP of Threat Intelligence for Lancope Inc., where he is a driving force behind data analytics and research for threat identification and remediation. Prior to Lancope, he was Fidelity's VP of threat intelligence and responsible for preventing, detecting and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.