Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

9/1/2015
10:55 AM
Gavin Reid
Gavin Reid
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

We Can Allow Cybersecurity Research Without Stifling Innovation

The U.S. government is in a unique position to become a global leader in cybersecurity. But only if it retains the open spirit of the Internet that kick-started the Information Age.

Imagine a U.S. economy without Google, Microsoft, and Apple. These organizations rose out of a culture that encouraged innovation and harbored a willingness to embrace new technology and new ways of using it. Today, in the face of advanced cyberthreats and widespread compromise of sensitive data, we must take care not to dismantle this culture in the name of safety.

There is little doubt that the way the U.S. government approaches cybersecurity research needs to shift. A series of data breaches at all levels of government, which included the well-publicized leak at the Office of Personnel Management that compromised the personal information of over 21.5 million people, has highlighted the disparity between attackers and government security.

The U.S. government has long had a somewhat passive-aggressive approach to cybersecurity research, where new business is welcomed but new research that could lead to better security solutions is often kept at arm’s length -- or in the case of reverse engineering or breaking encryption, actively worked against. Net neutrality, for example, has had a stormy past with interested parties pushing their agenda over public interest.

Another counter-productive governmental tendency is the implementation of overly simplified or broad regulations. This is most recently exemplified by the proposed U.S. Bureau of Industry and Security enforcement of updates to an international arms agreement called the Wassenaar Arrangement. The updates ask for regulating technology connected to “intrusion software,” which is defined as software specially designed to avoid detection by “monitoring tools” or defeat “protective countermeasures” and either extracts and modifies data or modifies the execution path of a process to allow the execution of externally provided instructions.

Woah! We just outlawed threat intelligence, host-based intrusion detection systems, many forms of cyber security research, and who knows what else.

[For more on the Wassenaar Agreement from Katie Moussouris, read View From the Top: Government’s Role In Cybersecurity]  

Towards a healthy security culture

The cyber security landscape has changed drastically over the last decade, and the U.S. government could be an important leader as consumers and organizations learn to cope with sophisticated threats and an ever-increasing amount of digitized personal information. The challenge will be finding a balance between consumer confidence in our ability to conduct commerce, communicate and organize safely via the Internet, and maintaining the open innovation of the Internet that kick-started the Information Age in the first place.

There are several things the government can do to encourage security research and to maximize the results, creating a safer Internet in the process. Being open and welcoming to new ideas from less formal sources is a must-have. In particular, there needs to be safe harbor for those conducting legitimate security research including exposing vulnerabilities. We’ve seen researchers get in trouble for doing vulnerability research, and if that trend continues, it will hurt our ability to be an incubator for new ideas.

There also needs to be a greater focus on enabling security information sharing instead of mandating it. The Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (CISCP) is a shining example of this. CISCP allows operators of critical infrastructure systems to coordinate threat intelligence with the government and each other. This is only possible because CISCP takes care to remove identifiable and proprietary information and excludes data in the program from being used in regulation investigations, which allows the participants to share information without fear of economic disadvantage.

Lastly, we need to reform science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce. The U.S. used to have a strong IT career path that fed security organizations with smart, well-educated, and IT-savvy people. In the last 10 years, that has been dried up or offshored, and we now have a huge skills gap. Furthermore, those studying any field of computer science should receive security education.

Government, heal thyself

As for its own systems, the government needs to shift its approach to security, especially in light of how much sensitive data it holds on citizens. We have critically underfunded these areas in government. They have been handed to the lowest bidder and requirements are often out of date. In addition, government purchasing regulations need to be opened up. Because the process is so lengthy, we often see parts of the U.S. government five years or more behind in release cycles due to certification issues.

The government needs more security professionals as well, and this will require heavier funding. The skills gap we’ve created and the rapid of evolution of threat actors have placed a premium on cyber security know-how. Qualified professionals are getting snatched by private-sector organizations that can pay more than a government position. France has attempted to tackle this problem by scrapping normal government salary scales to be able to hire the best and brightest professionals from the private sector.

We are reaching a turning point in the realm of cybersecurity. Threat actors appear to be winning on multiple fronts, and actions taken today have the potential to shape the future of the Internet. The U.S. government is in a unique position to become a global leader in cyber security, but it must take care that it is promoting a culture of innovation where legitimate research can take place without fear of legal backlash. After all, this freedom to study and create is what gave rise to the technology we have today, and it is what will give rise to the security solutions of tomorrow.

Editor’s Note: Gavin Reid recently participated as a panelist in the “National Conversation – A Trusted Cyber Future” community engagement conference organized by the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). Notes from his presentation can be found here.

Gavin Reid is VP of Threat Intelligence for Lancope Inc., where he is a driving force behind data analytics and research for threat identification and remediation. Prior to Lancope, he was Fidelity's VP of threat intelligence and responsible for preventing, detecting and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...