Gavin Reid
We Can Allow Cybersecurity Research Without Stifling Innovation

The U.S. government is in a unique position to become a global leader in cybersecurity. But only if it retains the open spirit of the Internet that kick-started the Information Age.

Imagine a U.S. economy without Google, Microsoft, and Apple. These organizations rose out of a culture that encouraged innovation and harbored a willingness to embrace new technology and new ways of using it. Today, in the face of advanced cyberthreats and widespread compromise of sensitive data, we must take care not to dismantle this culture in the name of safety.

There is little doubt that the way the U.S. government approaches cybersecurity research needs to shift. A series of data breaches at all levels of government, which included the well-publicized leak at the Office of Personnel Management that compromised the personal information of over 21.5 million people, has highlighted the disparity between attackers and government security.

The U.S. government has long had a somewhat passive-aggressive approach to cybersecurity research, where new business is welcomed but new research that could lead to better security solutions is often kept at arm’s length -- or in the case of reverse engineering or breaking encryption, actively worked against. Net neutrality, for example, has had a stormy past with interested parties pushing their agenda over public interest.

Another counter-productive governmental tendency is the implementation of overly simplified or broad regulations. This is most recently exemplified by the proposed U.S. Bureau of Industry and Security enforcement of updates to an international arms agreement called the Wassenaar Arrangement. The updates ask for regulating technology connected to “intrusion software,” which is defined as software specially designed to avoid detection by “monitoring tools” or defeat “protective countermeasures” and either extracts and modifies data or modifies the execution path of a process to allow the execution of externally provided instructions.

Whoa! We just outlawed threat intelligence, host-based intrusion detection systems, many forms of cyber security research, and who knows what else.

[For more on the Wassenaar Agreement from Katie Moussouris, read View From the Top: Government’s Role In Cybersecurity]  

Towards a healthy security culture

The cyber security landscape has changed drastically over the last decade, and the U.S. government could be an important leader as consumers and organizations learn to cope with sophisticated threats and an ever-increasing amount of digitized personal information. The challenge will be finding a balance between consumer confidence in our ability to conduct commerce, communicate and organize safely via the Internet, and maintaining the open innovation of the Internet that kick-started the Information Age in the first place.

There are several things the government can do to encourage security research and to maximize the results, creating a safer Internet in the process. Being open and welcoming to new ideas from less formal sources is a must-have. In particular, there needs to be safe harbor for those conducting legitimate security research including exposing vulnerabilities. We’ve seen researchers get in trouble for doing vulnerability research, and if that trend continues, it will hurt our ability to be an incubator for new ideas.

There also needs to be a greater focus on enabling security information sharing instead of mandating it. The Department of Homeland Security’s Cyber Information Sharing and Collaboration Program (CISCP) is a shining example of this. CISCP allows operators of critical infrastructure systems to coordinate threat intelligence with the government and with each other. This is only possible because CISCP takes care to remove identifiable and proprietary information and excludes data in the program from being used in regulatory investigations, which allows the participants to share information without fear of economic disadvantage.

Lastly, we need to reform science, technology, engineering, and mathematics (STEM) education to create a strong cyber workforce. The U.S. used to have a strong IT career path that fed security organizations with smart, well-educated, and IT-savvy people. In the last 10 years, that path has dried up or been offshored, and we now have a huge skills gap. Furthermore, those studying any field of computer science should receive security education.

Government, heal thyself

As for its own systems, the government needs to shift its approach to security, especially in light of how much sensitive data it holds on citizens. We have critically underfunded these areas in government. They have been handed to the lowest bidder and requirements are often out of date. In addition, government purchasing regulations need to be opened up. Because the process is so lengthy, we often see parts of the U.S. government five years or more behind in release cycles due to certification issues.

The government needs more security professionals as well, and this will require heavier funding. The skills gap we’ve created and the rapid evolution of threat actors have placed a premium on cyber security know-how. Qualified professionals are being snatched up by private-sector organizations that can pay more than a government position. France has attempted to tackle this problem by scrapping normal government salary scales to be able to hire the best and brightest professionals from the private sector.

We are reaching a turning point in the realm of cybersecurity. Threat actors appear to be winning on multiple fronts, and actions taken today have the potential to shape the future of the Internet. The U.S. government is in a unique position to become a global leader in cyber security, but it must take care that it is promoting a culture of innovation where legitimate research can take place without fear of legal backlash. After all, this freedom to study and create is what gave rise to the technology we have today, and it is what will give rise to the security solutions of tomorrow.

Editor’s Note: Gavin Reid recently participated as a panelist in the “National Conversation – A Trusted Cyber Future” community engagement conference organized by the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). Notes from his presentation can be found here.

Gavin Reid is VP of Threat Intelligence for Lancope Inc., where he is a driving force behind data analytics and research for threat identification and remediation. Prior to Lancope, he was Fidelity's VP of threat intelligence and responsible for preventing, detecting and ...
