President Obama tasked the bipartisan Commission on Enhancing National Cybersecurity, and on December 1, 2016, it released its report. This 12-person Commission comprised individuals with expertise in “federal government, public policy, research and development, law enforcement, academia, consumer matters and the management of large enterprises.”
In other words, experts as varied as a retired general, a Microsoft exec and a Georgia Tech professor collaborated on a 100-page document that we read so you don’t have to.
The Commission focused on these areas:
• federal governance
• critical infrastructure
• cybersecurity research and development
• cybersecurity workforce
• identity management and authentication
• the Internet of Things (IoT)
• public awareness and education
• state and local government cybersecurity
• insurance and international issues
They came up with 6 imperatives, which included 16 recommendations and 53 associated action items. After all, their task from the president included a focus on actionable data.
Yes, we read it all, and here are some highlights: 6 key cybersecurity issues the report raises that concern you (or should, or will, anyway).
1. The Role of the Feds
There’s lots of talk in the report about the role of the federal government in cybersecurity, just as there should be. An interesting point: what are the definitions and roles, anyway? Even within the federal government, multiple agencies (the CIA, NSA, Department of Homeland Security, etc.) all play a part in cybersecurity. When it comes to countering large-scale attacks, many of which are themselves state-sponsored, it makes sense to have a cohesive federal role.
Yes, the federal government faces some unique challenges: the legislative budget cycle, a large legacy information technology base and procurement process (that, in part, predates the digital age), and the difficulty of competing for cybersecurity talent against often-better-funded-and-incentivized private corporations. The cards seem stacked against the feds, and yet we need them to play their part.
Then again, small businesses account for 50% of the workforce, and businesses of all sizes play an important role in the cyber food chain.
Which brings us to point…
2. Education and Awareness
Every IT professional is intimately familiar with user malfunctions. Phishing scams have alarming success rates. Can you really protect the cyber infrastructure, with its interdependency of devices, when everyone is connected to the internet? In fact, the Internet of Things got its own section in the report (unsurprisingly, after recent malware attacks involving the IoT).
The report stated that, “To the maximum extent possible, the burden for cybersecurity must ultimately be moved away from the end user—consumers, businesses, critical infrastructure, and others—to higher-level solutions that include greater threat deterrence, more security products and protocols, and a safer internet ecosystem.”
Sounds lovely, except that with such low workforce awareness, that “ecosystem” is like a sieve, where households, vehicles, handheld devices and even medical devices are connected to the internet.
Leading to another interesting point, point number…
3. Innovation vs Security
The report encourages “incentives over regulation” and advises that regulation should “make the secure action easy to do and the less secure action more difficult to do.”
The inherent flaw has to do with market forces: being first to market takes precedence over being “secure to market.” With the ability to release updates later, when flaws are discovered, and the desire/demand/financial need to release new products quickly (such as apps, games, programs and even hardware), there isn’t a market incentive for security.
Of course, brand reputation, the staggering cost of dealing with a cyber-related incident, and such concerns play a part, but those all require long-term perspective, which can be fogged by short-term need.
That’s where federal regulation may play a part, but a more interesting driving force brought up in the report is point…
4. Cyber Insurance
Plenty of protection and mitigation services exist. Where most businesses fail is in the basics (see point #2 above, “Education and Awareness”). Still, the market drive for such services and products is not what it should be. Enter: cyber insurance.
With the cost of a cyber incident/intrusion to businesses growing, sometimes even putting a company out of business, the cyber insurance business is taking hold. With any luck, outside insurers will do what many companies have been failing to do: review cybersecurity plans for compliance with industry standards. Better premium rates come with a healthy intrusion management and mitigation plan.
With cyber insurance, enter market drive, but not without considering point…
5. Liberty vs Security
Maintaining civil liberties, like protection of privacy, versus the maintenance of security is the great challenge of cybersecurity, and will be for the next administration as well.
A great deal of the Commission’s report focused on the next administration, since this is the end of the Obama administration. The Commission targeted actions needed within the first 100 days of the next administration.
Can we even wait that long, given point number…
6. Global Cyber
Woven throughout the report, but also with its own section, is discussion of the inherent global nature of cybersecurity. How can the United States compete, unless organized and coordinated in its efforts, against attackers with the upper hand? Attackers, often state-sponsored, spend months or even years working in teams, planning and carrying out intrusions. Even with a team, an attack costs a fraction of what defense does.
Since attacks cross borders, often utilizing devices in multiple countries, global coordination is needed. Currently, cultural differences and legal variations make prosecution, and really even detection, of attacks difficult.
If the next administration is going to make a difference in cybersecurity, international coordination will be needed.
As for your own business, if you do nothing else, check out points #2 and #4.