Obama Focuses on Cyber but Two Key Issues Need to Be Addressed

“If we don’t act, we’ll leave our nation and our economy vulnerable” – President Obama.

In case you missed it, that’s President Obama calling out cyber security at this week’s State of the Union address. Wow!

For anyone working in information security (or if you’ve even just read the newspaper or watched the news recently) you know cyber crime, cyber espionage, and the overall state of information security is a very hot topic.

While I applaud the President, his staff, and Congress for putting more focus on our field, more needs to be done.

In his address, the President said that we shouldn’t be vulnerable, but I believe he wasn’t strong enough in describing this pandemic. The reality is that we are at war and we are losing.

The amount of trade secrets, financial information, and sensitive data leaving our companies and government agencies is staggering. This is a top national security issue and everyone should know that.

Companies are losing their competitive edge to overseas competitors. This might not have an immediate impact, but as foreign nations position their economic and political strategies, they can take slow, subtle steps forward until one day, the United States is no longer able to compete. This is a serious problem that requires a call to arms NOW.

The proposed legislation is a good step forward, but it largely focuses on three areas:

  • Intelligence sharing
  • Law enforcement prosecution power
  • Data breach reporting

While I am excited for all three, I think only intelligence sharing actually helps combat the true problem. State-sponsored military units will not be prosecuted by our law enforcement, nor will the organized mafias in Eastern Europe and Asia. And while data breach reporting requirements should be supported, that’s merely educating the consumer that their information was lost.

Breach disclosure is not actually trying to prevent or lessen the losses suffered in the technical sense. It’s merely streamlining the reaction and response from a PR and privacy notification standpoint.

There are two main information-security issues that I hope the President, Congress, and others call out more directly to the public:

1) The shortage of information security professionals: While this is something the White House briefly touches on, it needs more focused attention.

People discover and respond to breaches using technology – environments are too complicated to leave prevention, detection, and response entirely up to automated algorithms. So, we need more people and effective operations around those people to truly position ourselves to combat attackers.

2) We need to make it much more difficult for the bad guys to succeed: Just because a malicious actor makes it to one of your desktops does not mean there should be high dwell time or massive data loss. Cyber resiliency needs to be a focus.

It’s time we think about creating a cyber “fire marshal” – an official who inspects and helps companies maintain best practices and proper security posture. Our focus today should be about moving beyond threat hunting to risk hunting. Let’s find the holes, fix them, and repeat, over and over, never stopping.

I get a chuckle when I say “best practices” because a lot of companies aren’t even employing “standard” practices. Regardless, we need help. We need to continue to pour money into cyber security innovation and entrepreneurship, but we also need better blocking and tackling by IT and the first-level cyber defenders. We need government incentives to help drive cyber defense in a collective manner. The economics of prevention, resiliency, and risk reduction need to be much more beneficial than just buying cyber insurance.

I want to reinforce that I am happy that the highest levels of government understand there’s a cyber security problem. It is great that they are bringing cyber issues to light on the biggest stages, but more needs to be done.

The breaches we see on the news are only a fraction of the attacks that actually occur. Data breaches are a rampant problem, and we need to stand tall now to fight back against motivated attackers. This is our call to arms.

David Toy, CFE, CPP, CISM, CISA, CGEIT, CRISC

SVP, Information Security and Enterprise IT (CISO)

10 years ago

Technical Debt translates to Security Debt. Do we need more professionals with a background in business, operations, information technology, security, etc. and double dose of common sense?!?

Matt Nelson

Cyber Security Advisor - Threat Hunt Lead @ FedEx | GCIH, GCTI, OSCP

10 years ago

Do we need more security professionals, or do we need more experienced IT professionals that have an interest/passion in IT security? We will be in deeper trouble if a security credential/degree ultimately makes up our corps of security professionals, especially if they have no operational IT experience. If we thought the disconnect between IT & IT Security is big now, wait till that wave hits... We should be recruiting seasoned IT folks into IT Security vs. trying to create them. Just my 2¢..


I would like to point out that Security has generally been the black sheep of companies: underfunded and overworked up until there is an incident, and generally that's the time you're able to get funding, head count, and probably more attention than you wanted.

Kandy Z.

Cyber Strategist, Cyber OSINT

10 years ago

I agree, Benjamin Johnson. However, I would also add that we do not currently have the technology to protect our data, secure code, or secure protocols. I will also add that there is a major assault on encryption at this point in time. We have already left our nation and economy vulnerable for over a decade now, which is made apparent by the fact that 97% of US businesses have been breached and 85% of Americans have suffered identity theft. In 2012, it was estimated that the Chinese government had stolen four times the data that is in the Library of Congress, and it continues to steal because we have given it no reason to stop. It still amazes me how little these facts are mentioned by members of our government when they speak of cybersecurity. This will start to abate only when we deal with it as a global crisis, requiring a global response. I have not seen that yet.
