Here’s how the US government can bolster cybersecurity
- 18 February, 2017 08:34
Almost 20 years ago, Chris Wysopal was among a group of hackers who testified before U.S. Congress, warning it about the dangers of the internet.
Unfortunately, the U.S. government is still struggling to act, he said. "You’re just going to keep ending up with the status quo," he said, pointing to the U.S. government's failure to regulate the tech industry or incentivize any change.
It’s a feeling that was shared by the experts who attended this week’s RSA cybersecurity show. Clearly, the U.S. government needs to do more on cybersecurity, but what?
Public and Private sector
Perhaps, the need for U.S. action hasn't been more urgent. In last year's election, Russia was accused of hacking U.S. political groups and figures in an effort to influence the outcome.
In addition, major internet companies, including Yahoo, have also reported huge data breaches, one of which exposed details to a billion user accounts.
The list of problems goes on and on. However, what the U.S. government's role should be in cybersecurity isn't as clear-cut as one might think. That's because most of the IT infrastructure is in the hands of the private sector, which is constantly churning out new -- and sometimes vulnerable -- tech products. But it's not always the biggest fan of regulation.
"Every year, people talk about improved collaboration between the public and private sectors," said RSA CTO Zulfikar Ramzan. "And of course, every year, it feels like we haven't made that much progress."
He predicts the state of cybersecurity will first get worse before it gets better. Nowadays, one relatively simple hack involving a phishing email can affect an entire U.S. election, like it did, last year.
Ramzan recommends that the U.S. fully outline the public and private sectors' roles in cybersecurity, as opposed to leaving this muddled. "That would help things move forward," he said. "Each respective sector can do what they do best."
For instance, the U.S. should be pushing out more standards on IT security, based on guidance from the industry. Meanwhile, the private sector can focus on developing new innovations that government bureaus can beta test and support.
Others like Wysopal, who is now CTO at Veracode, think the U.S. government is in a unique position to spark change that can reach out across the industry.
Imagine if tech vendors all suddenly decided to build securer products -- not because of any new regulation -- but because they wanted to win bids from a customer.
The U.S. government happens to be one of the biggest customers of technology. So it's in a prime position to demand tech vendors secure their products, which would pass those benefits on to other buyers such as enterprises and consumers, Wysopal said.
"It isn’t regulation. It’s securing the government and getting that ripple effect," he said.
"But they've never really done that," he added. "They've never put acquisition requirements in place. There's recommendations. But they're not as stringent as we see with the banks."
Experts at the RSA show also brought up the urgent need for the U.S. government to train new cybersecurity talent – which is scarce in today's industry – and to readily share its intelligence on the latest cyber threats, rather than wait until it's too late.
"Don’t tell us what to do, how to do it," said Jeremiah Grossman, chief of security strategy at SentinelOne. "Just tell us what's out there."
"The faster we get the data out to the masses, the sooner we can counteract," he said. "By sharing threat intel data, we force them [the hackers] to change their tactics."
But in the cyber realm, perhaps the biggest challenge facing the U.S. government is what to do about state-sponsored hacking.
The U.S. still doesn’t have a clear policy on how to retaliate, which does nothing to discourage foreign governments from striking again. But at the same time, many of these cyber attacks might be considered an act of war, said Mike Rogers, a former U.S. congressman who was chairman of the House intelligence committee.
During a panel at the RSA show, he pointed to the example of North Korea's suspected hacking of Sony Pictures in 2014, which costs millions of dollars in damages.
"Is that an act of war?" he asked. "It's so hard to come to that conclusion, because [these cyber attacks] are happening a million times a day."
In 2007, U.S. officials began realizing they needed a policy around cyberwarfare, Rogers said. But the government still isn't close to defining it, despite wrestling with the topic for years.
"We were having a hard time coming to any agreement, and we're not there yet," he said.
But clearly, something needs to change.
"I think the United States is in cyberwar and most Americans don't know it. And I'm not sure we're winning," he said.