No Blue Pill for Cybersecurity Failures
A few weeks ago, I was asked to comment on the "most underestimated IT security threat". My answer was "us". The full post is here. My conclusion is going to be valid for 2017 and at least the next 10-20 years. Why? Because there are no magic pills to prevent cybersecurity failures. Only your own diligence and knowledge. The problem is we have grown accustomed to someone else solving these types of problems. Look at health issues. If you watch evening TV, you will be amazed at the number of drugs being marketed to improve lifestyle. Most of these challenges can be mitigated by simple diet and exercise, but that does require discipline and self-knowledge. For cyber threats, there's plenty at stake. Our democratic processes, privacy and financial well-being. But we are going to have to defend these.
A recent column from Hiawatha Bray makes the same point: to create a safe Internet, we all need to be actively involved. Mr. Bray recalls the days of nuclear bomb shelters and civil defense exercises, long gone out of favor. If cyber defense exercises won't get people engaged today, what will, short of a "cyber Pearl Harbor"?
The Commission on Enhancing National Cybersecurity, referred to in my last blog post, considers consumer based cybersecurity efforts to be a national imperative. Their recommendations include:
- Sustained awareness campaign at the national level
- Better security educational efforts from vendors of digital products
- Research on security and usability of digital products
These efforts haven't made much progress in the past. As the Commission pointed out, past awareness campaigns were carried out by technology focused organizations, such as DHS. Before you dismiss all new initiatives, take a look at this site describing the top ad campaigns of the 21st century. Cybersecurity awareness needs participation from experts in advertising and public messaging. Combine their level of creativity and a strong social media campaign, and I can see a new type of cybersecurity awareness campaign getting traction next year.
Posted on 12/21/2016 10:41 AM by Fred Scholl
Presidential Cybersecurity Commission Makes Some Good Suggestions
President Obama's Commission on Enhancing National Cybersecurity issued its report on December 1, and I thought it had some good recommendations. I was expecting a long list of regulatory requirements, but did not find those. Now we have to wait to see if the incoming President chooses to follow the recommendations.
The report contents was divided into six imperatives and 16 recommendations. The recommendations were backed up with action items. The major recurring idea in the report was that of public-private partnerships. Another one was the use of incentives to encourage the adoption of good cyber security programs. There were many specific steps that the group documented.
Here are some of the high points that caught my attention:
- Creation of a National Cybersecurity Private-Public Program (NCP3) to address collaboration of public and private sectors in cyber defense. This is needed, since we don't have a template to use in the event of a major incident.
- Strong authentication: government services should offer strong authentication to citizens; agencies should require strong authentication by employees and contractors; the government should determine how it can provide identity proofing for all.
- The NIST Cyber Security Framework (CSF) gets prime billing. Recommendations are that it should be required in government agencies, promoted in the private sector and promoted internationally.
- Incentives should be provided for companies that follow good cyber risk management principles.
- Significant focus on helping SMB markets.
- Recommendation to increase funding for cybersecurity in civilian federal agencies by $4 billion over 10 years.
- Development of a cybersecurity nutritional label to help educate consumers.
- Workforce improvement: 100,000 new cybersecurity practitioners by 2020; 50,000 new apprentice level practitioners by 2020.
- Mandatory training program for managers and executives.
- Move federal agencies from security requirements management to enterprise risk management.
The whole report is worth reading and can be found here.
Posted on 12/06/2016 3:19 PM by Fred Scholl