For most cybersecurity professionals, the long-awaited release of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity – a voluntary set of guidelines designed to improve cybersecurity across the country – is merely a first step toward real improvement in national cybersecurity.
When the Obama administration released the framework in February, a senior administration official described it as “the beginning of what I hope will be a continuing, common-sense conversation” about critical infrastructure cybersecurity. One of the biggest challenges for any organization, the official said, is knowing when they are doing enough.
“When do you know you’ve done the best you can to protect your company, your suppliers, your customers from the adverse effects of cybersecurity threats?” the official said.
The answer to that question, of course, is you can never know when enough is enough. But what we can be sure of is that there is more to do. And to help understand what those additional steps might be, FedScoop asked four leading thinkers in national cybersecurity to tell us what they would do or change to improve the state of national cybersecurity – beyond the framework.
Ron Ross is a computer scientist and a fellow at NIST, where he leads the Federal Information Security Management Act Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure.
According to Ross, there should be more emphasis on how secure systems are designed.
“We must shift from chasing an endless supply of potential threats—our current whack-a-mole approach—to more proactively designing and building state-of-the-practice security into IT systems in the first place,” Ross said. “Stronger security architecture and systems security engineering are the key to greater trustworthiness and resiliency in our systems.”
To make the shift Ross talks about will take research and development. And that’s what Charles Brooks would focus on. Brooks, Xerox Corp.’s vice president and client executive for the Department of Homeland Security, characterizes R&D as a positive, transforming force.
“R&D is the engine that fuels secure solutions for our cyber-futures,” Brooks said. “An expanded R&D investment in new technologies, hardware, software algorithms and operational processes are needed just to keep up with the evolving threat matrix. There are no areas on the cybersecurity spectrum that do not need more R&D to help fill capability gaps.”
Brooks suggests a closer partnership between the private sector, academia and the national laboratories. Such a partnership could help produce tactical and long-term strategic cybersecurity solutions quicker, he said.
“The national labs could also provide a reservoir of specialized technical capabilities and the best state-of-the art facilities for testing and evaluation of cybersecurity technologies,” Brooks said.
DHS is currently working with private sector entities on “leap-ahead technologies” under the Comprehensive National Cybersecurity Initiative. These R&D efforts seek to identify and execute high-risk, but high-payoff projects that may significantly advance current cybersecurity capabilities.
“Expansion of that cooperative work and an influx in additional R&D investment across government and the private sector in a coordinated effort will reap benefits for years to come,” Brooks said.
Expand cybersecurity responsibilities
Michael Assante is the co-founder and chief security strategist with NexDefense in San Mateo, Calif. A former Naval intelligence officer, Assante also serves on the board for the Council on Cybersecurity and the ICS & SCADA lead for the SANS Institute. And for Assante, cybersecurity has been relegated to the realm of technologists and engineers for far too long.
“I would change the way we think about cybersecurity by expanding the box,” Assante said. “A common mindset of executives and administrators is to consider cybersecurity as primarily the responsibility of technologist and information systems employees.” That has to change, he said.
“In many cases, we have been addressing the cybersecurity challenge as if it were an overly defined technical problem reserved for a few specialists to manage,” Assante said. “This folly has left us marshaling too few resources, making cybersecurity someone else’s problem or decision. It is time for us to change our mindset and involve business leaders, supervisors and engineers in our effort to enhance the security of our digital systems and data.”
Pass meaningful legislation
Cybersecurity legislation capable of satisfying both government and private sector interests has proven elusive. And while the politics and the vested interests may seem insurmountable, most experts agree legislation remains a critical component to the future improvement of national cybersecurity.
Adm. Jamie Barnett is a partner with Venable LLP in Washington, D.C., and has been following the legislative and policy landscape closely. A 30-year veteran of the Navy, Barnett also served as the chief of the Public Safety and Homeland Security Bureau at the Federal Communications Commission.
For Barnett, the framework is a critical first step toward helping small and medium-size businesses improve their cybersecurity posture. But in the end, greater incentives will be needed to ensure adoption. And the only way to create the proper incentives is through legislation.
“Cybersecurity has dropped through the cracks of gridlock in Washington, and that needs to change in 2014 with meaningful cyber-legislation,” Barnett said. “The framework will help unsophisticated businesses, large and small, move toward better cybersecurity, but there is a strong possibility that greater incentives, including financial incentives, will be required. Legislation is the only avenue.”
According to Barnett, lawmakers need to begin treating cybersecurity in the same bipartisan fashion they treat national defense. That mindset can be achieved, Barnett said, with the recognition of four essential principles:
- The real cyber-fight is in the private sector;
- The proper role of government in the cyber-fight is to bolster private action;
- The market has already proven it will not bear a higher level of cybersecurity; and
- The government should provide tangible and financial incentives, not to just raise the floor, but to raise the bar of effective cybersecurity.
“We need more than just information sharing; we need a serious legislative effort at limitations of liability, tax incentives to upgrade cybersecurity especially for critical infrastructure and even an examination of self-defense in cyberspace,” Barnett said.
“Until we do, we will not have the level or speed of improvement that we need, and we will never address longer-term problems like defeating Internet route hijacking, communications supply chain threats and several other serious cybersecurity problems that are beyond the scope of the cybersecurity framework,” he said.