Defense Industrial Base
Cybersecurity in the Defense Industrial Base
WHAT MAKES THE DIB SECTOR UNIQUE
The defense industry has a different economic model than most industries, and investing in cyber protection is not a function of traditional economic risk management. Top-tier defense companies sell to national governments with few alternatives, and the Pentagon is unlikely to opt for lower cost products from rival nations, especially should the design suspiciously resemble American-made technology.
The defense industry invests in cybersecurity, despite the lack of traditional economic interest, out of a fundamentally patriotic sense of responsibility to our warfighters and because strong data and network security are essential to brand credibility when doing business with the military.
However, small- and medium-sized businesses (SMBs) lower in the defense supply chain have a greater proportion of commercial business than defense business. The greater the commercial component of a business, the more the traditional economic risk-assessment calculations predominate. The financial conditions facing SMBs do not afford them the luxury of uneconomic investments in cybersecurity.
Differences in incentive structures have created a two-tiered defense ecosystem. One tier contains the large, well-funded system integrators and the other everyone else. Into this mix, DoD has introduced new compliance requirements in an attempt to artificially influence traditional economics-based risk-management calculations.
CHALLENGES FACING THE NEW ADMINISTRATION
Modern weapons systems are built via a supply chain hundreds of companies long, spanning multiple countries and subject to cyber manipulation. Defense developers and innovators are at risk of intellectual property theft through cyber espionage. Second-tier nations skip generations of research and development, becoming competitive with US weaponry, and the economic losses portend negative downstream effects on future investment and innovation.
Government reporting and information-sharing requirements are confusing and divert resources away from security to compliance. New regulations have significantly increased costs of doing business with the government and shifted cybersecurity focus from incentives, as called for in Executive Order 13636, to compliance with standards. These increased costs dwarf information technology budgets for small businesses. However, compliance alone will not generate security and must not be confused with it.
The collaboration process codified in the Defense Industrial Base Framework Agreement has been successful but is labor-intensive. Cyber threats have expanded to attack the defense supply chain, an ecosystem of smaller, less cyber-capable companies, ill-suited for such processes.
Cybersecurity policies assume US-based companies operating on American soil. Yet reductions in defense spending led many companies to expand their presence overseas, creating a very different set of dynamics for cyber defense in the sector. The requirements levied by the International Traffic in Arms Regulations (ITAR) drive the defense industry to maintain two distinct networks, one for US persons and one for non-US employees, making a unified cyber defense both difficult and expensive. Privacy laws in many countries also make a unified monitoring environment difficult.
Most countries now require coproduction or offset suppliers. As the demand for coproduction rises in the value chain, so does the need to defend the networks of suppliers, resulting in policy challenges to the defense industry in two areas: first, current information-sharing policies preclude open sharing of information with foreign partners; second, the Defense Federal Acquisition Regulation Supplement (DFARS) rules on safeguarding covered defense information mandate application of NIST controls (NIST SP 800-171) to overseas suppliers any time covered information is involved. But few foreign companies are likely to submit themselves to DoD-imposed standards, leaving defense companies to choose between continuing with a foreign supplier who is out of compliance or abandoning the supplier and failing to meet contractual offset requirements.
INSTITUTE A TIERED MODEL FOR GRADING CYBERSECURITY COMPETENCY
The current regulatory compliance model is binary: either comply with everything or fail. It should be turned into an incentive model with different tiers of compliance, where each level represents a concrete improvement in security. Companies could then prioritize their efforts, and the government and larger defense contractors could tailor contract requirements to a given level of security, incentivizing suppliers to move to the next tier to gain eligibility for larger contracts. This would transform the compliance environment into a competitive one, in which defense companies advance tiers to set themselves apart from their peers or gain market share.
A maturity model would also allow small- and medium-sized defense contractors to realistically participate.
INFORMATION SHARING BEYOND THE ELITES
Current close-hold information-sharing methods are designed for companies with the infrastructure and staff capable of manually receiving complex threat data, evaluating these data for their environment, and applying them to any number of defensive systems. Small companies cannot do this.
Instead, sharing with small companies requires a passive model in which the company accepts threat data through an automated system that applies the data to its network. The Pentagon needs to work with industry to create a broader information-sharing environment that is affordable and passive. Defense can allow large system integrators to share DoD-provided unclassified threat indicators with defense contractors in their supply chain via automated monitoring systems. Extending sharing to the supply chain can have a high payoff at a low cost.
DOD SHOULD MOVE TO BETTER ACCOMMODATE A GLOBAL DEFENSE INDUSTRIAL BASE
Defense needs to work with industry to develop operating concepts for cyber defense in an increasingly global market. Compliance regimes and information-sharing processes must both be modified to accommodate overseas suppliers and coproduction agreements. They must also work to develop a way to share cyber-defense information with foreign suppliers of critical items. DoD should work with NIST to identify an acceptable international standard that can serve, for overseas suppliers, as a substitute for the US requirements for safeguarding controlled defense information.
THE PENTAGON NEEDS TO INCREASE ITS FOCUS ON SMALL BUSINESSES
Defense depends on small businesses to support its missions, spark innovation, and develop technologies to support soldiers. While the Office of Small Business Programs (OSBP) has acknowledged that cybersecurity is an important and timely issue for small businesses, it has not identified or disseminated any cybersecurity resources in its outreach and education efforts to defense-sector small businesses. The next administration should ensure cybersecurity is a part of the OSBP's outreach and take steps to stabilize the office's performance and leadership team.
Cybersecurity in the Banking and Financial Sector
WHAT MAKES THE FINANCIAL SERVICES SECTOR UNIQUE
Banks and other financial institutions remain a top target for cyberattacks, whether for financial gain, data theft, or retaliation. Today's consumers have higher expectations about service, given the proliferation of technologies available to them. Consumers are more likely to shop around for products and be more interested in direct and mobile channels. As the use of innovations such as mobile devices and applications for consumer banking has exploded, so has the exploitation of those devices.
Commercial banking, too, has seen tremendous benefits from technology and is poised to reap even more as the new distributed ledger system, known as blockchain, enters the mainstream. More than half of exchanges surveyed by the International Organization of Securities Commissions and the World Federation of Exchanges in 2013 reported experiencing a cyberattack during the previous twelve months. Nor is the insurance industry immune to the changes in how business is conducted in today's interconnected society. Insurers are prime targets, given the richness of their data: credit-card information, medical information, and other underwriting information.
CHALLENGES FACING THE NEW ADMINISTRATION
The current regulatory model for cybersecurity does not work. Cyber technology and attack methods change constantly, and the regulatory process is inherently time consuming and cumbersome.
The financial services sector continues to see an increase in disparate and fragmented cybersecurity regulation. For many institutions, it began with the Federal Financial Institutions Examination Council releasing in June 2015 a Cybersecurity Assessment Tool incorporating concepts from the voluntary NIST Cybersecurity Framework. Member agencies use the tool in regulatory inquiries. As a result, many large financial institutions expend immense amounts of time and resources determining how to demonstrate compliance.
Complicating matters further, financial institutions receive similar cybersecurity inquiries from different regulators, even from different offices of the same regulator. These duplicative reporting requirements ask largely the same questions but require exhaustive tailoring for each regulator. And the SEC is becoming ever more assertive in monitoring the cybersecurity of broker-dealers and registered investment advisers, even testing firms’ implementation of cybersecurity controls.
Technology innovations have eliminated borders for criminal enterprises. Attackers can exploit vulnerabilities from anywhere and impact entire networks in a matter of seconds. This poses a tremendous risk of cascading failure across the sector. Phishing is a main pathway for cyber theft, and spear-phishing is even more pernicious. The use of phishing is widespread, unrelenting, and a low-cost, high-payoff technique for attackers.
Mobile banking is a boon for consumers but opens up a new front for attackers to exploit. Cyber thieves craft malicious apps targeting banking data, but it’s not just banking apps that pose a cybersecurity challenge.
GOVERNMENT SHOULD RETHINK ITS APPROACH TO CYBERSECURITY
The federal government's credibility in educating, let alone regulating and mandating, cybersecurity practices is severely undermined by its track record of inefficiency. Agencies have yet to adjust to the interconnected nature of cybersecurity, approaching it as if it were a static problem addressable through existing formulations. Punitive checklist compliance is a waste of resources. The number of regulatory agency examiners with specialized information technology training is low, and much of the government's shared cyber-threat data is out of date and so stripped of context as to be useless.
HARMONIZE, STREAMLINE, AND IMPROVE REGULATIONS
Regulatory and legislative mandates and compliance frameworks that address information security for the financial sector, such as Sarbanes-Oxley, Gramm-Leach-Bliley, the Fair and Accurate Credit Transactions Act, as well as state compliance regimes, must be consolidated and streamlined.
Regulations should encourage banks to take a risk-based approach, customized to the threats they face and taking into account the bank's business model and the resources available to it. Using a standard mechanism such as the NIST Cybersecurity Framework to align the proliferation of different legal and regulatory cybersecurity requirements would harmonize them and give the industry unified fundamental guidance for developing cybersecurity policies and practices.
Toss the Password into the Dustbin of History
“Killing the password” has been a long-standing Obama administration priority, one that it reiterated in the Cybersecurity National Action Plan unveiled in February 2016. The new administration should accelerate the work of the National Strategy for Trusted Identities in Cyberspace, a program charged in 2011 with creating market conditions favorable to a wholesale replacement of passwords. Today, it's clear the effort has stalled.
Incentivize ISPs to Become More Active in Cybersecurity
ISPs are critical players in improving cybersecurity across the Internet but are not incentivized to implement well-established security protocols, such as the DNS Security Extensions (DNSSEC) and BGPsec, that would make DNS spoofing and route hijacking, and the attacks built on them, harder for adversaries. We are not advocating for heavy-handed regulation but a common set of strong security standards that ISPs can be evaluated against in the marketplace, much like the “5-star safety rating” system developed years ago by the National Highway Traffic Safety Administration.
Adopt Antiphishing Technology
The existing Internet technology standard known as DMARC (Domain-based Message Authentication, Reporting, and Conformance) should be implemented across the federal government and more widely in the private sector. DMARC builds on SPF and DKIM: a domain owner publishes a DNS record stating what receivers should do with mail that fails authentication, and receivers report back. A record with a monitoring-only policy (p=none) provides visibility but stops no spoofed mail; the antiphishing benefit comes only once the policy is moved to quarantine or reject.
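The following added example (not part of the original report) shows what a receiver actually does with a DMARC record: it parses the published tags, applies the SPF/DKIM identifier-alignment rules, and returns the disposition the record calls for. Two records are constructed inline for illustration (one monitoring-only, one enforcing); a real receiver would fetch them from the `_dmarc.<domain>` TXT record. The organizational-domain helper is a deliberate simplification (last two labels) where a real implementation consults the Public Suffix List, and subdomain policy (`sp=`) is not modelled.

```python
"""DMARC receiver logic: parse a policy record, check alignment, decide disposition.

Added example; the DNS records and message identities below are constructed.
"""

# Constructed sample records, as they would appear in _dmarc.example.gov TXT.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.gov"
ENFORCING = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc@example.gov; ruf=mailto:forensics@example.gov")

# Tag defaults from RFC 7489: relaxed alignment, policy applied to 100% of mail.
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag=value pairs, filling in RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return {**DMARC_DEFAULTS, **tags}


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Assumption: a real
    receiver uses the Public Suffix List so that e.g. 'example.co.uk' works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the RFC5322.From
    domain; relaxed ('r') needs only the same organizational domain."""
    if not auth_domain:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate(policy: dict, from_domain: str, spf_domain, spf_result: str,
             dkim_domain, dkim_result: str) -> str:
    """Return the DMARC disposition for one message: 'pass' if either SPF or DKIM
    passed AND is aligned with the From domain, otherwise the record's p= value."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


def findings(policy: dict) -> list:
    """Flag settings that leave a DMARC deployment weaker than it appears."""
    out = []
    if policy["p"] == "none":
        out.append("p=none only monitors; spoofed mail is still delivered")
    if int(policy["pct"]) < 100:
        out.append(f"pct={policy['pct']}: policy applied to only part of failing mail")
    if "rua" not in policy:
        out.append("no rua= address: no aggregate reports, so abuse stays invisible")
    return out


if __name__ == "__main__":
    for name, record in (("monitor-only", MONITOR_ONLY), ("enforcing", ENFORCING)):
        pol = parse_dmarc(record)
        # A spoof: From example.gov, SPF passes for the attacker's own domain, no DKIM.
        spoof = evaluate(pol, "example.gov", "attacker.example", "pass", None, "none")
        # Legitimate mail signed by the From domain itself.
        legit = evaluate(pol, "example.gov", None, "none", "example.gov", "pass")
        print(f"{name}: spoof -> {spoof}, legitimate -> {legit}, findings={findings(pol)}")
```

The run shows the point made above: under the monitoring-only record the spoofed message is still delivered (disposition `none`), while the enforcing record rejects it and still passes properly signed mail. Note that strict alignment (`adkim=s`) also rejects mail signed by a subdomain such as `mail.example.gov`, so tightening alignment must be coordinated with every service that sends on the domain's behalf.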
ENCOURAGE DEVELOPMENT OF MORE CYBERSECURITY EXPERTS
The new administration should consider leveraging the federal science, technology, engineering, and mathematics program to promote wider interest among students in technology jobs. The current national goal of graduating an additional one million students with STEM majors should be reassessed with an eye toward increasing both that number as well as the number of technology graduates represented within it.
The Role of Cyber Insurance in promoting Cybersecurity
Insurance exists to help companies and individuals manage the financial impact of unexpected events. Demand for cyber insurance is rapidly increasing, but take-up rates vary on the basis of company size, industry sector, value of data assets, and regulatory requirements. Companies that purchase cyber insurance generally are buying modest limits. A recent survey of risk managers suggests that nearly 60 percent buy less than $20 million of coverage.
CYBER INSURANCE—PRODUCT AND SERVICE
The insurance industry has created a system to help companies plan, prepare for and respond to incidents. Insurers frequently conduct in-depth reviews of company cybersecurity frameworks during the underwriting process. Insurers also offer a suite of ex-ante and ex-post services that minimize the likelihood and impact of a breach.
While the market is advancing quickly, there are several inhibiting factors that constrain its full capacity:
• Disparate company preparedness and investment.
• Lack of suitable data for modeling.
• Challenges of risk aggregation and correlation.
• Weak public understanding of the significance of cyberattacks.
• Competing priorities and opportunity costs of insurance purchases.
• Shortage of qualified talent to address the risk.
• Rapid growth of the Internet of Things and resultant risks.
TAX INCENTIVES FOR CYBERSECURITY INVESTMENT
The government should encourage cybersecurity investment, whether through tax incentives for such investments or for the purchase of cyber insurance. The latter would ensure that more companies are subjected to an independent review of their cybersecurity framework. Companies that partner with cyber insurers also have strong economic incentives to continually improve security practices, which raises the overall level of national preparedness.
GOVERNMENT INTELLIGENCE SHARING
Some Information Sharing and Analysis Centers (ISACs) are more effective than others, and it would be beneficial to enhance all of them to ensure a consistent level of information and engagement across industry sectors. While participation in such groups is voluntary, the federal government can incentivize strong participation by using these forums to deliver timely and highly valuable intelligence on emerging cybersecurity threats.
SCENARIO PLANNING WORKSHOPS
The insurance industry is prepared to facilitate cross-industry cyber scenario workshops. These would involve federal government agencies, universities, corporations, and other participants. The workshops would focus on designing and implementing scenario analysis to better understand the types of attacks that could impact the private and public sector.
The government's program to certify universities and provide loan forgiveness to students who major in cybersecurity and work for the government is a very good start. We recommend continuing to invest in such programs to ensure that a suitable pool of talent is developed and that companies can draw on this pool. Federal funding for research at nonprofits and universities would also dramatically improve the level of knowledge in the field.
PUBLIC SERVICE CAMPAIGN
We also recommend creating a public campaign similar to the “Say No to Drugs” campaign. Additionally, educational materials should be developed and delivered to midsized and small businesses through various channels such as the Small Business Administration and other governmental programs.
GEOPOLITICAL RISK MANAGEMENT
Companies are incapable of protecting against sophisticated, well-funded nation-state attacks. As such, the DHS, FBI, and NSA need to take the lead in protecting the country against such attacks through appropriate offensive and defensive means. Further, intelligence gained from such actions should be shared openly with the private sector to enhance understanding of threats and allow for preparedness.
CLARIFY THE TERRORISM RISK INSURANCE ACT
Large-scale terrorist attacks launched by cyber means should qualify as certified acts of terrorism and trigger TRIA for covered lines. Additionally, greater clarity on what constitutes an act of cyber war would be helpful to ensure that all parties are clear if, and when, an event occurs.
LEGAL AND REGULATORY IMMUNITY
The federal government should consider legal or regulatory immunity for companies that develop products to prevent and address cyberattacks. The federal government should also consider extending the SAFETY Act to include liability limitations for certified products and services that are designed to prevent or mitigate loss from cyber terrorism and cyber-criminal activity.
SOFTWARE AND HARDWARE SECURITY STANDARDS
The insurance industry also supports the creation of an independent organization that would be tasked with certifying the security of commonly used software and hardware devices. This initiative would be equivalent to the standards developed by Underwriters Laboratories for the introduction of new electronic devices and components.
Cybersecurity in the Healthcare Industry
WHAT MAKES THE HEALTHCARE SECTOR UNIQUE
Patient data are uniquely valuable to criminals. The cost of purchasing stolen patient records on the cyber black market is approximately ten times the cost of purchasing that same individual's stolen credit-card data, and the records include all data elements necessary to impersonate the victim. Hackers further monetize health records by exploiting weaknesses in the healthcare system, billing fraudulent claims to Medicaid and Medicare, potentially prescribing narcotics, and even filing fraudulent tax returns.
Perhaps the most interesting evolution in the cyber threat facing the healthcare industry is the rise of the nation-state threat. Governments of other countries direct their cyber warriors to hack into hospitals and health insurers to steal medical records. It's likely that nation-state actors are stealing patient data to build databases on American citizens for espionage activities.
Insider threats are particularly insidious in the healthcare sector. Healthcare data processors say malicious insiders account for just about 10 percent of data breaches but are the root cause of double the percentage of medical-identity thefts. Accidental insiders cause more, albeit smaller, breaches.
The number of individuals who have access to data during a healthcare transaction represents another point of vulnerability. Even a routine visit to the doctor exposes medical data to a dozen people or organizations as diagnostic and billing information makes its way through various systems. Each hand represents another potential point of vulnerability or attack.
CHALLENGES FACING THE NEW ADMINISTRATION
Two major laws governing healthcare cybersecurity practices are not functioning as intended. The massive 2013 omnibus rule updating HIPAA, mandated by the HITECH Act, has failed to have the desired effect of making the healthcare industry more secure. In the years since its implementation, massive health-payer data breaches have occurred.
Moreover, the regulations take a retributive approach to cybersecurity, punishing organizations that get breached. Breaches spawn audits, and audits spawn punitive outcomes in the forms of substantial fines and other penalties, regardless of how much time and money was put into trying to prevent a breach.
The cost of security is a great obstacle for healthcare organizations. Large organizations have the ability to fund teams dedicated to both implementation of security best practices and regulatory compliance. Small practices have minimal resources. While all organizations must abide by the same rules and regulations, not all have equivalent access to the financial resources and expertise necessary to comply. The high cost of compliance, and the higher cost of failure, further exacerbates the problem.
The doctor-patient relationship is unique—patients are unlikely to abandon their medical provider over a data breach, so there is little incentive beyond regulatory consequences to spend time and effort defending against potential breaches.
The proliferation of technology in healthcare is another obstacle. Like most disruptive technologies, the uses for mobile-enabled practice management systems multiplied long before any serious thought was given to securing the technology.
Escalating ransomware attacks on the healthcare industry create another challenge. For now, ransomware attacks appear unconnected to data theft. But given the real value of patient data, whether stolen for exploitation or resale, ransomware will become the second jab of what are really one-two punch attacks.
Possible cyber-terrorist attacks against newly networked medical devices coming onto the market could cause significant disruptions, some even fatal. Life-sustaining devices once isolated away from public networks are now exposed to them. Medical equipment is now part of the mix of databases and hard drives once thought impervious to hackers.
There’s also a lack of urgency within the healthcare industry. The idea that medical data had value to criminals is novel, and it took significant healthcare data breaches to convince the industry to get serious about committing resources to secure itself against cyberattacks.
INCENTIVIZE HEALTHCARE TO IMPLEMENT BEST CYBERSECURITY PRACTICES
Healthcare needs a shift in focus away from prescriptive regulation toward regulation that encourages security best practices. An incentive-focused regulatory approach would encourage more healthcare companies to invest in necessary protections for information assets, possibly even driving broad adoption of the controls necessary to solve the aforementioned data problems. What's needed is a sliding scale of liability protection on the basis of a company's progress toward implementing an objective set of practices. The NIST Cybersecurity Framework, and the process used to develop it, could provide a good starting point for determining those practices.
The system should allow a company to accrue credits tied to its investments in security that it could use against future audits and fines in the event of a breach. This could be taken further by also offering modest tax incentives for certain high-value, but often-overlooked, security best practices, such as employee awareness training.
REDUCE REGULATORY COMPLEXITY
Congress should pursue legislation that harmonizes privacy, security, and information-risk-management requirements to eliminate the complex patchwork of regulations. It should also streamline the HIPAA audit requirements put into place by the HITECH Act. Audits drain resources from security budgets. Passing an audit, combined with proof of ongoing investment in cybersecurity, should result in a less strenuous audit the next time around, a HIPAA-Lite version as it were, or a longer interval between audits.
REPLACE SOCIAL SECURITY NUMBERS AS A PATIENT IDENTIFIER
Congress should remove the language placed annually in federal spending bills that prohibits the Department of Health and Human Services from using any federal funds to promulgate or adopt a unique patient identifier standard. Technology has provided alternatives to a numeric or alphanumeric identifier, and the government does not need to be the arbiter of the identification solution.
USE SECURITY AS A FACTOR OF REIMBURSEMENT
Congress should allow the Centers for Medicare and Medicaid Services to use security as a factor in reimbursement. Similarly, improving an organization's cybersecurity readiness should be considered a recognized activity under the clinical practice improvement performance category of the Merit-based Incentive Payment System created by the Medicare Access and CHIP Reauthorization Act.
Cybersecurity in the Power Utility Sector
WHAT MAKES THE UTILITIES SECTOR UNIQUE
Over the past decade, the bulk power system has seen improvements and increased investment in resiliency and cybersecurity. However, local power-distribution assets are not only more vulnerable to cyberattack but also more critical to national electricity delivery than previously contemplated.
MARKETPLACE INNOVATION IS LAGGING
While products to protect information technology infrastructure are readily available and mature, there are far fewer products in the marketplace that provide security for the highly connected operational technologies that control physical assets on the power grid.
To add complexity, many power utility executives struggle with the uncertainties of recovering security-related costs and overhead under traditional state ratemaking procedures. Even if utilities funded their normal (i.e., “commercial”) cybersecurity risk adequately, there would inevitably be a gap between the vulnerabilities that can be cost-effectively mitigated and the residual risk posed by sophisticated nation-state powers seeking to disrupt the grid. Utilities, although duty-bound by public-good considerations, are still private-sector businesses that are unlikely to invest far beyond the thresholds of normal commercial risk.
LIMITED INFORMATION TO INFORM CYBERSECURITY DECISIONS
Exacerbating the situation is that utility asset vendors sell closed-source devices and software solutions, which typically come bundled with significant contractual prohibitions against tampering or reverse engineering. This prevents utilities from undertaking the analysis that would allow them to verify the integrity of the hardware and software they purchase.
CHALLENGES FACING THE NEW ADMINISTRATION
A GRID THAT IS BECOMING INCREASINGLY DIFFICULT AND COSTLY TO DEFEND
For the past fifteen years, the electric power industry, with significant support from government, has invested heavily in making the distribution system smarter, more efficient, and more connected. Smart grid technologies have been incentivized and implemented with little regard for the increased cyber risk. Equally concerning is that utilities are sourcing advanced technologies and products from multiple vendors with little or no ability to properly assess supply-chain risks.
CREEPING POSSIBILITY OF A TERRORIST ATTACK
The possibility of terrorist attacks will grow. The level of sophistication required to effect widespread damage to the grid has typically suggested that only nation-states will be effective. However, a growing community of postnational actors is being contracted by states as an extension of their offensive capabilities, which is creating an international marketplace for sophisticated disruption capabilities.
ENHANCE INFORMATION SHARING BETWEEN UTILITIES AND THE FEDERAL GOVERNMENT
Greater federal government transparency in managing data will foster trust and confidence in relationship building and communication. The next president should instruct the existing utility industry sector coordinating council and the corresponding government coordinating council established under the National Infrastructure Protection Plan to engage on these information sharing issues and report back to the administration within three months on their plan to create greater clarity and transparency regarding information sharing within the sector, including any legislative adjustments that may be needed.
REFORM THE CLEARANCE ATTAINMENT PROCESS FOR PRIVATE SECTOR EXECUTIVES
Long processing times and an insufficient number of security clearances being made available are significantly hindering the utility industry's ability to support the US cybersecurity mission. The next president should instruct DHS to coordinate among the clearance-granting agencies and develop an expedited “TSA PreCheck” style system to enable already cleared individuals to maintain their clearances more easily, and generally modernize the clearance process to include clearances that transfer from department to department.
ENSURE DOE REMAINS THE PRIMARY LIAISON BETWEEN UTILITIES AND THE FEDERAL GOVERNMENT
While DHS plays a critical role as utilities face cybersecurity challenges, the Department of Energy remains best suited as the main point of contact due to decades of working to provide meaningful, contextual, and actionable analysis. The next president and Congress should consider amending the Cybersecurity Act of 2015 to expand the benefits currently granted for sharing information with DHS to other appropriate agencies such as Energy.
CATALYZE AND ACCELERATE THE DEVELOPMENT OF THE PRIVATE CYBERSECURITY INSURANCE MARKET
Cybersecurity insurance is an undervalued tool and critical to the future safeguarding of utilities, but to date the market has focused on data-breach fallout. To expand coverage, the administration and Congress should replicate the success of the Terrorism Risk Insurance Act to create a similar reinsurance backstop for cyberattack-caused real-world damage to utilities and their customers.
PROMOTE INNOVATION THROUGH GOVERNMENT GRANTS
Initiatives such as Rapid Attack Detection, Isolation and Characterization Systems at DARPA and Cybersecurity for Energy Delivery Systems at Energy encourage investment in commercial products by appropriately reducing risk for potential vendors and helping bring together all relevant stakeholders. These programs should be continued and expanded.
INCREASE CYBERSECURITY FOCUS OF STATE-LEVEL REGULATORS AND LEGISLATURES
The federal government should pass a cybersecurity “states-must-consider” law so that states must demonstrate they have considered appropriate cost-effective cybersecurity standards for their electric utility ratemaking proceedings. Doing so will effectively increase the focus on distribution cybersecurity at the state level without imposing new regulations on distribution utilities.
ENCOURAGE PUBLIC-PRIVATE COLLABORATION TO MANAGE VENDOR RISKS
Vendors must play their part in the security of the grid. A new balance needs to be struck between the commercial needs of vendors, who would prefer not to reveal the workings of their products, and the needs of electric utilities both to ensure assets are not prepackaged with malware and to understand better how assets would behave if they were controlled maliciously. Solving this requires a dialogue between utilities, vendors, and the government to evaluate possible solutions that cost-effectively increase confidence in US grid assets and help utilities prepare for cyberattacks. The Obama administration's proposal for a National Center for Cybersecurity Resilience, where companies could test the security of systems under controlled conditions, is a good start in this direction. So is the Federal Energy Regulatory Commission's proposed rule regarding supply-chain risk management. The government and utilities themselves could play a valuable role in incentivizing vendors to adopt the Underwriters Laboratories model, which would ensure that all vendor products are rigorously and transparently inspected against baseline cybersecurity standards.
CYBERSECURITY IN TELECOMMUNICATIONS
WHAT MAKES THE TELECOMMUNICATIONS SECTOR UNIQUE
The global telecommunications sector is a mix of government, former government, and commercial operators. The networks are a critical part of the business infrastructure and increasingly seen as part of the critical national infrastructure. They deliver services for customers but also wider benefits for society.
The telecommunications industry stores, manages, and transports a vast amount of valuable data for individuals and society, digital commerce, and critical national infrastructure.
The threat from cyber actors is increasing in sophistication, persistence, and variety, and the risks posed are not easily mitigated. Cybersecurity needs to be multidimensional, transcending the risk management and response capabilities of any single enterprise, industry, or government. The damage inflicted by successful cyberattacks is not just financial and commercial but can also lead to long-term reputational damage and regulatory action. Customer confidence is crucial. Customers need to know that their data are safe, to understand how companies will use these data, and to understand the basis on which the government can obtain access to them. Customers need to trust service providers to behave responsibly in this regard. Telecommunications is a regulated business. Service providers are required to give governments access to customer traffic and data in accordance with licensing regulations and the laws of the jurisdictions in which they operate. Our policy is clear: telecommunications companies should not hand over customer data unless they are lawfully required to do so.
CHALLENGES FACING THE NEW ADMINISTRATION
MAINTAINING TRUST BETWEEN BUSINESS, GOVERNMENT, AND SOCIETY
We need to align the interests of customers with those of business and government. The experience of Apple versus the FBI might suggest that the interests of industry, government, and society are divergent. We would argue absolutely not. It is about reaching an agreed compromise, a question of balance not absolute choices. Crucially it is about trust and transparency.
REGULATION LAGS BEHIND GLOBALIZATION AND THE PACE OF CHANGE
In a globalized information economy, telecommunications companies will often deliver products and services using centralized platforms and infrastructure located across multiple jurisdictions. Regulations that unduly restrict the cross-border transfer of personal and machine-generated data are likely to impede service delivery and distort investment decisions.
The speed of technology change challenges existing regulation. Services come and go rapidly and the development cycle is shortening.
Legislation should clearly state the purpose of access and offer clarity about the types of government agency that can require access to customer data, along with the process by which that data can be obtained. The process should be auditable, and it should be possible, through that audit, to verify that only the lawful system is being used.
THE NEED TO KEEP UP WITH THOSE WHO THREATEN OUR NETWORKS
The scale and changing nature of the challenge are disrupting industry attempts to build internationally compatible safeguards and making it more difficult to have a mature debate with customers about privacy and security.
INCIDENT REPORTING AND INFORMATION SHARING
Following an incident, everyone needs to be clear and precise about what has happened, but government decisions about incident notification and public disclosure of major incidents (or audits) should not be allowed to disrupt or undermine industry attempts to mount an appropriate and proportionate response.
For the industry to make meaningful headway on standards and standardization, we need to see more intergovernment coordination on standards work to deliver globally accepted outcomes that strike at the heart of the issues.
The telecommunications industry also requires a legal and regulatory framework to promote and uphold technology neutrality and provide a legal framework to encourage investment in future-capable networks that will carry exponentially growing data in virtualized cloud-based environments.
TAKE A LIGHT HAND WITH REGULATION
Government needs to lead and support national and international conversations required to find the appropriate balance between the need to protect the privacy of the individual and the need to ensure the collective security of society. Policy and regulation must be developed with the specific needs of the enterprise sector in mind rather than as a by-product of regulation designed for consumer needs.
BROADEN THE VISION OF THE PUBLIC-PRIVATE PARTNERSHIP BETWEEN TELECOMMUNICATIONS AND GOVERNMENT
In the digital age, private companies are on the front line of defense when it comes to cyber threats. Many attacks are not launched at telecommunications companies but through them, in some cases against government or national-security targets. Third parties may struggle to manage the impact of high-level attacks if their prevailing business models don’t allow for further investment in cybersecurity. In these situations it might be cost effective for government to use telecommunications companies to provide enhanced security where further investment is needed to reduce the impact of high-level threats, providing a broader common level of defense that is beyond the reach of some organizations but ultimately in the national interest.
CYBERSECURITY AND THE INFORMATION TECHNOLOGY INDUSTRY
WHAT MAKES THE IT SECTOR UNIQUE
In the digital age, virtually all sectors rely on the IT sector, and no industry has escaped transformation because of IT innovations. The Internet changed virtually every aspect of modern life. Approximately 12 percent of global trade is conducted via international e-commerce. Even the political process has changed because of social-media interactions.
Computing power doubles roughly every two years, and interconnected devices communicate and deliver instructions and intelligence to machinery, creating the Internet of Things and amassing huge amounts of data. However, this growth in attack surface creates ample opportunities for security breaches and the misuse of personal information, and the consequences will be felt by all sectors, not just IT.
These same innovations also create ample opportunities for advances in cybersecurity technologies. Development of products with artificial intelligence and the use of machine learning gives us the ability to prevent, predict, detect, and respond to attacks as never before.
However, do not mistake improved technical abilities for a true solution to the bad state of computer security. The challenges are embedded in policy and management. The IT industry has flourished in a generally unregulated environment, which has been essential to its historic growth and productivity. An unhappy by-product of this growth is a system prone to outside attacks. The sector must find a mechanism to secure itself sustainably without killing innovation.
CHALLENGES FACING THE NEW ADMINISTRATION
INTERNET OF THINGS
In the IoT, humans are the ultimate thing and will generate multitudes of personal data. We know better than to create this world without securing it first, yet we continue to do so.
CYBER WAR AND TERRORISM
Even absent direct escalation into a shooting war, cyberattacks will cross the plane from bits to atoms and become kinetic in the damage they cause.
Intellectual property theft is an act of economic war and harms drivers of global economic growth.
PROPOSALS FOR BACKDOORS
Adoption of proposals to build encryption backdoors into IT products for law-enforcement and intelligence communities would benefit adversaries, provoke legitimate privacy concerns among citizens, and further deteriorate trust between the United States and world community.
Government systems repeatedly fail at security. Federal information technology infrastructure is obsolete, yet government continues to spend resources on legacy systems rather than funding upgrades.
We cannot seem to navigate the legitimate concerns of privacy groups about what information can be shared and of the business community about legal liability. Moreover, liability protections are available only for sharing through DHS and not through other entities industry might prefer, such as the FBI.
Trust and cooperation between IT and government is at an all-time low. This will persist so long as government continues to threaten industry.
Forty-seven states plus the District of Columbia maintain separate laws for data-breach notification, creating an undue burden on industry and increasing costs for notification of breaches.
CREATE A CABINET-LIKE POSITION TO UPGRADE CIVILIAN IT AND SECURITY INFRASTRUCTURE
Given the importance of IT in the running of our government, the need to manage and secure critical infrastructure, and the ongoing productivity benefits of continued innovation, appointing a cabinet-level position to manage an IT transformation should be one of the highest priorities for the next administration. The position needs full authority and funding.
Government should work with colleges and universities across the country to obtain a steady flow of recruits for cybersecurity positions by providing scholarships to students willing to commit a specified number of years in government cybersecurity positions.
INCREASE AND IMPROVE INTERNATIONAL LAW ENFORCEMENT AND COOPERATION TO PREVENT CYBER WAR AND TERRORISM
This should start with the president instituting a full review of national law enforcement spending to assure that fighting digital crime is far better resourced. The commander-in-chief should also initiate a concerted process to modernize international law and procedures with respect to clarifying criminal laws internationally.
INCREASE GOVERNMENT RESEARCH AND DEVELOPMENT FUNDING FOR RISKY TECHNOLOGY RESEARCH
Rather than routinely cutting research and development funding, the United States should emulate what our competitors abroad are doing by providing increased government support for basic IT research and general-purpose digital programs.
Collaboration between the public and private sectors to test the effectiveness of the NIST Cybersecurity Framework is needed to define what using the framework entails. By testing the framework, cost-effective aspects will be discovered. Cooperation would also allow the Enduring Security Framework to be reenergized and expanded to include allies.
LAW ENFORCEMENT SHOULD STOP PUSHING THE “GOING DARK” NARRATIVE
New enabling capabilities for the IoT and advancements in computer power and storage capacity for big-data applications can be used by law-enforcement, defense, and intelligence communities in lawful ways. Law enforcement should spend more energy in adjusting their investigative techniques to this new world than fighting the inevitable onset of encryption, which is good for cybersecurity by preventing data theft and cyber espionage.
WINNING THE CYBER-TALENT WAR: STRATEGIES TO ENHANCE CYBERSECURITY WORKFORCE DEVELOPMENT
EXAMINING PROGRESS TO DATE IN EFFORTS TO STRENGTHEN THE CYBERSECURITY WORKFORCE
A PARTNERSHIP FOR BUILDING THE FUTURE PUBLIC-SECTOR WORKFORCE—THE SCHOLARSHIP FOR SERVICE PROGRAM
Funded by the National Science Foundation and operated in partnership with DHS, the CyberCorps: Scholarship for Service program has demonstrated significant impact in encouraging students to pursue cybersecurity careers and creating a pipeline of talent for the public sector.
NATIONAL CENTERS OF ACADEMIC EXCELLENCE IN CYBER DEFENSE
This program sets criteria and maps curricula to assist institutions in building effective cybersecurity education and research programs, helping to establish a national framework for cybersecurity education. All four-year baccalaureate, graduate, and two-year institutions are eligible.
PRESIDENTIAL INNOVATION FELLOWS
The fellows program is designed to attract early-career IT professionals and engage them in short stints in government. While not focused exclusively or even predominantly on cybersecurity, the Presidential Innovation Fellows program provides a window on a future in which an improved flow of critical cybersecurity talent could be a vital resource for meeting major short-term challenges and raising the overall level of skills in the cyber workforce.
NATIONAL GUARD AND MILITARY RESERVE CYBER OPERATIONS
Regional centers being developed by the National Guard and Reserve are creating a nexus of talent within states and cities that draws on professionals engaged in industry and academia who can be mobilized to support government needs in the case of major incidents.
ENGAGING VETERANS IN CYBERSECURITY CAREERS
A number of promising initiatives have also been launched in the last few years to focus cybersecurity education on veterans. These efforts include specific outreach and degree programs—including those launched by the state of Virginia and boot camp programs launched by companies such as PricewaterhouseCoopers, among others.
INITIAL STEPS TO NURTURE CYBERSECURITY CAREER PATHS FOR YOUNG AMERICANS
As part of the National Initiative for Cybersecurity Education (more often known as NICE), federal agencies collaborate to strengthen K–12 student and teacher engagement. One of the leading examples of this effort is the GenCyber initiative supported by NSF and the NSA. GenCyber supports collaborations with academic institutions to conduct cybersecurity summer camps for students and teachers.
SHAPING AN AGENDA FOR THE NEW ADMINISTRATION: PRINCIPAL BUILDING BLOCKS OF AN EFFECTIVE NATIONAL CYBER WORKFORCE STRATEGY
FOCUS A NATIONAL INITIATIVE ON BUILDING THE TALENT PIPELINE
Attracting students into the federal government must be augmented by an aggressive strategy to build the pipeline of interest in earlier grade levels. This will require a broad range of engagement with K–12 education that includes classroom initiatives, expanded teacher education, and after-school competitions to spark interest.
EMBRACE THE POSITIVE ELEMENTS OF THE HACKER DYNAMIC
Hackers are ultracurious, highly imaginative professionals who are able to spot even the most hidden vulnerabilities in systems. Meeting the nation’s cybersecurity talent needs will require nurturing the natural curiosity and imaginative creativity that defines the hacker experience.
CREATE NEW VEHICLES FOR INDUSTRY, GOVERNMENT, EDUCATION COLLABORATION
While policies to date have focused on the needs of the federal government, the national cybersecurity workforce is a challenge for the private sector as well. Opportunities must be explored to foster closer coordination among government, industry, and the higher-education community as the nature of the cybersecurity challenge evolves.
POLICY RECOMMENDATIONS FOR A NEW NATIONAL AND FEDERAL CYBERSECURITY WORKFORCE
INTENSIFY INITIATIVES TO CREATE A CYBER-AWARE GENERATION
Incorporating basic cybersecurity education into curricula at all education levels and work experiences would enhance this first line of defense. Along with this effort, we need to invest in research and applied development of innovations that continue to make security and privacy easier for consumers.
DEVELOP A CORE CYBERSECURITY CURRICULUM THAT CAN BE ADAPTED AND APPLIED AT ALL EDUCATION LEVELS AND START BUILDING CYBERSECURITY INTO STEM PROGRAMS
Recognizing the importance of cybersecurity as a fundamental element of STEM education will also enhance the growth of programs and stronger student interest.
ENGAGE INDUSTRY AND THE HIGHER-EDUCATION COMMUNITY IN COMMITMENT TO TRAIN ONE HUNDRED THOUSAND HIGH SCHOOL AND MIDDLE-SCHOOL TEACHERS IN BASIC CYBERSECURITY EDUCATION IN THE NEXT FIVE YEARS
This component can tap the development of new online and gamification tools that have the potential to significantly improve the ability to bring cost-effective education resources to schools throughout the nation. Carnegie Mellon has had success with picoCTF, and nationwide adoption of this model, specifically aimed at educators who can run their own versions of the contest, could have an exponential impact.
USING THE FIRST ROBOTICS LEAGUE AS A MODEL, ADVANCE A NATIONAL STRATEGY FOR MIDDLE-SCHOOL AND HIGH-SCHOOL HACKING CONTESTS TO EXCITE THE NEXT GENERATION OF CYBERSECURITY PROFESSIONALS
Now in its twenty-fifth year, FIRST reaches seventy-five thousand students around the world each year and provides a broader portal to STEM careers. A national hacking contest initiative can have a similar impact.
EXPAND THE SCHOLARSHIP FOR SERVICE PROGRAM AND FOSTER EVEN DEEPER CROSS-INSTITUTIONAL COLLABORATION
The proposal to increase the number of institutions in the program is a valuable component of a talent initiative. One model for such an effort is the Cyber Stakes program, which has fostered collaborative education and exercises between Carnegie Mellon and service academies.
EXPLORE CREATION OF A CYBERSECURITY ROTC PROGRAM
A cyber-specific ROTC-like initiative would underscore the sense of national mission that is vital to addressing the environment for strengthening the cybersecurity talent pipeline. A key to this effort would be to create a strong network among institutions operating this program to ensure that the development of these students included both deep technical and operational experiences.
Additionally, consideration should be given to developing a “2+2” model for this effort, in which a student with a potential interest in cybersecurity receives a modest financial-aid supplement in the first and second years. At the end of the second year, these students (and any other students in the program) can apply for acceptance into a program that fully funds their tuition during the third and fourth years, if they commit to a cybersecurity minor in addition to their computer science or electrical and computer engineering major. In return, the student would be required to sign up for three years of service in a government cybersecurity position.
CREATE NEW MECHANISMS FOR INDUSTRY, GOVERNMENT, HIGHER EDUCATION COLLABORATION
One strategic approach to fostering these new mechanisms would be to support the development of regional test beds for collaboration on the emerging Internet of Things. These test beds could focus both on innovation in cyber applications and advancing opportunities for formal education programs as well as ongoing training initiatives.
CYBERSECURITY IN THE FOOD AND AGRICULTURE SECTOR
WHAT MAKES THE AGRICULTURE SECTOR UNIQUE
Whether it’s networked off-road equipment and machinery, high-tech food and grain processing, radio-frequency-ID-tagged livestock, or global-positioning-system tracking, the agriculture sector depends on information systems to sustain and improve operations, competitiveness, and profitability.
Wringing out even more efficient yields is a global and domestic necessity. Population growth and rising living standards will increase future demands for agricultural products. Breadbasket countries like the United States need to find sustained growth in yields and more efficient ways to farm to meet these demands. Without making use of remote sensing and computer science, significant increases in agricultural yields will be impossible.
Embracing technology comes with risks, and the sector finds itself targeted as never before, thanks to its intellectual property being coveted by foreign competitors and hacktivists. Until recently, most food and agriculture companies did not invest in cybersecurity defense and were lax in fortifying their infrastructure and developing sound cybersecurity practices. That’s beginning to change.
The delay in grasping the threat wasn’t limited to the private sector. In 2010, two federal oversight agencies, USDA and FDA, classified cybersecurity as a low priority. However, in 2015, the agencies reversed course.
This past lack of urgency in the agriculture sector was a mistake, as it missed its chance to get ahead of the threats. All sectors of critical infrastructure are interlaced with dependencies, but the biological requirement of food is arguably at the root of them all. An extreme, coordinated cyberattack on agricultural companies would have human and financial consequences.
CHALLENGES FACING THE NEW ADMINISTRATION
Between the seed seller and the supermarket shopper lies a huge, complex, and volatile supply chain, one of the most complex worldwide. Its components are vastly different in size and sophistication and compete in an economy that optimizes for the lowest possible cost. This level of diversity and size, combined with small budgets for overhead, isn’t the best recipe for robust cybersecurity since it results in huge disparities among individual components. As a result, the agriculture sector will be confronted with the same weakest-link problem facing other sectors.
Agricultural production and operations will only increase their dependency on software and hardware vulnerable to cyberattack. Smart farm machinery will handle many of the labor-intensive and repetitive jobs still requiring manual work. Smarter, more robust automation will expand into food processing as machines become better able to deal with irregular size, shape, and quality-control problems.
This new level of connectivity creates vulnerabilities that the sector hasn’t fully contended with, especially not in the operational environment. Foreign nations are trying to obtain American agricultural technology illegally, particularly data on genetic engineering, improved seeds, and fertilizer, as well as information related to organic insecticides and irrigation equipment. While most recent cases of intellectual property espionage were carried out the old-fashioned way, it’s naive to assume cyber espionage will not become a major element of commercial espionage.
Prospects of agroterrorism also concern the sector. A sophisticated terrorist attack could wreck America’s status as a trusted food exporter and undermine domestic confidence in the food supply chain. The sector’s growing digitization brings with it new opportunities for terrorists to attack places that previously have been too remote or difficult to strike. Cyber terrorism is a relatively low-cost venture with high payoff potential, making the risks of agroterrorism too large to ignore.
Neither branch of government gives food and agriculture cybersecurity the attention it demands. While new regulations from the federal government are not necessary, agencies that interact with the sector should recognize cybersecurity for the priority issue it is. The FDA and USDA should start educational programs promoting good cybersecurity practices among sector industries.
There is no congressional subcommittee charged with food and agriculture cybersecurity oversight, or with communication technology’s new dominant role in the sector’s growth. Subcommittees within the full House and Senate agriculture committees must be assigned this task.
DEFINE WHAT CONSTITUTES A NATION-STATE ATTACK AGAINST THE AGRICULTURE SECTOR
Despite widespread attacks by foreign powers, the federal government has yet to define at what point a cyberattack constitutes an act of war or what type of defense it will offer against such attacks. Nor has it updated and adjusted its defense spending in light of this modern threat.
Increasing cybersecurity will cost money, and finding the additional funding will not be simple for the sector, since it is governed by tight margins and faces a highly competitive world market. Federal involvement in correcting food and agriculture market failures goes back to the New Deal, and this is a new market failure that needs correction. Loan forgiveness or grants tied to cybersecurity practices measured against benchmarks such as the NIST Cybersecurity Framework should be implemented, as should new or modified incentive programs for standards, practices, and technologies that are not cost effective but are necessary for national security.
IMPROVE INFORMATION SHARING
Agricultural cybersecurity information sharing lacks a center. The sector needs a dedicated cyber-threat information-sharing mechanism, designed for chief information security officers at large corporations, industry associations, and agricultural cooperatives. For smaller, individual enterprises, this mechanism should provide the option of automated updates to threat-protection software. There are plenty of data exchanges dedicated to various threats, such as food-borne illnesses or crop diseases, but cyber gets lost.
CYBERSECURITY IN THE MANUFACTURING SECTOR
WHAT MAKES THE MANUFACTURING SECTOR UNIQUE
Manufacturers are the creators, users, servicers, and installers of the Internet of Things. This technology is creating enormous opportunity and driving transformative change. It has made all manufacturers into technology companies.
The days of interacting with the customer only during a single transaction are over. Connected technology enables manufacturers to provide real-time performance monitoring and usage patterns for their customers throughout the entire lifespan of a product. A tire manufacturer won’t just sell tires but a package to reduce costs through sensors that collect data on fuel consumption and tire pressure.
While connected technology drives innovation in the manufacturing sector, it also creates new challenges. Manufacturers are now the first line of defense in securing our nation’s most critical online assets. They place cybersecurity at the highest priority level.
One of the primary targets for cyberattack inside the manufacturing ecosystem is industrial control systems. This is the class of computers that help manage the shop floor. ICS are configured in growing numbers to be reachable through the Internet, including systems retrofitted with modern networking capabilities.
Even when companies take measures to secure their Internet-addressable ICS, they often link their factory production and enterprise information technology networks. That connection brings benefits such as increased productivity, but a new class of malware is exploiting those links to target ICS, likely for espionage.
CHALLENGES FACING THE NEW ADMINISTRATION
THE IOT IS GOING FASTER THAN SECURITY CAN KEEP UP
Many IoT devices will possess minimal processing power. That is the nature of the thing—ubiquitous and cheap devices everywhere whose power comes through networking. As a result, many devices may not have capability for basic cybersecurity best practices, such as encryption and operating system updates. Even where capacity exists, manufacturers might not find it economical to patch devices made on a slim margin in a market relentlessly focused on the next generation of products.
Only the government tops the manufacturing sector as a victim of cyber espionage. Espionage isn’t just a matter of lost revenue. It’s a threat to economic security with implications for national security.
INDUSTRIAL CONTROL SYSTEM SECURITY IS UNDERRATED
Attackers seeking to disrupt industrial processes don’t need to exploit an underlying software vulnerability, the way sophisticated hackers do when attacking enterprise IT systems. They simply need to gain access to the ICS network (perhaps through the corporate IT network) and use the control functions the ICS itself exposes, which typically accept commands without authentication, to manipulate the process into failure. No further hacking required.
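What “no further hacking required” looks like on the wire, as an added example that is not part of the original report: Modbus/TCP, one of the most common shop-floor protocols, carries no authentication, so any host that can reach the PLC’s TCP port 502 can issue the same write commands the engineering workstation uses. The script below parses constructed Modbus/TCP frames (the MBAP header and the start of the PDU) and flags write function codes that do not originate from an allow-listed engineering host. The IP addresses, register numbers and the allow-list are hypothetical; the frame layout and function codes follow the public Modbus application and TCP/IP specifications.

```python
"""Flag unauthenticated Modbus/TCP write commands in captured traffic.

Modbus/TCP frame = MBAP header (7 bytes) + PDU (function code + data).
The protocol has no authentication field at all: whether a write is
legitimate can only be decided from *where* it came from, which is
exactly what an attacker on the same network segment can imitate.
"""
import struct

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

# Function codes that change PLC state (Modbus Application Protocol V1.1b3).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request; length counts unit id + PDU bytes."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and the address fields of common PDUs."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[MBAP_LEN]
    pdu = frame[MBAP_LEN + 1:]
    rec = {"tid": tid, "unit": unit, "fc": fc, "write": fc in WRITE_FUNCTIONS}
    if fc in (0x05, 0x06) and len(pdu) >= 4:          # address, value
        rec["address"], rec["value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (0x0F, 0x10) and len(pdu) >= 5:        # address, count, bytes
        rec["address"], rec["count"], _ = struct.unpack(">HHB", pdu[:5])
    return rec


def audit(packets, allowed_writers):
    """Return (src, dst, function code, address) for every write that did
    not come from an allow-listed engineering host."""
    findings = []
    for src, dst, frame in packets:
        rec = parse_modbus_tcp(frame)
        if rec["write"] and src not in allowed_writers:
            findings.append((src, dst, rec["fc"], rec.get("address")))
    return findings


# Constructed sample capture: (source IP, destination IP, frame). Hypothetical
# addresses; 10.0.2.5 plays the PLC, 10.0.1.10 the engineering workstation.
PLC = "10.0.2.5"
ALLOWED_WRITERS = {"10.0.1.10"}
SAMPLE_PACKETS = [
    # Legitimate: engineering host writes setpoint 100 to holding register 16.
    ("10.0.1.10", PLC, build_frame(1, 1, 0x06, b"\x00\x10\x00\x64")),
    # HMI reads 10 holding registers starting at 0 (read-only, not flagged).
    ("10.0.1.20", PLC, build_frame(2, 1, 0x03, b"\x00\x00\x00\x0a")),
    # Unknown host writes 0xFFFF into registers 0-1: accepted by the PLC
    # exactly like the legitimate write above, no exploit involved.
    ("10.0.1.99", PLC, build_frame(3, 1, 0x10,
                                   b"\x00\x00\x00\x02\x04\xff\xff\xff\xff")),
]

if __name__ == "__main__":
    for src, dst, fc, addr in audit(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT %s -> %s: %s (0x%02x) at address %s"
              % (src, dst, WRITE_FUNCTIONS[fc], fc, addr))
```

The PLC cannot tell the third frame from the first; only the network can, which is why the practical controls for this class of attack are segmentation, an allow-list of hosts permitted to write, and monitoring of the kind sketched here rather than patching.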
The Department of Homeland Security stood up in 2009 the Industrial Control Systems Cyber Emergency Response Team in recognition of this challenge, but the years since have proved disappointing. Its main output is further transmitting alerts already widely available to industry.
INCENTIVES FOR IMPROVING CYBERSECURITY
Small- and medium-sized manufacturers in particular face bad economics when it comes to achieving a level of cybersecurity robust enough to stand up to nation-states, manufacturing’s main cyber threat. This gap between commercially sustainable levels of cybersecurity and what’s necessary to counteract foreign adversaries isn’t just a market failure. It’s the space that federal government was designed to fill by dint of its constitutional charge to provide for the common defense.
What’s necessary is a public-private partnership that uses economic tools to encourage investment beyond ordinary levels of commercial cybersecurity spending. Specifically, the government should complete the task begun with creation of the National Institute of Standards and Technology Cybersecurity Framework in determining what the most cost-effective elements of cyber defense are.
FUND IOT SECURITY RESEARCH
No amount of incentives can overcome a key characteristic of the Internet of Things: ubiquity of cheap computers with minimal computing power. The ability to seed the environment with cheap computers is what makes the IoT possible.
This is an irreducible problem that requires a different approach to cybersecurity, one premised on building secure systems from insecure components. This isn’t a new notion, but it’s one that needs urgent revitalization. The National Science Foundation, the Defense Advanced Research Projects Agency, and the research arm of the Department of Homeland Security should make funding research into this a priority.
ICS-CERT SHOULD BE STRENGTHENED
The Industrial Control Systems Cyber Emergency Response Team needs to enhance its focus on the development of best practices and on research. The organization’s outreach to the manufacturing sector should also be improved.
“We tend to count things—how many alerts, how many advisories, how many incidents do you respond to,” said ICS-CERT director Marty Edwards in May 2016. “I think we have to get to the point of measuring what impact did we make inside of a company, or how is a sector improving or degrading over time in the cybersecurity area,” he added. The manufacturing sector concurs.