By: Larry Clinton, CEO/President
THE NEXT ADMINISTRATION NEEDS TO PICK UP THE PACE – A LOT – ON CYBERSECURITY
The Pentagon’s 2015 annual report says that most DoD systems are subject to low to mid-level cyberattacks and our defense systems are basically subject to compromise whenever an adversary chooses to do so.
If the world’s largest and best-funded military operation is subject to low and mid-level attack, what is reasonable to expect from discount retailers (Target) and movie studios (Sony) or anyone else?
And the bad news is, we may soon look back on these as the good old days.
Our cyber systems are actually becoming technically weaker as the Internet of Things and explosion of mobile devices vastly expand the cyber perimeter. Meanwhile, the attack community – wisely investing in their business – is becoming much more sophisticated, including finding new weaknesses in the core protocols the Internet is based on. The “APT” – the Advanced Persistent Threat – has now become the Average Persistent Threat as the sort of elite attack methods we saw only between nation states and DIB partners a few years ago have now become fairly commonplace throughout the economy.
And, of course, the economics of cybersecurity all favor the attacker. Attacks are cheap, easy and profitable. Defense is mostly reactive, underfunded and misplaced from a cost-benefit perspective.
Despite the fact that our vulnerability is growing at light-speed, cyber policy is developing at a glacial pace.
It took us 6 years to pass a fairly modest information-sharing bill.
We are successfully prosecuting maybe one or two percent of cyber criminals.
Federal acquisition policy is so outdated that some DoD IT systems, including some mission-critical systems, are still using 8-inch floppy disks to store data in 2016.
Two and a half years after the NIST Cybersecurity Framework was unveiled, we still don’t have a single piece of objective evidence that shows it has changed any behavior, or that any such changes have produced a measurable improvement in cybersecurity.
Other elements of President Obama’s visionary 2013 Executive Order on cybersecurity, such as prioritizing the NIST Cybersecurity Framework (critical for smaller companies), demonstrating that it is cost effective, and supporting it with an incentive program – despite being expressly called for in the President’s Executive Order – have not even begun.
Ironically, the U.S. government is by far the leader among western democracies in terms of enlightened cybersecurity. Compared to the backward-looking, blame-the-victim approach still prevalent in Europe, the U.S. is way out in front.
We are way out ahead of other democracies, but we are way behind the attack community and their lead is growing every day – every minute.
American policy makers seem to be treating cybersecurity like it was the Farm Bill. “We’ll get to it in due time.”
Far too many think Congress addressed the “cyber issue” when CISA passed several months ago. Talk about being out of the loop.
While we will be detailing, in the coming weeks, several very specific cyber policies for the next Administration to take up, it is important to understand that the cyber threat is massive and growing quickly.
Whatever the next Administration does on cyber policy, it is vital to emphasize that it needs to be done with far greater urgency than we have been demonstrating.
I promise you the attackers are not going to slow down and wait for us.
15 Years of Cybersecurity Experience and Thought Leadership Culminates in ISA’s Newest Publication:
SOCIAL CONTRACT 3.0
“If you had ten minutes to talk to the next President about cybersecurity, what would you say?”
We asked just that question of our ISA Members, Associates and Friends representing an international coterie of C-level cybersecurity experts and thought leaders. Their answers became Social Contract 3.0, a new book from ISA rich in cybersecurity analysis and leadership across a wide range of topics and sectors.
SAVE THE DATE! We will launch Social Contract 3.0 at our 15 Year Anniversary Conference in Washington, DC, September 15 and 16. The Conference features panels from our experts along with keynote speeches from U.S. Government leaders in Cybersecurity Policy and Legislation.