After months of rumors and floating drafts, a Presidential Executive Order has been announced on cybersecurity. President Obama will be extending his oversight into a world that has been sorely neglected for decades: cybersecurity. In his Executive Order, "Improving Critical Infrastructure Cybersecurity," Obama has outlined the need for policy on a baseline standards framework, information sharing, and critical infrastructure asset and risk identification through a consultative outreach approach. We as security enablers need to do two primary things: 1) improve our resilience to cyber incidents and 2) proactively and quantitatively reduce the cyber threat.
As a security professional with frontline experience for over 27 years, I can tell you that we are in dire need of executive leadership as a country. President Obama has pointed out a number of near-term actions, and while it is a good start, we can and should do more. For starters, and not mentioned prominently in the Order, we need to appoint a new cybersecurity leader of the country. We have had these kinds of officials in the past, and while they may be ultimately capable of guiding the flock to a more secure world, they tend to be incapable of truly enforcing policy or guidelines. They need to have a carrot and carry a stick to be effective, considering minimal impact that has maximum gain; think Pareto's 80/20 Rule.
Critical Infrastructure, defined in the Order, helps identify those systems and networks most critical to our economy and livelihood. However, security of these environments is sorely needed and must include all three primary sources of attack exploitation: 1) passwords and privilege, 2) execution and 3) denial of service. Doing one of the three only addresses part of the problem. For example, just telling everyone to require hard passwords only treats the symptoms. There will always be a mistake made or a new attack technique introduced. You need to address the problem and eliminate passwords as a form of authentication and privilege.
The Order also highlights the need for clearly providing security clearances to those who vitally need sensitive threat information. However, what the administration doesn't know is that the vast majority of the information we need from government to protect these environments doesn't need to be classified; we just need IP addresses, techniques and tools used. If we could openly share this vital information it would immensely help the community. The bad guys have no such handcuffs. I testified in front of Congress on this issue back in 2012 and spoke out about our dire need for information sharing of the threat vectors, tools, techniques and tactics. We need to share this information in real time without worrying about privacy violations.
While not highlighted in the Order, we desperately need a national awareness campaign to elevate the value of strong passwords and of thinking before we click, which is easy to do. The campaign needs to be broad and address all three primary sources of threat targets indicated above.
Another critical area not discussed in detail is the need for international cooperation. All too often our actions fall on deaf ears internationally. We need one unified agreement with nations to respond to attacks.
As part of the framework discussed, we hope a national incident response program will be developed and strictly adhered to. Most government agencies and critical infrastructure providers are woefully neglectful of responding to attacks. We need a unified effort, and we need to share information and attack vectors, tools, techniques and tactics. If we continue to handle incidents the way we do now, we will continually be attacked. The Groundhog Day must end!!!
We also need advanced protective security technologies that will increase the expense to the attacker exponentially. The administration must encourage and reward new technology companies to develop new solutions to achieve our mission to protect and empower.
Weak passwords and authentication are one of the three biggest problems to solve in the security industry, and while there were hints of a national identity management framework, which we agree with, we didn't see much of it in the Order. Many countries already have national programs. We are behind.
With deep expertise surrounding Critical Infrastructure and Key Resources protection, along with Industrial Control Systems and Embedded knowledge, we at Cylance support the initiatives announced by the President. We know that it often takes a village to solve big problems and without support from the top and information sharing from the victims, we can never truly prevent the next major catastrophe.
Now the hard part... execution.