
As expected, President Obama briefly mentioned his cybersecurity proposals to Congress last night. First, I think we should take a moment and appreciate the fact that cybersecurity made it into the State of the Union address to begin with.

Over the past few years, we have seen cybersecurity move from the realm of IT into the boardroom and now onto the political stage. The reason for this is clear: the resiliency, security and safety of the Internet are critical to our economy and the progress of our society as a whole. It is our future.

I believe the spirit and intentions behind the Cyber Intelligence Sharing and Protection Act, known as CISPA, are good. However, the devil is in the details. The proposal itself may be premature without established plans for its implementation.

Big Government, Big Data, Big Problems

Currently, there are various private companies already sharing threat intelligence data with each other, such as the financial services industry through FS-ISAC and the Soltra initiative. Meanwhile, many in the industry wonder what the government would bring to the table in terms of useful data. The U.S. government does not have a particularly stellar record when it comes to developing and maintaining large-scale systems for information sharing.

Beyond developing a system that can handle large amounts of data, the government must also be able to maintain and secure it. If private industry shares information with the government, some of this information could lead to further compromise and embarrassment if it falls into the wrong hands.

Regardless of your stance on Snowden, the fact that information meant to be top secret was so easily exfiltrated by a contractor does not inspire confidence in our own government’s ability to secure its own systems. Along the same lines, in many cases, information that is shared with the government regarding a data breach may also include personal information of customers.

What will the limits of government access to this data be? Before we begin the discussion about what information we can share with the government regarding incidents, we should clearly establish what the government can collect in the first place.

Is Sharing Caring?

Collecting information regarding breaches is one thing, but being able to make use of it is another. The three-letter agencies already lack resources on the cybersecurity front; the additional data and reporting can have a significant impact on their workload.

In addition to reporting and sharing of information, businesses should get help securing their infrastructure in the first place. The current proposals are like trying to solve the problem of traffic fatalities with more ambulances and sharing photos of accident scenes, when what is needed is safer cars and roads and better drivers.

What is the motivation for businesses to implement better security practices in their environments to avoid breaches to begin with? The government should assist businesses with not only information sharing about attacks but also guidance on how to better secure their networks.

Can’t Share What You Don’t Have

A key piece of the proposal hinges on intelligence gathering from businesses that are compromised, which leads us to a “chicken and egg” scenario. Organizations lacking even the most basic security controls fail to gather information from their systems at all. One of the first things the FBI or Secret Service requests when they come on site to assist companies is access to their log data. I have heard horror stories from agents in the field who go on site to discover little to no log collection, or that the data they need has already been dumped.

One promising proposal is the Personal Data Notification & Protection Act: a requirement that risk assessments include logging data for at least the prior six months for all systems containing sensitive personal data. Although we have similar requirements at the state level and in many regulatory compliance frameworks, this would help set a precedent at the national level for businesses to ensure basic logging for incident response.

Although I believe it is great that the President is taking an active interest in cybersecurity, my hope is that real change is made not just in how we respond to breaches, but also in how we can prevent them and decrease our response time to mitigate the damage. The government has an opportunity to help businesses as they struggle to secure their infrastructure, but it needs to focus more effort on education and awareness.