It’s Time to Take Cybersecurity Seriously

The list is long, and growing: It seems that a week doesn’t go by that some major company or agency isn’t breached for fun or profit. WikiLeaks and Anonymous, once known only to a subset of cyber geeks, are now household names.

The Stratfor hack poured thousands of e-mails into the public domain. Anonymous listened in on an FBI conference call whose purpose was to — crack down on Anonymous. An attack on Sony’s PlayStation Network exposed personal details of 90,000 customers, and left them in the dark about what was going on for days.

In the past five years, the number of reported security breaches has grown from 5,503 in 2006 to 41,776 in 2010, federal auditors wrote in a Government Accountability Office report released Oct. 3, 2011 — an increase of 650%.

The costs paid to date from high-profile breaks such as the infamous RSA breach, VeriSign’s recent admission about 2010 hacks and countless others are nothing compared to what is coming in the not-too-distant future.

In other words: There’s no room for debate about the need for a paradigm shift in the way both business and government approach cybersecurity.

But identifying a need is the easy part. Getting the relevant parties to agree on what to do, and getting that done, is like the proverbial sausage factory. It will take legislation, and laws that accomplish anything meaningful will require a public/private partnership of historical efficiency.

For any legislation to work, I believe we must first create a joint committee composed of representatives and experts from both government and industry. Second, a standard or certification for data security and identity management must be implemented to ensure that confidential and/or sensitive data is not vulnerable to external threats or attacks.

Neither contingency is perfect, but for any significant changes to take hold, efforts must be collaborative, comprehensive and hyper-specific.

Clearly, there are sectors — energy, electricity, shipping, and financial services — whose data and networks are national-security concerns. The tricky part is that it would be too easy (and quite frankly hypocritical) for the U.S. government to say it will cast a watchful eye on U.S. business when its own leadership in providing digital security does not pass muster.

Beyond that, politics tends to creep too easily into these debates, and when the stakes are of the “national security” level, that is simply unacceptable. Consider the so-called implementation of HSPD-12.

Homeland Security Presidential Directive (HSPD) 12 Abstract: There are wide variations in the quality and security of identification used to gain access to secure facilities where there is potential for terrorist attacks. In order to eliminate these variations, U.S. policy is to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). This directive mandates a federal standard for secure and reliable forms of identification.

An admirable directive conceptually, HSPD-12 has in no way thus far lived up to its objective — indeed, in my humble opinion, it is an unqualified, toothless failure.

Compliance was to have been fully implemented by the fall of 2010. We are in the third month of 2012 and nowhere near compliant. There have been no repercussions for recalcitrant government departments, agencies, and other federal bodies that have not complied, and no impetus to force its implementation.

I believe that the core elements of the digital security risk for the U.S. government and business community focus on two primary issues:

  1. Are you properly authenticating a person, and if you aren’t, how do you know that the right person was given access/entitlements to the digital assets?
  2. Are you in control of the digital asset? If data goes outside of the organization’s firewall, how do you ensure its integrity, and further, if you open up “windows” for the data to move outside of the firewall, are you creating additional vulnerabilities to your fortress for viruses/malware/other cyber attacks?

I am emphatic that when it comes to protecting our fortress, both the U.S. government and business community must focus on identity management, access and data entitlement.

Keep data safe and secure behind the firewalls. With a higher percentage of our workforce now teleworking, in addition to the growing trend of employees using personal devices at work, we cannot afford to turn a blind eye to this issue and its inherent risks.

Make no mistake, teleworking and cybersecurity are closely related. An increasingly remote workforce that depends on the Internet for its communications and access to information is finding itself more and more vulnerable with every passing day.

When employees work from home or on the road, they most often use personal devices such as a PC, laptop, tablet or smartphone, which means that sensitive enterprise data and information is not safe behind the enterprise’s firewall, but instead outside of the fortress and quite vulnerable to a never-ending range of security breaches.

Employees who telework must have tools that provide them with a remote user experience identical to the one they have in the office. To truly ensure security, there can be no risk of a cache, file transfer, middleware or other footprint being left on a guest PC. Confidential data and information stored on personal devices, such as smartphones, tablets, laptops, and USB drives, are a liability waiting to happen and an open door for hackers, viruses or other external threats.

For many organizations, adopting data entitlement practices may be the most powerful way to mitigate risks as well as the easiest path through which to address this problem. Gone will be the days of any employee being allowed to access and store sensitive information on personally owned devices.

Most important is that solutions that enable secure remote access should be founded on assuring the identity of an individual, not of a PC, tablet, smartphone or other device.

Once we accept the premise that there is no such thing as perfect security, then collectively, we — government and private business — can work towards our common goal of minimizing data security risk by eliminating vulnerabilities.