Are we serious about cybersecurity? Here's a test to find out.
When the cover story for the January 2012 issue of Popular Mechanics is entitled, “Digital spies: How China’s secret war threatens our economy, national security – and you,” it is evident that awareness of the cyber threat has gone mainstream. Unfortunately, after reading the latest strategy document from the Department of Homeland Security, entitled the “Blueprint for a Secure Cyber Future,” we need a reality check on whether our current response is up to the challenge.
It is unfortunate that as a country we don’t seem to muster enough political will to solve a problem until after a crisis occurs. We are currently facing many, many challenges – from the federal deficit to energy policy to aging infrastructure to cybersecurity – where easy answers no longer suffice. In IT, we face daunting problems related to authoritative data sources, electronic discovery, data quality and anomaly detection. Here again, easy answers no longer suffice.
2011: The year of the breach
DHS outlines goals for securing critical infrastructure
We will either get serious and do the hard work necessary to surmount these challenges or suffer in the doldrums of mediocrity and decline. To help prevent that and gauge our readiness to tackle these problems, here is a six-point litmus test to determine if we are serious about cybersecurity.
1. Secure software signoff
The first question we need to answer is – do we know how to build secure software? If so, prove it! For every other engineering discipline, a “P.E.” or licensed Professional Engineer signs off and is accountable for the quality of the design and implementation of the project. Not so in free-wheeling software development. It is time for a P.E. for software engineering in the areas of security and reliability.
2. Trusted computing components
Our entire computing infrastructure has been built on openness, free-spirited sharing and a Pollyanna mindset right out of a 1960’s “love-in.” Time to get serious and develop trusted hardware, an operating system, apps and networking for our next “Manhattan Project.” Fortunately, the mass migration to cloud computing (for applications) and IPv6 (for networking) are targets of opportunity in this endeavor.
3. National vulnerability database
Our current patch-based, after-the-attack modus-operandi requires an authoritative data source for every known vulnerability in every known IT system and software application out there so we are not flying blind. If we are serious, this could be done in six months.
4. White-hat hacking of U.S. industries
We need to face economic espionage head on by finding the vulnerabilities before our enemies do. Not only would this enable DHS to warn those companies that are vulnerable and give them guidance on how to prevent unfriendly attacks, it would also provide offensive training for our cyber warriors.
5. Offensive cyber-operations policy
The old adage that “the best defense is a good offense” should be applied to cybersecurity. We will never have a real grasp of our vulnerabilities until we see through the eyes of an attacker. Given that, and the reality that we have plenty of adversaries, requires us to enact offensive cyber operations on par with how we fund, train and equip physical operations.
6. Accelerate national strategy for trusted identities
This strategy is sound yet requires a fast-track approach. The implementation must not take the usual bureaucratic path of over-analysis and hand-wringing. We need to end our after-the-fact, band-aid mentality towards cybersecurity as that approach has failed.
Unfortunately, 80 percent of the just-released DHS blueprint is just more of the same. Just doing more cybersecurity stuff is frankly not good enough. It’s time to get serious before we face a crisis situation. If the Popular Mechanics article is to be believed, then we may already be there. Game on!