LETTERS TO THE EDITOR: DHS not alone in vulnerability
GCN cover from 8/29
In your good piece on 'DHS Limps on Cybersecurity', you leave this reader with the impression that the Homeland Security Department's cybersecurity outlook is bleak. This is unquestionably true for DHS, but it is also true generally.
DHS systems, along with the systems of systems throughout the critical infrastructure, are being outgunned by bad actors capable of launching attacks. Vulnerabilities resulting from neglect in the practice of software engineering and the application of software security technology pave the way for exploits that are increasingly more innovative and exhibit great skill.
The continuing impotence of DHS on cybersecurity is not simply tied to reporting structures or even risk management practice. Risk management is a useful technique when faced with genuine uncertainty. But it is not the right choice when the root cause of the problem is known to be neglect within an entire industry, and the response is one of dithering between market-driven forces and government regulation to avoid being tagged with the blame. Risk management is being used as a facade.
First-tier companies are working hard on security but new vulnerabilities continue to appear, and these are being exploited more rapidly than ever before. Are these first-tier companies failing in the practice of good software product engineering or simply failing in the practice of good software security engineering? Security vendors insist that security solutions are known and available and that the problem lies with the users who lag in security awareness and dissemination of security technology. However, when the need to be secure now is stated as the requirement, the vendors fall silent.
This lack of progress toward achieving trustworthy software systems is due to several factors:
1. Fielding today's systems of systems is becoming an increasingly complex challenge.
2. The education and training of the software workforce, whether university or corporate, is not resulting in the application of industry best practices; the result is a growing pool of ex- ploitable vulnerabilities.
3. The software industry and its security vendors are being outmaneuvered by bad actors who are exploiting vulnerabilities stemming from neglect despite the best defenses by those charged with protection.
4. The current and projected levels of cybersecurity R&D funding and investment initiatives are insufficient to reverse the situation. For example, DHS' R&D funding for cybsercurity is just $18 million.
5. Innovation in the security industry is dead in the water as security vendors insist that the state of the art is sufficient to meet the need and that the lag in user awareness and dissemination is the issue.
It is clear that we need to be secure now in every sector of the critical infrastructure.
We also see that innovation trumps neglect. Bad actors display innovation in their exploits. The software industry and its programmers reveal neglect in their vulnerabilities while the government compounds the neglect with insufficient cybersecurity R&D. Market-driven solutions are unlikely to emerge where the basic awareness of the problem is still being sold and has become the substitute for the problem itself. What is needed is an overarching national strategic process for formulating and driving an innovative cybersecurity agenda.Don O'Neill
Executive Vice President
Center for National Software Studies