Industry experts weigh in on Obama’s cybersecurity blueprint

New federal CISO, $19 billion spending hike aim to prevent cyber attacks, but is it enough?


President Obama is once again using his bully pulpit to help make the Internet safer.

Obama’s 2017 budget proposal calls for a $19 billion increase in cybersecurity funding across all government agencies, up more than 35 percent from the previous fiscal year.

In January 2015, Obama proposed a sweeping new federal privacy law that would return some level of control back to individual citizens with respect to the vast amount of online-tracking data generated and stored for consumers.


And I was in the audience at Stanford University in February 2015 when Obama signed a milestone executive order urging the corporate sector to dramatically advance the sharing of cyber-attack intelligence among themselves and with the federal government.

He followed up in April 2015 issuing an executive order stipulating sanctions against individuals and entities who endanger the nation with “malicious cyber-enabled activities.”

And now, in addition to boosting federal spending, Obama’s Cybersecurity National Action Plan calls for creating a new federal chief information security officer to coordinate cybersecurity across civilian agencies. ThirdCertainty asked security experts about Obama’s latest move to establish his legacy as the cybersecurity president.

Ray Rothrock, chief executive officer, RedSeal

Networks were not designed with cyber attacks in mind, so they are not resilient to them. But it’s not too late. Building digital resilience into networks before attacks is the only way to get ahead. The proposal by the president can be an excellent step in leading the world to a more cyber-resilient future.

The nation’s new CISO should be asking agency teams, ‘How are we measuring our cyber results and defenses? How are we thinking about resilience? And how are we determining the first step to take to make our digital infrastructure more resilient?’

Igor Baikalov, chief scientist, Securonix

This is a much needed and sufficiently actionable effort to strengthen cybersecurity. Government-wide shared services will definitely help to pool limited resources and build qualified cybersecurity teams.

From incident response and forensic investigations to centralized monitoring and analytics to substantial buying power to get the best tools and resources, this is the only way to get federal cyber defenses up to the level sufficient to survive in the current threat environment.

Phil Dunkelberger, chief executive officer, Nok Nok Labs

While federal government leadership is a positive step, some big holes remain. There is a worrisome lack of public-private partnership. And a major pain point for both government and the private sector is the shortage of skilled IT security professionals. There is the opportunity for government to help expand the talent pool.

The United States also lacks comprehensive data breach legislation. While the U.S. frequently takes a leadership role in technology initiatives, there has been no substantive movement to address data breaches. Only with a strong move in this area will we see real traction.

David Brumley, director, Carnegie Mellon University’s CyLab and IEEE member

The president should be commended. However, currently there is a zero percent unemployment rate in the field of cybersecurity, which represents an inadequate pipeline to fill the necessary public- and private-sector jobs.

And we need to develop systems that automatically check software for exploitable bugs. We also need realistic test beds that cover emerging Internet of Things devices, as well as develop a plan for IoT that includes the economics of real enterprises in industry and government. And we need to make security and privacy easy to use.

Malcolm Harkins, chief information security officer, Cylance

This is a positive and greatly needed step. The question is whether the $19 billion will be spent wisely. The security industry is profiting from this never-ending cycle of upgrading old detection-and-response technologies and approaches. The problem with that is that damage is already occurring before the security process can begin. Unless the investment is being guided by a perspective that includes new prevention approaches, we may, as a country, be spending $19 billion more each year on Band-Aids.

Jeff Hill, marketing manager, STEALTHbits Technologies

The $19 billion is nothing to sneeze at. More telling, however, is that the federal government spends $700 billion annually on defense, intelligence and homeland security.

This budget priority reality begs the question: Do cyber attacks represent a mere 2 or 3 percent of the risk to our nation’s economy and the safety of its citizens? Three percent priority might be progress, but we’ve got a long way to go.
