Trump’s order to strengthen cybersecurity is a step in the right direction

But more time, regulations would go a long way in achieving goals of mandate


More regulations are needed to ensure that software and hardware creators make their products as safe as possible before going to market.

On May 11, 111 days after taking office, President Donald Trump signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. At a time when data breaches make the headlines on a weekly basis, Trump announced that the executive branch would take control of protecting America’s critical IT systems. Cybersecurity for the nation and, specifically, work force development is the primary goal of the order.

For many cybersecurity analysts, including Paul Vixie, internet pioneer and CEO of Farsight Security, the order is a stride in the right direction. Vixie testified before the U.S. Senate Judiciary Subcommittee on Crime and Terrorism for a 2014 hearing on taking down botnets.


In a conversation with Third Certainty, Vixie says he thinks the executive order is good, all things considered. The order is similar to those of the Clinton, Bush and Obama administrations, and is a positive move. If the goals can be met, the level of cybersecurity in the nation will be elevated.

Improving cybersecurity in the workplace and aligning manufacturers’ goals with the public’s goals will be crucial to the ongoing security of the country. But Vixie says the 60- to 90-day timeframe mandated by the executive order to turn around the required assessments is too short and unrealistic.

Workplace needs

Trump’s order describes the goals to strengthen work force cybersecurity, but Vixie says meeting those goals will take years, not weeks.

There is a huge shortage of IT professionals with the necessary cybersecurity skills and experience. The Information Systems Security Association (ISSA), a community of cybersecurity professionals, estimates that over a quarter-million positions are unfilled. It predicts the shortage will grow to 1.5 million jobs by 2019.

To compound the problem, Vixie says certifications alone are not enough. Often too much emphasis is placed on gaining credentials and not enough on real-life experience. “Only time gives people the experience, perspective and judgment they need to do the job well,” Vixie says.

Building a better work force isn’t the only issue Vixie thinks the government should address further. Ransomware and cyber attacks will only increase as the number of connected devices multiplies. Stronger regulations are needed to protect against the dangers of botnets and devices enabled by the Internet of Things. And there is an urgent need to boost the security of software and products.

The WannaCry outbreak in May is evidence. The malware infected systems that weren’t patched. Though IT professionals know how to patch, they don’t practice what they know. Vixie says that’s because too many have theoretical backgrounds but not practical ones.

Regulations matter

Increased regulation is needed in the cybersecurity industry. Currently, device manufacturers have no incentive to test and assess device vulnerabilities. When getting to market is the only goal, manufacturers are willing to forgo as much as possible to gain market share. Buyout or bankruptcy seem to be the only long-term outcomes of a safety-first attitude.

Regulations can level the playing field and are key to requiring device makers to protect the public against botnets and IoT devices. If the government were to introduce a policy of minimum safety standards, device makers would be forced to align their values to those of the public. Theoretically, such a policy would be easy to enforce. The U.S. government is the largest producer of IT technology in the nation, possibly the world. If it raises the standards, the market will improve dramatically. Vendors that don’t meet the new standards will find they no longer have a market and will quickly go out of business.

In an ideal world, Vixie says, everyone would work on the principle of least privilege, which is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. The concept isn’t new, but it is hard to enforce.
