Cyber Hygiene and Government–Industry Cooperation for Better Cybersecurity
This past month cybersecurity legislation, called Promoting Good Cyber Hygiene Act of 2017, was introduced that would mandate the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) to establish baseline best practices for good cyber hygiene, authentication and cooperation.
Specifically the legislation states that the list of best practices established “shall be published in a clear and concise format and made available prominently on the public websites of the Federal Trade Commission and the Small Business Administration.” It also recommends including “other standard cybersecurity measures to achieve trusted security in the infrastructure.”
This introduction of the legislation is timely and follows an expanding trend of public–private cooperation. In February of 2013, Presidential Policy Directive-21 was issued to provide an approach to developing standards and enhancing information sharing with critical infrastructure owners and operators. The executive order was aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public–private cyber ecosystem.
Subsequently, the National Cybersecurity Protection Act of 2014 became law to help provide a roadmap for the roles of DHS and stakeholders. The law authorized the National Cybersecurity and Communications Integration Center’s current activities to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies, and recommend security measures to enhance cybersecurity.
Collaboration is Key
Certainly, information collaboration is a key component of any successful cybersecurity initiative effort, and the relationship between industry and government is no exception. Recently, DHS in cooperation with NIST developed guidelines for information sharing among several industry sectors with government. The benefits are evident. Information sharing allows both government and industry to keep abreast of the latest viruses, malware, phishing threats, and especially denial of service attacks. Information sharing also establishes working protocols for resilience and forensics, which is critical for the success of commerce and enforcement against cybercrimes.
Because of privacy and intellectual property issues, the private sector appeared reluctant to share established protocols, data and lessons learned with other industry players and government. Both government and commerce are now prioritizing critical infrastructure as the primary focus of threat and response. There is a growing understanding of the seriousness and sophistication of the threats from adversarial actors that include states, organized crimes, and loosely affiliated hackers. This budding government–industry relationship still needs to be expanded and enhanced, especially in regard to critical infrastructure—85 percent of which is owned and operated by the private sector.
A closer partnership between governments and the private sector could help produce tactical and long-term strategic cybersecurity solutions quicker. Cooperative research and development in new technologies such as hardware, software algorithms and operational processes are needed just to keep up with the evolving global threat matrix. There are no areas on the cybersecurity spectrum that do not need more investment and modernization to help fill capability gaps. The Science and Technology Directorate at DHS operates several programs and projects facilitating public–private cooperation in R&D, tech prototyping, and commercialization. These programs and projects need to be expanded and provided with more funding resources.
Keeping up with cybersecurity threats is often daunting. There are a wide variety of architectures, systems, and jurisdictions, and adaptability and scalability to upgrade to new security technologies and processes is a significant challenge. The Internet of Things (IoT), which relies on the interoperability of a plethora of devices, platforms, and protocols, is a good example of the complexities involved.
The Internet of Things era could become the Internet of Threats era if cybersecurity safeguards aren’t put in place.
One of the priorities of the proposed legislation is to study cybersecurity threats relating to IoT devices. According to one of the bill’s key sponsors, Sen. Ed Markey, D-Mass., “The Internet of Things era could morph into the Internet of Threats era if appropriate cybersecurity safeguards are not put in place now to protect consumers.”
The legislation’s title, Promoting Good Cyber Hygiene Act of 2017, is instructive in itself: Regardless of location, any government or private organization’s cyber-hygiene mantra should include:
1) Update and patch your networks, operating system and devices promptly. “Critical” is “critical” for a reason. Do it within 72 hours of release.
2) Train your employees on how to detect spear-phishing attempts and what best social media practices are. Quarterly training can reduce the risk by up to 90 percent in most cases.
3) Use multifactor authentication. We have effectively reached the age of password uselessness due to our poor habits. Passwords slow down bad guys who do not know what they are doing. Biometric solutions are great, but proceed with caution if you go this route because you now have data management and privacy concerns that must be addressed.
4) Back up regularly (daily if feasible). Where possible, use the “1, 2, 3” backup rule: 1. a segmented backup on-site; 2. one off-site; and 3. one in the cloud. No need to pay the ransom if you have a clean backup ready to be uploaded to your system.
5) Be cautious with older systems. Yes, older systems can be repaired. However, the upfront capital cost is not always affordable. The critical issue becomes support (patches) for these system stops. If these systems are past their “patch life” they become tempting targets for hackers.
6) Follow-on to the last point, sometimes the best answer is the cloud. Cloud service providers have state of the art hardware and software and cloud migrations have become easier, especially over the last two years. The cloud is not a savior—it comes with other issues, such as needing to learn what your obligations and responsibilities are, ensuring you have robust agreements with your vendors, and knowing what third-party sources will have access to your information.
7) Know how your intrusion detection and prevention system works. Is it signature-based? Perhaps it is behavioral-based? Maybe it is both? New cyber threats require new tools. This is where machine learning, cognitive computing, AI, automation, and orchestration all come into play (but only when done in tandem with all other techniques discussed here). Internet data traffic has reached the stage where humans aren’t able to do this on their own.
8) Consider a Managed Service Provider (MSP) or a Managed Security Service Provider (MSSP). Cybersecurity is not everybody’s strength, but one ransomware attack could be crushing. There are options out there to help you. Sure, it costs money, but you are buying peace of mind. Do your homework and find the right solution for you.
9) Do you drive your car without insurance? Cyber insurance is not mandatory yet, but it may be in the future. Chances are if you are doing a lot of what is suggested here, premium payments will be at the lower end.
It clearly makes sense for both industry and government to work together, especially on cyber hygiene, and also to share lessons learned on threats and procurements of mitigating technologies and processes. The newly proposed legislation is a continued step in the right direction.
* The CyberAvengers are a self-described “group of salty and experienced professionals who have decided to work together to help keep this nation and its data safe and secure.” The group includes BRINK’s cybersecurity columnist Chuck Brooks, vice president for Government Relations & Marketing for Sutherland Global Services; Paul Ferrillo, counsel in Weil’s Litigation Department and part of its Cybersecurity, Data Privacy & Information Management Practice; Kenneth Holley, founder of Information Systems Integration, focusing on infrastructure security and data analytics; George Platsis, 15-year veteran of the private, public and nonprofit sectors; Shawn Tuma, 25 years in banking, trading, asset management and auditing at GE, Citigroup, State Street Global Advisors and Nomura Securities; and Christophe Veltsos, a cyber risk advisor and professor at Minnesota State University, Mankato.