Cybersecurity Basics
Our current approach to cybercrime prevention requires each information system operator to secure their own environment by implementing best practices for threat prevention, detection, and response. These practices include:
- using network encryption (SSL/TLS, VPN, etc.) to ensure all data flowing between the system and its users cannot be intercepted
- using multi-factor authentication to ensure that system access is restricted to authorized users
- implementing strict controls around physical system access and encrypting all data that is stored in the system
- implementing strict procedures for patching known security defects in all device firmware, system software, and application software
- ensuring all systems are properly configured to prevent unauthorized access or data leakage (operating systems, web servers, e-mail systems, database servers, etc.)
- ensuring complete awareness and accountability of all devices and applications in the operator's network, to prevent a rogue device or application from being inserted into the network and leaking proprietary information
- implementing appropriate network security measures (firewalls, IDS, and IPS) to prevent unauthorized data transmissions to or from components in the network
- implementing security information event management (SIEM) to observe all application, system, and network events and detect suspicious events that could indicate illicit activity
- implementing denial-of-service prevention solutions to protect against brute force attacks like the one that took out Dyn on October 21, 2016 and with it many popular Internet services
- regularly inspecting all code developed internally for security weaknesses and immediately patching any defects discovered
- regularly performing third-party penetration tests to verify that cybersecurity defenses are operating as intended
- implementing e-mail and messaging filters to protect employees from exploitation (e.g., spear phishing, social engineering)
- performing routine malware scans on all servers and personal devices
- implementing recurring cybersecurity training for all employees, including specialized classes for software developers and system operators
- implementing an internal cybersecurity management and incident response team with skilled professionals and 24x7 coverage
As you can see, there's a lot of stuff that has to be done, and most of them require ongoing effort and expense. The awful truth is that most companies are not doing these things, and many others are doing them in an incomplete or haphazard manner. And the bad guys know it.
A Big Problem for the Government
Cybersecurity is just as big an issue for our government as it is for the private sector, yet in many ways the government is even less capable. The breach at the Office of Personnel Management, which resulted in the loss of over 20 million government employee records with extremely detailed personal background information, could have been prevented if the agency required two-factor authentication, but they didn't. It went on for over a year, but it wasn't detected because they didn't have an effective SIEM platform in place. It's also been widely reported that Chinese hackers stole large amounts of data from the F-22, F-35, and C-17 programs at the Department of Defense.I believe – or should I say hope – that some government systems have better security in place, but the complexity of systems and networks, and the constant evolution they experience, means that the probability is high that access to even the most sensitive information can be gained through unexpected and potentially unguarded pathways.
Even our political system is under threat. The 2016 election cycle started and ended with the drama over Hillary Clinton's private e-mail server and its potential implications for national security. As if to underscore this issue, thousands of internal e-mail messages were stolen from computers at the DNC as well as the Google e-mail account of Clinton's campaign manager John Podesta. The DNC breach was carried out by malware installed on their computers, and the Podesta hack was a straightforward spear phishing attack that convinced him to give his Google mail credentials to the hackers. If the DNC had mail filtering and malware detection systems and if Podesta had enabled two-factor authentication, both attacks would have been thwarted.
A National Cybersecurity Policy?
The incoming administration has proposed a national cybersecurity task force to determine appropriate policies and actions for defending our nation's information systems. What might this entail?First, there might be a set of regulations which require companies and government agencies operating vital information systems to implement a specific minimum set of cybersecurity capabilities from the list above. Companies that fail to meet these requirements will be cited and must comply within a given period of time or face stiff financial or other penalties. This will require a national cybersecurity enforcement agency that will perform inspections and penetration tests, and deliver warnings and citations to organizations that fail to comply with the law. There is legal precedent for this; consider that Ford can't sell a car in the US unless it has airbags and seat belts, so why should a bank be able to launch an online banking system without the capabilities required to protect its customers' identities and accounts?
Second, there might be a national cybersecurity monitoring function observing all network traffic passing over major internetwork links, especially those traversing our national border. In this way, unusual or suspicious traffic patterns can be detected; e.g., OPM data being sent to China, a major bank's computers being accessed from a TOR node, or a large data dump from a US telecom provider's network to a server in Romania. This would then let the potential targets be informed, hopefully before too much damage is done.
Third, there might be a traffic management function to block or interrupt network traffic if it is deemed suspicious or harmful. This would amount to a national firewall, where all US network operators are required to deploy secure border gateways with traffic inspection and control software and allow control of those devices by some national cybersecurity agency. This mechanism might be able to prevent large volume data theft and block large-scale DDoS attacks.
Fourth, there might be a set of regulations which require manufacturers of networked devices to meet a minimum set of cybersecurity requirements. Consider that a lot of the hacking going on today is enabled by things like home routers and webcams with known vulnerabilities that have been compromised by malicious actors and are being used to penetrate internal company networks or launch large-scale denial of service attacks. Companies might have to demonstrate compliance before their devices are allowed to be sold in the USA, so this would give them a massive incentive to get it right.
Finally, I believe the task force will propose a single agency to implement and enforce these policies. This will close the gaps that exist today across Homeland Security, Commerce, Justice, Defense and other federal agencies that each cover a part of the national cybersecurity landscape.
What Could Go Wrong?
Any policy decision will have negative impacts as well as positive ones, but this set of policies could have huge implications for our government, our citizens, and our businesses.First, a new set of complex regulations and compliance enforcement policies will create a large cost burden on businesses and taxpayers; the former to comply with regulations, the latter to fund the personnel and systems required to enforce the policies. You might argue that businesses should be in compliance in any event, but having to prove compliance to the government will create expenses beyond the internal implementation cost.
Second, a global traffic observation system will be costly and may raise significant privacy concerns. Will the government be watching every movie you download from a foreign server, or reading every e-mail you send to international friends and co-workers? Beyond this, it will create costs for network operators and will require people and systems that will perform the monitoring and alerting functions.
Third, a global traffic management system will potentially threaten valid traffic between networks and could allow the government to intentionally cut off Internet traffic to any or all other countries, so this is a serious threat to our freedom. If your personal or corporate communication was blocked, and this communication was valid, what would you have to do to get it un-blocked? What rights would you have to freely send and receive data, and what obligations would the government have to protect those rights and not infringe upon them?
Fourth, requiring devices to be inspected by the government prior to being sold will create delays in time to market and additional expenses that smaller companies might not be able to bear. This will advantage large companies with established revenue streams and more human resources, and thus will probably retard innovation.
Finally, a new large and powerful bureaucratic organization will also create new problems. It will have to be funded and staffed, initially. After a while, as all bureaucracies do, it will attempt to solidify and expand its position in society by increasing its authority and budgetary requirements. It will create friction with existing bureaucracies which will result in wasted energy within the government, and potential fallout to the citizens and businesses as they try to decipher and navigate the new requirements. Consider the impacts encountered when businesses and individuals were trying to understand the impact of complying with the Affordable Care Act when it was introduced.