Cybersecurity is in the news and on the minds of many Americans going into 2017.
Just in the last few weeks, the CIA has indicated that Russia hacked into emails from both the Democratic and Republican National Committees. Following that news, there has been a bipartisan congressional effort to determine if the breach affected the 2016 election. And prior to that, on Dec. 2, the Obama administration released the results of a new report from the Commission on Enhancing National Cybersecurity.
Among the recommendations from the commission — which has representation from IBM, MasterCard, Microsoft Research, Merrill Lynch and Uber — are tightening up the security of internet of things devices, aligning responsibility for cybersecurity to an agency inside of the Department of Homeland Security, creating a labeling system for consumer technology products that rates their security and constructing an apprenticeship program to train college students for careers in cybersecurity.
Just how President-elect Donald Trump’s administration will handle these recommendations remains to be seen. His website outlines plans to create a cybersecurity review team; develop an offensive strategy for handling cyber attacks; and ask the Department of Justice to create joint task forces to coordinate federal, state and local law enforcement to respond to cyber threats.
Many of the concerns being discussed at the federal level are top of mind for cybersecurity enterprises, who live and breathe these issues daily.
“The [policy changes] that have been beneficial are when you look at the information sharing that goes on now, not just an individual term in an office,” says Mike Buratowski, vice president of cybersecurity services at threat detection company Fidelis Cybersecurity. “Any time we’ve seen an effort to share information or to standardize capabilities, that’s always been a benefit to Fidelis and the industry.”
Buratowski was encouraged with the announcement of the nation’s first chief information security officer in September, but he would like to see more cohesion across the government for cybersecurity.
“There needs to be more consolidation or standardization of cyber across the government,” he says. “It’s more siloed. Any sort of standardization or accountability is going to be huge.”
Though defining standards that satisfy diverse companies would be a challenge, the outcome would be beneficial. There have been a lot of efforts to standardize the format and language when entities share indicators of compromise. Buratowski says entities like the National Institute of Standards and Technology could play a role in creating a standard so this type of information could be usable by everyone that needs to be involved. Health care standards also need further definition — especially in the modern climate where there are stiff penalties for data breaches, but there is also a federal call for increased shareable health data.
Operations management and cybersecurity company PAS anticipates an uptick in cybersecurity regulation, but warns that doesn’t always lead to tightened security.
“Federal regulation is a double-edged sword,” says David Zahn, general manager of cybersecurity at PAS. “On one side, it forces nationwide attention and, more importantly, investment that might otherwise happen too slowly. Unfortunately, good compliance does not always equal good security — the other side of the sword. When standards are enforced, compliance — particularly low-cost compliance — becomes an investment ceiling versus a floor.”
How regulations are enforced also varies. For instance, for infrastructure-related security, the North American Electric Reliability Corp. critical infrastructure protection plan fortified traditional IT systems, but those account for about 20 percent of a power plant’s cyber assets. The other 80 percent comprises proprietary industrial control systems that are opaque to auditors and cyber personnel.
“A beneficial shift in regulatory policy would include focusing on this unaddressed class of endpoints,” says Zahn. “The regulations are roughly defined. Now we just need to add them to the enforcement side.”
Fidelis also anticipates a more robust policy related to endpoints — particularly the quickly growing IoT market.
“There’s no way those companies that build those interfaces and systems built security robustly into it. They build and program for usability,” says Buratowski.
This leaves many consumer products vulnerable, from smart home devices to even cars that can be hacked through vehicle infotainment systems. “They are built for interface. That’s really scary when you think about it,” he says.
However, while Buratowski says it’s inevitable that innovation will outpace the government, regulations could play some much-needed catch up in the next four years.
“I’m very hopeful that we’ll be better off,” says Buratowski, on the company’s outlook over the next four years. “The law and regulation is usually behind technology, so it can only get better.”
Follow Alisa Valudes Whyte on Twitter: www.twitter.com/MerrittGroup