It’s no secret that cyberspace is growing more hostile, with increased criminal activity and regime-driven intelligence activity. When the CSIS Commission first published its Report on Cybersecurity for the 44th Presidency two years ago, cybersecurity didn’t appear to be a priority for many of the world’s elite organizations and government agencies. This continued to be evident in 2010: For instance, the year began with a major exfiltration of data from Google and other Fortune 500 companies, saw the Stuxnet worm cut through industrial control systems with ease, and ended with annoying denial of service attacks over Wikileaks.
In the Wikileaks case, three key lessons we should have learned include:
- trusted third-party systems can be used to exfiltrate your data
- an ecosystem of unregulated hosting companies exists to distribute stolen data
- anarchists have rebranded themselves has “hacktivists”
These troubling realities necessitate fundamental policy shifts and strategic action. The CSIS Commission has issued final report that delineates 10 action items for the administration:
- Coherent organization of Federal efforts for cybersecurity and recognition of cybersecurity as a national priority.
- Clear authority to mandate better cybersecurity in critical infrastructure and develop new ideas on how to work with the private sector.
- A foreign policy that uses all tools of U.S. power to create norms, new approaches to governance, and consequences for malicious actions in cyberspace. The new policy should lay out a vision for the future of the global Internet.
- An expanded ability to use intelligence and military capabilities for defense against advanced foreign threats.
- Strengthened oversight for privacy and civil liberties, with clear rules and processes adapted to digital technologies.
- Improvement in the authentication of identity for critical infrastructure.
- Build an expanded workforce with adequate cybersecurity skills.
- Change Federal acquisition policy to drive the market towards more secure products and services.
- A revised policy and legal framework to guide government cybersecurity actions.
- Research and development (R&D) focused on the hard problems of cybersecurity and a process to identify these problems and allocate funding in a coordinated manner.
It’s clear that cyber-situational awareness in terms of threats to our nation’s critical infrastructure is paramount. In particular, the second recommendation references the need for risk-based performance metrics when evaluating the security of critical infrastructure -- especially as part of the continuous monitoring of an entity’s security. The Commission also highlights the importance of the Consensus Audit Guidelines in assessing risk.
We must recognize that the Three Little Pigs paradigm per cybersecurity has ended. Security is not an expense but rather a central facet of doing business in a digital world. Critical infrastructures are under constant attack, and must they identify how their critical assets are exploitable prior to the colonization of their assets by foreign parties. With this awareness the fog of plausible deniability is evaporated
Core Security is dedicated to providing cyber-situational awareness to all those who believe the “wolf” is knocking at the door. Only through appreciation of our adversaries’ organization and tactics can we begin to manage the risk to our cyber assets. Risk assessment and recognition is paramount when attempting to build our virtual houses from brick. The CSIS Commissions policy priorities represent the Marshall Doctrine of the developed world’s attempts to civilize cyberspace. It is my earnest hope that we can succeed both tactically and strategically in this historic struggle.
- Tom Kellermann, VP of Security Awareness and Government Affairs