Partnerships, Cyber Training Could Protect Networks
Several recommendations mirror what AFCEA's Cyber Committee has called for.
Better cooperation and enhanced information sharing between the government and industry will go a long way toward safeguarding digital networks and building up the work force needed to protect the information infrastructure. These are some of the recommendations offered by the nonpartisan Commission on Enhancing National Cybersecurity in its much-anticipated report released this month.
The 12-member commission, established by President Barack Obama earlier this year, also called for an increase in educational programs for younger students. “Our commitment to cybersecurity must match our commitment to innovation,” the report states. “If our digital economy is to thrive, it must be secure. That means that every enterprise in our society—large and small companies, government at all levels, educational institutions and individuals—must be more purposefully and effectively engaged in addressing cyber risks.”
The report highlights the dangers posed by hackers and cyber criminals, and addresses six imperatives for improved national cybersecurity that the upcoming administration should focus on and that reportedly are already on President-elect Donald Trump’s radar.
“Presidential transitions are a time of incredible change in Washington, and we appreciate that the incoming administration has already signaled [its] commitment to addressing fundamental cybersecurity challenges,” says Mordecai Rosen, senior vice president and general manager for cybersecurity at CA Technologies. “Cybersecurity is an issue that must remain front and center for our country. The report … echoes many of the key recommendations that we see as critically important for our nation’s security. Chief among them is the need to focus on identity-centric security, including the authentication of people and devices.”
The commission’s report makes a strong appeal for better partnerships—between countries, between national and state governments, and between government and the private sector. “When it comes to cybersecurity, organizations cannot operate in isolation,” it states.
After months of working on the directive, the commission identified these six imperatives to enhance cybersecurity:
- Protect, defend and secure today’s information infrastructure and digital networks.
- Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
- Prepare consumers to thrive in a digital age.
- Build cybersecurity work force capabilities.
- Better equip government to function effectively and securely in the digital age.
- Ensure an open, fair, competitive and secure global digital economy.
Additional key areas merit emphasis and expansion of focus, Rosen states. Currently, analysts estimate 80 percent of breaches involve compromised credentials of privileged users. “The government should strive to establish a frictionless authentication experience that prioritizes continuous and risk-based authentication processes that will make identity management in the public sector easier and more effective,” he says. “But good security doesn’t stop at authenticating who you are; it needs to go further to authenticate a user based also on what they do. Greater use of behavior analytics will help flag anomalous behavior for a specific identity or role.”
Another area centers on federal acquisition reform and calls for the government to develop a better mechanism for leveraging new technologies quickly, suggests Rosen, who commended the commission’s support for wider adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. “Incentives for adopting the framework could help encourage other organizations to use it, resulting in more consistent security practices and systems going forward,” Rosen shares.
In championing improved cybersecurity efforts, Obama signed two executive orders that seek to strengthen government networks against cyber attacks while protecting personal information. “Technological advancement is outpacing security and will continue to do so unless we change how we approach and implement cybersecurity strategies and practices,” reads a portion of the commission’s 100-page report. “Successful implementation of our recommendations will require significant commitment from both the public and private sectors and extensive cooperation and collaboration between the two. Indeed, enhancing the state of national cybersecurity will require the coordinated effort of a wide range of organizations and individuals.”
Experts across the cyber field have echoed many of the same recommendations outlined in the report. “There is no shortage of practical and achievable process improvement ideas,” reads a white paper released in October by AFCEA International’s Cyber Committee. “The overarching theme is that, with the correct and timely level of cooperation between the public and private sector, we can improve our response to cyber attacks and begin to better understand how the adversaries are attempting to position themselves in the ever-changing world of cyberspace.”
The paper mirrors aspects of the commission’s first imperative, which calls for better information sharing: “While the private sector and government are continuously seeking better partnership models, a lack of mutual trust—an essential ingredient—seems to inhibit needed progress. This paper explores areas of collaboration where the government and private sector are collaborating effectively as well as new areas for collaboration that constitute ripe opportunities.”
Information sharing goes beyond the simple exchanging of cyber-related information and must be recognized as a means to an end, the AFCEA committee wrote in June. “The ultimate objective is enabling members of the cyber ecosystem to make defensive risk-based decisions based upon much more precise data. That is, the act of exchanging or sharing information is necessary but not sufficient to prevent cyber attacks.” Additionally, the AFCEA committee in April called for defined standards and broad-based input as an information-sharing companion to NIST’s framework.
But the solutions are not just about tapping technology. The nonpartisan commission’s report addresses work force gaps and encourages the next president “to initiate a national cybersecurity work force program to train 100,000 new cybersecurity practitioners by 2020.”
That recommendation provides “sensible” advice, says Morgan Reed, executive director of ACT/The App Association. “No challenge is more important over the long term ... than addressing the cybersecurity talent gap and the failure of America’s education system to produce enough students with computer science skills,” Reed says.
A report released by the association not only highlights that nearly 250,000 software developer jobs in the United States remain unfilled, but also shows barely one in eight high schools across the nation offer advanced computer science courses. “We look forward to working closely with the new administration and Congress to find solutions to this growing talent crisis that threatens both the security of our digital infrastructure as well as the future of our innovation economy,” Reed says.