Time for the Government to Practice What It Preaches
Action is needed now on cybersecurity and critical infrastructure protection.
Most cyber practitioners and many users agree that assessing and managing the risk associated with cybersecurity and critical infrastructure protection is a shared responsibility across a wide array of stakeholders, including government, industry, academia, the nonprofit community and individual citizens.
However, acknowledging and executing on that shared responsibility requires each of the stakeholder groups to accept and address their role in contributing to productive solutions. Rather than simply telling others what they should be doing, government should lead by example. Unfortunately, today’s circumstances regarding cybersecurity and critical infrastructure protection far too often find the government telling others, especially industry, what they should be doing but failing to implement appropriate protection measures in its own environment.
As recent examples have shown, the government itself, including its various departments and agencies, is a target for cyber crime and cyber espionage. Accordingly, it is time for the government to begin holding up its end of the shared responsibility to improve our collective national protection profile for cybersecurity and critical infrastructure protection.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework was released in February 2014. Over the past 18 months, a great deal of taxpayer money has been spent by the Department of Homeland Security and other federal agencies seeking to promote the “adoption” of the framework, especially by private sector companies. Various programs have been established and staffed in the government to conduct meetings and other activities around the country regarding the framework. The term “adoption” remains elusively undefined even after this significant period of time. This is largely because the framework itself is a toolbox of standards and best practices that are known across the community but now are collected in a framework document. This document leverages a common lexicon to become an important resource for stakeholders at all levels of user sophistication seeking to identify measures to help improve their cybersecurity protection.
The failure to include a discussion about the economics of cybersecurity is a serious omission. Various studies and surveys indicate that cost is a significant factor in cybersecurity risk management investment decision making for companies of all sizes. The corresponding failure of the government to follow through on its public commitment to pursue a series of economic incentives to motivate cybersecurity risk mitigation investment is an impediment to the framework becoming an even more valuable resource for stakeholders exploring measures to improve their cyber protection efforts.
Government speakers have traveled around the country advocating for the framework as an important tool for cybersecurity and critical infrastructure protection. Although the framework is portrayed as voluntary, the government has been asking companies to commit to the “adoption,” “implementation” or “utilization” of the framework. Government has attempted to survey industry sectors with the objective of documenting private sector action. We now are seeing evidence that some federal agencies are viewing the framework through a compliance, enforcement and regulatory lens, although the government continues to state that it is not intended as a regulatory instrument.
Yet, throughout this same time, what federal government department or agency has publicly announced its own commitment to the same framework? Given the impact of high-profile breaches at agencies such as the Office of Personnel Management, and the number of Americans who will be negatively affected by the result, it would seem logical that if the government agrees with the premise that the cyber risk management challenge is truly a shared responsibility, then the government itself would be committed to leading by example and stepping to the front of the line in committing to the framework. How about offering the Department of Homeland Security as a candidate?
October has been declared National Cybersecurity Awareness Month again this year. While many companies and organizations are embracing and actively participating in a variety of activities for National Cybersecurity Awareness Month, it also is time for the government to leverage this opportunity to ramp up its efforts to lead by example in cybersecurity preparedness, prevention and protection. Helping cyber users learn how to improve their basic cyber hygiene and their cybersecurity protection profile should be an effort offered every day, not just one month out of the year. Developing a comprehensive, collaborative and sustained national education and awareness campaign for cybersecurity protection and resilience should be a national priority.
It is estimated that approximately 80 percent of exploitable vulnerabilities in cyberspace are the result of poor or no cyber hygiene. These are basic measures to improve cyber protection and resilience such as password management and installing system updates in a timely manner. Most users want to be protected but just are not sure what to do, especially given the limited resources that they have available. Small businesses and individual users particularly would benefit greatly from such information and tips. Creating a sustained online presence with timely and relevant material for citizens, businesses, and stakeholders across the wide array of users will help improve today’s national and global cyber risk management challenge.
Imagine that every member of Congress, every member of every state legislature, every local elected mayor, city council, board of supervisors or county commissioners posted a link to their constituent website home page that directed folks to a location where they could get access to timely and relevant cybersecurity protection information. Such an approach is about leadership and creating a culture of security. National Cybersecurity Awareness Month would have been a great opportunity to launch such a nationwide initiative, and we should not wait until next year to consider creating a consortium of government, industry, academia, nonprofits and others to raise the bar of awareness and knowledge about user protection and resilience in cyberspace.
Then there is the issue of supply chain risk management. Once again, the government has become quite proficient at telling others what they should do to reduce the risk of supply chain intrusions or the insertion of counterfeit, tainted or malicious equipment into the government’s supply chain. The government could take steps immediately that would improve supply chain security and assurance while demonstrating a tangible commitment to the shared responsibility.
A number of legislative and regulatory provisions adopted in recent years impose new requirements on industry to implement various security controls and measures, as well as new reporting requirements related to cyber compromises for prime contractors, subcontractors, suppliers and vendors. However, what is missing from these discussions about managing the risk to the government’s supply chain is a commitment to addressing gaps in the federal acquisition process itself that would improve protection and reduce risk.
A federal procurement culture that defaults to lowest-price, technically acceptable (LPTA) awards for information and communications technology is an invitation for trouble. Purchasing from online brokers and other untrusted sources to save dollars makes it difficult to verify the authenticity, assurance or pedigree of the equipment being acquired. Most manufacturers of information and communications technology products and services maintain a trusted channel of authorized partners and resellers that are subject to background checks and other due diligence measures. While no approach to supply chain risk management is bullet-proof, a policy commitment by the government to purchase only from trusted and authorized sources, especially for mission critical systems, would be a significant step forward in reducing the risk of a compromise or intrusion into the government’s own supply chain.
Clear and compelling evidence exists that the bad guys take advantage of the government’s propensity for purchasing from lowest price providers and therefore leverage the untrusted channels such as online brokers and the gray market to insert counterfeit, tainted and even malicious products, depending on their motive. As in other cybersecurity risk and threat examples, those motives range from financial to disruptive or even destructive intent.
These three examples of inviting the government to not just “talk the talk” but to “walk the walk” on cybersecurity and critical infrastructure protection and resilience do not require legislation or regulation to implement. They require will and leadership to take important steps that will make a meaningful difference for our national cyber protection profile in a globally connected world. Leading by example should not just be a phrase; it should be a paradigm. Accordingly, it is time for the government to move beyond simply telling industry and other stakeholders what they should do to manage risk in their own environments and instead take a hard look at its own practices. The result should be a renewed commitment to take bold steps and execute on the same measures that it is expecting, and in some cases demanding, of others.
National Cybersecurity Awareness Month provides an excellent opportunity for government to step to the podium and, rather than announcing new taxpayer-funded programs, announce affirmative steps that the government itself will take to address its own cybersecurity and critical infrastructure protection challenge and advance our shared responsibility. The American people are counting on us to get this right. Let’s get to it.
Robert B. Dix Jr., is vice president, Global Government Affairs and Public Policy, Juniper Networks.