The Presidential Commission on Enhancing National Cybersecurity last week published a set of recommendations aimed at strengthening cybersecurity across the public and private sectors.
The recommendations would need to be carried out by President-elect Donald Trump, including some that call for action within the first 100 days of the new administration.
The report covers a wide range of topics, including DDoS attacks, authentication and identity management, critical infrastructure, the security of SMBs, IoT threats, cybersecurity research and development, educating consumers, addressing workforce gaps, enterprise risk management in federal agencies, incident response, and international agreements and norms of behavior.
Independent experts and the representatives of various security firms shared comments and criticism on the presidential commission’s report:
Robert Graham, Errata Security:
“This document is promoted as being written by technical experts. However, nothing in the document is neutral technical expertise. Instead, it's almost entirely a policy document dominated by special interests and left-wing politics. In many places it makes recommendations to the incoming Republican president. His response should be to round-file it immediately.
I could pick almost any of the 53 Action Items to demonstrate how they are policy, special-interest driven rather than reflecting technical expertise.” [Graham’s complete blog post]
Edward McAndrew, partner and co-leader of Privacy and Data Security Practice, Ballard Spahr:
"The Commission's Report, and the President's statements on the Report, rightfully acknowledge the enormity and quickly evolving nature of the cyber threat landscape. The root cause of cybersecurity issues is cybercrime. For all that it does cover, the Report fails to address the critical need for increased resources for cybercrime-related law enforcement activity. Because too few offenders are successfully prosecuted for massive criminal schemes, we are failing to deter this criminal conduct, and we are failing to create a public record upon which other costs can be imposed in the international community.
Federal law enforcement agencies (FBI, Secret Service, ICE) and the US Department of Justice have far too few investigators and prosecutors to effectively combat the epidemic of cybercrime that the United States is experiencing. When I left the Department of Justice at the end of 2015, we had roughly 300 federal prosecutors dedicated to cybercrime (in the Computer Hacking & Intellectual Property Crime Network), and 120 prosecutors focused on national security cyber issues (in the National Cyber Specialist Network). It should be self-evident that those numbers are grossly inadequate.
We need to significantly expand the ranks of investigators and prosecutors focused exclusively on cybercrime investigation -- not just intelligence gathering. Otherwise, triaging national security threats will largely remain the sole mission, and most other cybercrimes (that are causing most damage and loss) will continue to go unaddressed."
Brian Krebs, investigative journalist:
“It’s nice that this presidential commission placed a special emphasis on IoT and denial-of-service attacks, as these two threats alone are clear and present dangers to the stability of e-commerce and free expression online. However, this report overall reads very much like other blue-ribbon commission reports of years past: The recommendations eschew new requirements in favor of the usual calls for best practices, voluntary guidelines, increasing industry-government information sharing, public/private partnerships, and public awareness campaigns.
One recommendation I would like to have seen in this report is a call for federal legislation that requires U.S.-based hosting providers to block spoofed traffic from leaving their networks.” [full blog post]
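Krebs's point about hosting providers blocking spoofed traffic before it leaves their networks is usually implemented as source-address validation at the network edge, the approach documented in BCP 38. The following is an added example written for this page, not code from Krebs, the commission, or any provider; the owned prefixes, the abbreviated bogon list and the sample flows are constructed stand-ins (documentation address ranges), and the function names are hypothetical.

```python
"""Egress source-address validation (BCP 38 style), added example.

Assumes the hosting provider knows which prefixes it announces. Any
outbound flow whose source is unparsable, a bogon, or outside those
prefixes is treated as spoofed and dropped at the edge; dropped flows are
aggregated per destination so defenders can see which targets are being
hit with forged traffic from inside the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Prefixes this hypothetical provider announces (documentation ranges used
# as constructed stand-ins for real allocations).
OWNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Source addresses that should never leave a network toward the Internet
# (abbreviated bogon list, constructed for the example).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary (constructed sample record)."""
    src: str
    dst: str
    proto: str
    size: int  # bytes


def is_spoofed(src: str, owned: Iterable = OWNED_PREFIXES) -> bool:
    """True if a packet with this source address must not be forwarded out.

    A source is considered spoofed when it cannot be parsed, falls inside a
    bogon prefix, or is not inside any prefix the provider owns. Membership
    tests across IP versions are False, so mixed v4/v6 lists are safe.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # malformed source: never forward it
    if any(addr in net for net in BOGON_PREFIXES):
        return True
    return not any(addr in net for net in owned)


def filter_egress(flows: Iterable[Flow], owned: Iterable = OWNED_PREFIXES) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into those allowed to leave and those dropped as spoofed."""
    forwarded: List[Flow] = []
    dropped: List[Flow] = []
    for flow in flows:
        (dropped if is_spoofed(flow.src, owned) else forwarded).append(flow)
    return forwarded, dropped


def spoof_report(dropped: Iterable[Flow]) -> Dict[str, int]:
    """Total dropped bytes per destination: the likely victims of forged traffic."""
    totals: Dict[str, int] = {}
    for flow in dropped:
        totals[flow.dst] = totals.get(flow.dst, 0) + flow.size
    return totals


# Constructed sample flows: two legitimate v4/v6 sources, a source from a
# prefix we do not own, an RFC 1918 source, a malformed source, and one
# more legitimate source.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.50", "tcp", 1500),
    Flow("2001:db8:1::5", "2001:db8:ffff::1", "udp", 600),
    Flow("203.0.113.7", "198.18.0.1", "udp", 1200),   # not our prefix: forged
    Flow("10.1.2.3", "198.18.0.1", "udp", 1200),      # bogon source
    Flow("not-an-ip", "198.18.0.1", "udp", 40),       # malformed source
    Flow("198.51.100.200", "203.0.113.50", "tcp", 800),
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_FLOWS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} report={spoof_report(drop)}")
```

In practice the same check is expressed as an ingress ACL or unicast reverse-path-forwarding rule on the customer-facing interface, where the "owned" set is simply the prefix assigned to that interface; the per-destination report is the part worth feeding to a SOC, since a spike there indicates a compromised tenant participating in a reflection or flooding attack.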
Chris Day, CISO, Invincea:
“One of the recommendations by the commission is the ‘training of 100,000 hackers’. While that sounds great on paper, the devil is in the details. What kind of “hackers” are we talking about here? If the govt. could somehow train 100,000 true hackers (e.g. those that can write and evaluate source code from a security perspective) vs. 100,000 low-level compliance enforcers or patch managers then that might make a difference. The problem is no one knows how to train highly skilled “hackers” at scale. In fact, some argue that true hackers aren’t trained at all but self-develop.
Another face to the problem with this recommendation is the problem actually isn’t one that operates on a human scale. The speeds that defense must be able to identify and counter today’s threats (or yesterday’s threats, for that matter) are such that humans just can’t compete anymore. Different approaches are needed such as machine learning and predictive defense as well as much more secure systems from a design and implementation level. Where government can actually play an impactful role here is to provide real research dollars to incentivize both public and private researchers to explore solutions that can actually work in the real world and work on already deployed and fielded systems. Those are truly hard problems, both of whose solutions would dramatically alter the cyber threat equation.”
Chris Roberts, Chief Security Architect, Acalvio:
“They certainly got some of the issues right. We’ve been fighting for 20 years and what we’ve done and what we are doing is not working. I’m not saying that we’ve failed for the last two decades, however, we are always playing catch up and we are not good at reacting quickly.
The fact that they want to move the ownership of securing systems away from end users is a positive move. Working out exactly how to do that, and how to actually effect change, is going to be the key. Just saying to the manufacturers “be better stewards of data” is going to be absolutely useless.
Additionally, encouraging companies to ‘share online threats’ is about as useful as a wet paper bag. Frankly, most won’t share. Most have teams of lawyers who stop them from sharing, etc.
When nobody trusts the FBI with anything more harmful than a plastic bag, we will never win. When the CIA and the NSA won’t share things with the other Intelligence agencies, we will never win. When each agency acts as its own enclave, we will never win. Get the idea? Let’s break the walls down.”
Ajay Arora, CEO and co-founder, Vera:
“The way we've been protecting digital information for the last 20 years simply isn't working and it's imperative that President-elect Trump execute quickly in his first 100 days in office. With an immediate focus on protecting our nation's digital and network infrastructure, it's critical for the government and Silicon Valley to actively work closely on new and innovative ways to identify, protect, detect, and respond to cyber incidents affecting critical infrastructure.
When it comes to protecting digital information, people often equate cyber security with encryption. It's so much more than that. Trump must immediately focus on hiring 100,000 skilled cybersecurity practitioners that understand the need for more robust security measures and practices.”
Jamison Utter, VP of Senrio, on addressing workforce gaps:
“If we consider the disruptive changes that IoT and the globalization of commerce have made to our economy (and culture), maybe we can stop looking for workforce in all the same places. What I am saying here is that we want 8-5 in the office workforces. That’s not where people are, or want to be. Cyber security is not a suit-and-tie, 8-5 job. Let’s flex to globalized workforces (mobile, on the go) and non-traditional forces, and stop looking for your classic computer science grad (they don't make the best analysts; criminals don’t do things by the book). Let’s instead look to displaced soldiers (that might think about security differently) or former security workers, even former criminals. The influx of different thinking might help the perspective of the entire industry.”
Slavik Markovich, CEO, Demisto:
"One of the best weapons to combat cyberattacks is the sharing of threat intelligence. Government agencies and private companies alike should improve on this by leveraging an open platform for sharing IoCs, response plans, and resources like security playbooks. With the cybercrime industry exceeding $3 trillion, the bad guys do a great job of sharing - there are 800 sites to exchange code. So there is a lot of catching up to do.
With the federal government's push to centralize their cyber security efforts, it's important that all the shared services integrate and work as well as possible with one another. Having an incident response platform that does this will maximize the government's security IT investment and give them a competitive advantage over hackers. Another key factor to keep in mind is automation, as there are too many incidents (more than 10,000 / week for some agencies) for the security workforce to review. Automation lowers the number of incidents requiring expert attention and places the most complex ones as priority. This risk reduction will go a long way in hardening the government's security posture."
Nathan Wenzler, Principal Security Architect, AsTech Consulting:
“While it has been touted for many years that the public and private sectors need to do more to collaborate in all matters of cybersecurity, the Commission's report puts this need into sharp focus as one of their primary recommendations. Topping their list of Imperatives, the commission puts building a formalized joint effort between the government and private companies to enhance and improve both sectors’ ability to respond to cyber threats, be more proactive in protecting infrastructure, and to identify potential issues more quickly than either group does today.
While there are privacy concerns that must be addressed in such a collaboration, it is an important step in bridging the gaps between the separate silos of effort going on within the security programs of every individual corporation, government agency and other organization out there today. This is one of the key recommendations the Commission has put forward, and may serve as a foundation for a level of cooperation to secure and protect data and other critical systems we've not seen before.”
Joseph Carson, Head of Global Strategic Alliances, Thycotic:
“This report provides a solid foundation for the current challenges and threats we are facing. The recommendations lead us in a good direction; however, executing and implementing these are going to need a major workforce with expertise in cyber security. This raises the question: is the education system ready to deliver the skilled workforce to deliver and execute these recommendations? We are going to need a major overhaul and significant investment to achieve this. Another question for the next administration is whether this will be the highest priority, above immigration and trade, or is this going to fall behind?”
Philip Lieberman, president, Lieberman Software:
“There is an excellent lesson for the commercial sector: the core of many improvements in security requires the investment in projects to remove legacy systems that cannot be properly secured, as well as modernization of infrastructure and process improvement. For-profit organizations are loath to remove or replace working and profitable systems that are fatally insecure. The decision to do so generally leads up to the CEO and Board of Directors having the vision to forgo short-term gains to gain resiliency.
The Federal Government’s OPM breach points out the horrible cost of not modernizing and strengthening defenses. Both private and public institutions have limited resources and the best of intentions. Choosing to prioritize and fund cybersecurity is a matter of leadership and budgets.”
Kasey Cross, Director of Product Management, LightCyber:
“The directional statement from the Presidential Commission signals what might be an important breakthrough in thinking and approach to national cybersecurity. The proof will be in the eventual pudding, and it remains to be seen. The third priority of the program, ‘Effectively responding to and recovering from cybersecurity incidents when they occur,’ is an admission that today’s cold war mentality towards cybercrime is simply not working.
Motivated attackers can find a way into any given network, including the FBI and NSA. Likely this will come from compromising a user computer or account. The new challenge is to find the attacker as soon as possible to minimize or eliminate theft or damage. Prevention is still essential and may effectively defeat the vast majority of threats and attempts, but it is not possible to stop every attack. Detection requires new tools, procedures, resource allocations and strategies. The continuing belief that prevention and security hygiene alone can solve the issue is to perpetuate the lie that results in a five month average dwell time and breach after breach.”
Brett McDowell, executive director, FIDO Alliance:
“As the Commission’s report makes clear, improving the reliability of online identity infrastructure is an essential component of improving cybersecurity, and starts with moving beyond passwords to innovative technologies like FIDO authentication. Through continued partnership between industry and government – and by following the Commission’s recommendations around identity and authentication – I am confident the new U.S. administration, with the help of global consortia like the FIDO Alliance, can make meaningful progress toward that five-year goal of eliminating identity-related data breaches.”