The U.S. needs a cold-eyed view of what’s helping and hindering cyber defenders, a report says.
U.S. efforts to improve cybersecurity across technology development, business operations and government policy should be defined by one word, according to a new report.
That word? Leverage.
Leaders in every realm of cyber defense should be asking themselves whether a new product, policy or procedure gives defenders more leverage against attackers and how much it moves the dial, according to the report from the New York Cyber Task Force, a new organization whose members hail from industry, academia and think tanks.
Innovations with the most leverage “operate on an internet-wide scale and impose the highest costs (roughly measured in both dollars and effort) on attackers with the least cost to defenders,” the report states.
Past technological innovations offering the most leverage include strong encryption, software that patches and updates automatically and software that is designed with security in mind upfront, the report authors agreed.
Top policy and operational advances include the development of national computer emergency response teams and the inclusion of cyber experts in top corporate ranks, the authors said.
Tech, business and government leaders should also ask themselves whether past innovations and policies are still providing enough leverage to prove their usefulness, task force Executive Director Jay Healey told reporters.
The report describes the typical path of a cybersecurity innovation as “from essential to albatross”: a promising innovation slowly gathers steam until it becomes essential, then grows steadily less useful as attackers figure out ways to work around it.
“Passwords followed this curve where they were amazing and then they were not good and we’ve been saying for years they were dead,” said Healey, a Columbia University senior research scholar who previously worked in government and led the Atlantic Council think tank’s Cyber Statecraft Initiative.
Because many people reuse the same or similar passwords across numerous sites, hackers can often take the credentials exposed in one data breach and use them to log in to accounts on other sites, a technique known as credential stuffing.
In the case of passwords, Healey said, industry is in the process of turning the albatross back into an asset by requiring a second factor to authenticate a user, such as a one-time code or a biometric indicator such as a fingerprint.
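The following is an added example, not code from the report or the article, showing why a second factor restores leverage: a login that requires both a salted password hash and a time-based one-time code (TOTP, RFC 6238, the standard algorithm behind authenticator apps). The user record, salt and password are constructed for illustration, and the TOTP seed is the RFC 6238 test-vector secret rather than a real one. With it, a password lifted from another site's breach fails on its own.

```python
import hashlib
import hmac
import struct
from typing import Optional

# --- Second factor: HOTP (RFC 4226) and TOTP (RFC 6238), the "one-time code"
# the text refers to. These are the standard algorithms, implemented directly.

def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """Time-based variant: the counter is the number of `step`-second windows elapsed."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current window or its +/- `window` neighbours to tolerate clock skew.
    compare_digest keeps the comparison constant-time."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * step, step), code):
            return True
    return False


# --- Constructed user record (not real data) --------------------------------
SALT = b"example-salt-0001"            # assumption: a per-user random salt in practice
TOTP_SEED = b"12345678901234567890"    # RFC 6238 test-vector secret, not a real seed


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    """Salted, iterated hash so a leaked database does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {"pw_hash": hash_password("Summer2017!"), "totp_seed": TOTP_SEED},
}


def login(username: str, password: str, code: Optional[str], now: int) -> str:
    """Both factors must pass. A password recovered from some other site's breach
    (the reuse problem in the text) is not enough on its own."""
    user = USERS.get(username)
    if user is None:
        return "denied: unknown user"
    if not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return "denied: bad password"
    if code is None or not verify_totp(user["totp_seed"], code, now):
        return "denied: second factor required"
    return "ok"


if __name__ == "__main__":
    now = 1111111109  # fixed clock (an RFC 6238 test-vector timestamp) for reproducibility
    # Attacker replaying alice's reused password without her device
    print(login("alice", "Summer2017!", None, now))
    # Alice herself, with the code her authenticator app would show
    print(login("alice", "Summer2017!", totp(TOTP_SEED, now), now))
```

The one-window skew allowance is the usual trade-off between usability and replay exposure; a production system would also rate-limit code attempts and reject a code that has already been used in its window.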
In other cases, cyber protections intended to improve security are actually albatrosses right off the bat when viewed through the leverage prism, the report argues.
Export controls on software that might be used for hacking or surveillance, adopted under the Wassenaar Arrangement, a multilateral export-control regime, for example, “generate ‘negative leverage,’ imposing high costs on defenders and placing only minor obstacles in the way of attackers,” the report states.
State data breach notification laws might soon fail the leverage test, the report states, because breaches are so common that, for companies, “disclosure is often seen as just another cost of business.”
The report’s authors hope its New York origin suggests a “third way” between the Washington cyber consensus, which tends to focus extensively on cyber threats, and Silicon Valley, which tends to de-emphasize security in favor of the promise of technology.
“New York has a unique voice of having to balance risk and rewards,” Healey said.