The trends are clear: cyber threats to individuals, organizations and institutions are increasing in number and the damage they can do is serious and growing. Nonetheless, the prospect for meaningful legislative action to shore up network defenses remains slim, at least in the near term. Despite lawmakers’ lack of progress, however, there is plenty that agencies, companies and individuals can do to address the challenge. I recommend three immediate steps:
1. Implement a comprehensive national education campaign.
Many cyber intrusions are easily preventable. According to government sources, roughly 80 percent of exploitable vulnerabilities that contribute to cyber attacks are the direct result of poor or no cyber hygiene. If network administrators were more attentive to timely patch management, proper configuration policies, routine password management and effective network monitoring, many compromises could be prevented or the impact diminished. A comprehensive and sustained national education and awareness effort that arms people and businesses with information about how to more easily and effectively protect themselves could help alleviate many immediate threats.
In addition, we should leverage what we have learned from past cyber events that were successful, unsuccessful, interrupted or disrupted. We should examine the tactics, techniques and procedures that were used by the bad guys and conduct the attendant analysis to identify protective measures that, had they been in place, could have prevented a breach or reduced its impact. Juniper is working with industry partners across the critical infrastructure community, in collaboration with the Department of Homeland Security, Federal Bureau of Investigation and National Security Agency, to conduct a webinar series to provide this type of information to CIOs, CISOs, CSOs and others in the incident response realm to raise the level of education and awareness to better inform risk management actions and investment decisions.
2. Create a National Weather Service for cybersecurity.
We should take immediate steps to implement a true joint, integrated, public-private operational capability by leveraging information sharing, analysis, and collaboration to improve detection, prevention, mitigation and response to cyber events that may have national or global consequences. By creating the equivalent of a National Weather Service for cybersecurity, we will improve our ability to identify patterns and trends of abnormal and malicious network behavior in order to issue alerts or warnings and even recommend protective measures to improve our capability around detection, prevention, and mitigation. The building blocks are in place, the knowledge and expertise is available, and we now need to take the steps to mature the capability.
3. Update of the legal framework underpinning cybersecurity.
Many of the impediments to building trust and effective collaboration between government and industry can be traced to the current legal framework that governs cybersecurity and privacy. A range of laws relevant to information sharing and other elements of engaging a truly collaborative public-private partnership were written and passed when we lived in a largely analog world. We need to compile an inventory of relevant statutes and conduct a comprehensive examination to determine what revisions and updates are necessary to reflect the needs of a digital world. Some think tanks and academic entities have looked at pieces, but a comprehensive review to identify conflicts, contradictions and interdependencies would produce a roadmap for important legislative action.
These are pragmatic and necessary steps we can take now to address this growing and evolving challenge while Congress mulls its next steps. It’s vital that we improve cybersecurity and critical infrastructure protection in a manner that protects private sector investments in research and development, which will fuel the innovation needed to help us meet this challenge. Equally vital is avoiding static, costly and ineffective new or expanded regulation.
So if you’re wondering when the right time is to take action, the time is now.
Robert Dix is vice president for global government affairs and public policy at Juniper.