By The #CyberAvengers
Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma, and Christophe Veltsos
Originally Published on Brink on July 11th, 2017
This past month, cybersecurity legislation called the Promoting Good Cyber Hygiene Act of 2017 was introduced. It would mandate that the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) establish baseline best practices for good cyber hygiene, authentication and cooperation.
Specifically, the legislation states that the list of best practices established “shall be published in a clear and concise format and made available prominently on the public websites of the Federal Trade Commission and the Small Business Administration.” It also recommends including “other standard cybersecurity measures to achieve trusted security in the infrastructure.”
The introduction of this legislation is timely and follows an expanding trend of public–private cooperation. In February of 2013, Presidential Policy Directive-21 was issued to provide an approach to developing standards and enhancing information sharing with critical infrastructure owners and operators. The executive order was aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public–private cyber ecosystem.
Subsequently, the National Cybersecurity Protection Act of 2014 became law to help provide a roadmap for the roles of DHS and stakeholders. The law authorized the National Cybersecurity and Communications Integration Center’s current activities to share cybersecurity information and analysis with the private sector, provide incident response and technical assistance to companies and federal agencies, and recommend security measures to enhance cybersecurity.
Collaboration is Key
Certainly, information collaboration is a key component of any successful cybersecurity initiative, and the relationship between industry and government is no exception. Recently, DHS, in cooperation with NIST, developed guidelines for information sharing among several industry sectors with government. The benefits are evident. Information sharing allows both government and industry to keep abreast of the latest viruses, malware, phishing threats, and especially denial of service attacks. Information sharing also establishes working protocols for resilience and forensics, which are critical for the success of commerce and enforcement against cybercrimes.
Because of privacy and intellectual property issues, the private sector appeared reluctant to share established protocols, data and lessons learned with other industry players and government. Both government and commerce are now prioritizing critical infrastructure as the primary focus of threat and response. There is a growing understanding of the seriousness and sophistication of the threats from adversarial actors that include states, organized crime, and loosely affiliated hackers. This budding government–industry relationship still needs to be expanded and enhanced, especially in regard to critical infrastructure, 85 percent of which is owned and operated by the private sector.
A closer partnership between governments and the private sector could help produce tactical and long-term strategic cybersecurity solutions more quickly. Cooperative research and development in new technologies such as hardware, software algorithms and operational processes is needed just to keep up with the evolving global threat matrix. There are no areas on the cybersecurity spectrum that do not need more investment and modernization to help fill capability gaps. The Science and Technology Directorate at DHS operates several programs and projects facilitating public–private cooperation in R&D, tech prototyping, and commercialization. These programs and projects need to be expanded and provided with more funding resources.
Keeping up with cybersecurity threats is often daunting. There is a wide variety of architectures, systems, and jurisdictions, and adapting and scaling to upgrade to new security technologies and processes is a significant challenge. The Internet of Things (IoT), which relies on the interoperability of a plethora of devices, platforms, and protocols, is a good example of the complexities involved.