Ed Amoroso, the former chief security officer of AT&T, once wrote a blog post grading previous administrations in Washington on cybersecurity. They all rated badly. That included the recent Obama administration, which Amoroso said got “too wrapped up in privacy.”
He gave the Obama administration a simple recommendation on cybersecurity: focus on a couple of things and get those right, and we’ll all be better off. It didn’t happen, but Amoroso has continued to beat that drum.
Before Donald Trump came into office, Amoroso published an open letter recommending that Trump focus on a few simple initiatives in cybersecurity. Although the Trump administration adopted some of those recommendations in its executive order on cybersecurity, Amoroso was not impressed with Trump’s approach.
“The executive order was terrible,” said Amoroso at the 2017 Borderless Cyber conference in New York. “It’s this amazing jumble of page after page after page of requesting reports… Who the hell is reading all those, and who’s writing them? … A thousand reports are just going to confuse us all.”
What Amoroso thinks the Trump administration needs to do instead is to focus on three big initiatives:
1. Make NIST the government’s only security framework: While the Trump administration cited NIST standards in the executive order, Amoroso wants it to go a step further and make NIST the government’s only cybersecurity compliance standard, so that competing standards no longer waste the valuable time and effort of cybersecurity professionals in the federal government.
2. Move to the cloud and stop focusing on perimeter security: “Your perimeter is police tape,” said Amoroso. “It keeps nice people out. Bad people just lift the police tape.” The federal government needs to stop thinking of security in terms of the perimeter and embrace micro-segmentation, especially by using the cloud. That way the target is harder to hit: attackers have to take out 10 different things instead of one.
3. Spin up a Cyber Corps to recruit young people into cybersecurity: Recalling the enthusiasm of the Peace Corps created by President Kennedy in the 1960s, Amoroso recommended creating a Cyber Corps to attract and train young people to help fill the gap of one million unfilled cybersecurity jobs.
On the subject of perimeter security, Amoroso also surprised the audience by saying that Hillary Clinton’s infamous email server is an example of why micro-segmentation is a big part of the solution to the US cybersecurity problem.
He asked the audience whether they had wondered why the Russian hackers who targeted the 2016 US presidential election didn’t attack Clinton’s private server and leak its contents.
“The Russians didn’t get it because it wasn’t in the perimeter,” Amoroso said. “They inadvertently kept it out of the Russians’ hands.”
Without being alarmist, Amoroso noted that time is running out for the US to get this right. The Russians, the Chinese, and others are doing whatever they want in our networks.
“Our critical infrastructure is fundamentally vulnerable,” he said.
The result is that many of our water, power, utilities, and other key industries are being actively targeted by nation states.
“CISOs now have to do civil defense,” he said. “You weren’t hired to do that. You’re not funded to do that.”
As a result, the US should consider designating these sites as critical infrastructure and working more closely with them on cyber defense, since they involve public safety. The challenge, of course, is that doing so could make them bigger targets, so, he admitted, it’s a complicated issue.
In the meantime, Amoroso encouraged the security professionals in the audience to pick a few strategic initiatives, and to stay focused on making good decisions.
Amoroso said, “When you make bad security decisions, the consequences could come tomorrow or in 20 years, but they’re coming.”