More regulations are needed to ensure that software and hardware creators make their products as safe as possible before going to market.
On May 11, 111 days after taking office, President Donald Trump signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. At a time when data breaches make the headlines on a weekly basis, Trump announced that the executive branch would take charge of protecting America’s critical IT systems. Cybersecurity for the nation and, specifically, work force development are the primary goals of the order.
For many cybersecurity analysts, including Paul Vixie, internet pioneer and CEO of Farsight Security, the order is a stride in the right direction. Vixie testified before the U.S. Senate Judiciary Subcommittee on Crime and Terrorism for a 2014 hearing on taking down botnets.
In a conversation with Third Certainty, Vixie says he thinks the executive order is good, all things considered. The order is similar to those of the Clinton, Bush and Obama administrations, and is a positive move. If the goals can be met, the level of cybersecurity in the nation will be elevated.
Improving cybersecurity in the workplace and aligning manufacturers’ goals with the public’s goals will be crucial to the ongoing security of the country. But Vixie says the 60- to 90-day timeframe mandated by the executive order to turn around the required assessments is too short and unrealistic.
Trump’s order describes the goals to strengthen work force cybersecurity, but Vixie says meeting those goals will take years, not weeks.
There is a huge shortage of IT professionals with the necessary cybersecurity skills and experience. The Information Systems Security Association (ISSA), a community of cybersecurity professionals, estimates that over a quarter-million positions are unfilled. ISSA predicts the shortage will grow to 1.5 million jobs by 2019.
To compound the problem, Vixie says certifications alone are not enough. Often too much emphasis is placed on gaining credentials and not enough on real-life experience. “Only time gives people the experience, perspective and judgment they need to do the job well,” Vixie says.
Building a better work force isn’t the only issue Vixie thinks the government should address further. Ransomware and cyber attacks will only increase as the number of connected devices multiplies. Stronger regulations are needed to protect against the dangers of botnets and devices enabled by the Internet of Things. And there is an urgent need to boost the security of software and products.
The WannaCry outbreak in May is evidence. The malware infected systems that weren’t patched. Though IT professionals know how to patch, they don’t practice what they know. Vixie says that’s because too many have theoretical backgrounds but not practical ones.
Increased regulation is needed in the cybersecurity industry. Currently, device manufacturers have no incentive to test and assess device vulnerabilities. When getting to market is the only goal, manufacturers are willing to forgo as much as possible to gain market share. Buyout or bankruptcy seem to be the only long-term outcomes of a safety-first attitude.
Regulations can level the playing field and are key to requiring device makers to protect the public against botnets and IoT devices. If the government were to introduce a policy of minimum safety standards, device makers would be forced to align their values to those of the public. Theoretically, such a policy would be easy to enforce. The U.S. government is the largest producer of IT technology in the nation, possibly the world. If it raises the standards, the market will improve dramatically. Vendors that don’t meet the new standards will find they no longer have a market and will quickly go out of business.
In an ideal world, Vixie says, everyone would work on the principle of least privilege, which is the practice of limiting access to the minimal level that still allows normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights they can have and still do their jobs. The concept isn’t new, but it is hard to enforce.
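The paragraph above describes least privilege as a principle and notes that it is hard to enforce. The following is an added example, not code from the article or from Farsight Security, showing the two mechanical pieces that make the principle enforceable: an audit that compares what each account holds against the minimal set its job needs (reporting both excess rights and missing ones), and an authorization check that only honours rights on that minimal list. The job names, permission strings and accounts are constructed sample data; the wildcard handling mirrors the `*` syntax common in IAM policy languages and is an assumption of this example.

```python
from fnmatch import fnmatch

# Constructed sample data (hypothetical): the permissions each job actually needs.
REQUIRED_BY_JOB = {
    "helpdesk": {"reset_password", "read_user_directory"},
    "dba": {"db.read", "db.write", "db.backup"},
    "auditor": {"read_logs", "read_user_directory"},
}

# Constructed sample data (hypothetical): what each account currently holds.
# Grants may use "*" wildcards, as many IAM policy languages allow.
ACCOUNTS = {
    "alice": {"job": "helpdesk",
              "granted": {"reset_password", "read_user_directory", "db.write", "admin.*"}},
    "bob": {"job": "dba", "granted": {"db.*"}},
    "carol": {"job": "auditor", "granted": {"read_logs"}},
}


def covers(grant: str, permission: str) -> bool:
    """True if a (possibly wildcarded) grant lets its holder perform `permission`."""
    return fnmatch(permission, grant)


def excess_privileges(granted: set[str], required: set[str]) -> set[str]:
    """Grants the job does not list verbatim. A wildcard grant counts as excess
    even when it covers required permissions, because it also covers permissions
    nobody asked for (db.* reaches db.drop)."""
    return {g for g in granted if g not in required}


def missing_privileges(granted: set[str], required: set[str]) -> set[str]:
    """Required permissions no current grant covers; the account cannot do its job."""
    return {r for r in required if not any(covers(g, r) for g in granted)}


def audit(accounts=ACCOUNTS, required_by_job=REQUIRED_BY_JOB) -> dict[str, dict[str, set[str]]]:
    """Compare every account against its job's minimal set and report the drift."""
    report = {}
    for name, acct in accounts.items():
        required = required_by_job[acct["job"]]
        report[name] = {
            "excess": excess_privileges(acct["granted"], required),
            "missing": missing_privileges(acct["granted"], required),
        }
    return report


def authorize(account: str, action: str,
              accounts=ACCOUNTS, required_by_job=REQUIRED_BY_JOB) -> bool:
    """Least-privilege decision: an action passes only if the account holds a grant
    covering it AND the action is on the job's required list. Over-broad grants
    therefore buy nothing at decision time."""
    acct = accounts.get(account)
    if acct is None:
        return False
    required = required_by_job[acct["job"]]
    return action in required and any(covers(g, action) for g in acct["granted"])


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name}: excess={sorted(findings['excess'])} "
              f"missing={sorted(findings['missing'])}")
```

Run as a script, the audit flags alice's unrelated `db.write` and `admin.*` grants, flags bob's `db.*` wildcard as broader than his three required database rights, and flags carol as unable to do her job because `read_user_directory` was never granted. The `authorize` function shows the enforcement half: a request is answered from the intersection of "granted" and "required", so tightening the required list for a job immediately tightens what its holders can do, without waiting for every stale grant to be cleaned up.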