September 22, 2014

Businesses Should Strive to be Cyber-Resilient


What does it mean to be cyber-resilient – for businesses and governmental organizations? Cyber-resilience, Admiral Mike Rogers explained, “is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.” Admiral Rogers is the new director of the National Security Agency and the commander of U.S. Cyber Command.


This idea of cyber-resilience was a key theme at the fifth annual Billington Cybersecurity Summit, for which Admiral Rogers gave the keynote, in Washington D.C. last week. The event was primarily geared toward the U.S. government and U.S. business, but its central message is one that all businesses and all governments should heed: Defense should not be viewed as a process of 100 percent network protection. As they say, there are two types of companies out there: those that are owned and know it and those that are owned but don’t realize it yet.

There is no question that the security issues we all face are many. Critical infrastructure security is a mess; our government and corporate networks are, or will soon be, compromised; and we’re all – governments, businesses and people – wading through the muck together.

Security is hard, as President Obama’s special assistant and White House Cybersecurity Coordinator, Michael Daniel, pointed out at the event, but it is becoming incredibly clear that the opinions of influential people are coalescing around similar approaches to addressing cybersecurity. And this is very good news, because an imperfect but unified plan is better than no plan at all.

It seems that a big part of the movement to reform cybersecurity, which is being led in large part by Rogers and Daniel and people like them here in the U.S. and abroad, has to do with this idea of resilience and how to achieve cyber-resilience by working together, sharing information, and establishing partnerships. Organizations, government and private alike, need to ensure they can simultaneously remain operational and remedy threats, even when an attack is ongoing. What this means is forever stepping away from the all-too-common practice of shutting the network down in the face of an attack. The military, Rogers explained, does not cease operations when it is attacked. It merely multi-tasks.

But how do you achieve cyber-resiliency? Well, according to any number of speakers at the Billington event, information sharing and crowd-sourcing – where we all share the responsibility for securing the Internet together – are necessary steps. In order to be resilient, organizations need to have a plan. One organization is dealing with attacks today that another will deal with tomorrow. If the first organization would only tell the second about how to deal with that attack, the second organization would be better equipped to devise a strong defense plan.

The president has tasked Daniel with facilitating information sharing. He presented an interesting paradox at the event: why is network and Internet security so hard when the threats we face are so well known and seemingly simple?

Indeed, we all think about this every day. The primary threats online are known bugs that have either been patched already or, for reasons that remain unclear, just aren’t getting patched. Someone, either a vendor choosing not to patch or a user choosing not to update, is quite clearly making a bad security decision. In addition to that, passwords are still an enormous weakness. It’s 2014; there are self-driving cars and computers in our pockets and we’re still using passwords.

Daniel cautioned that if these were easy problems to solve, which I think we all agree they seem on the surface to be, then they would already be solved. The reality is that these are hard problems. The president’s National Strategy for Trusted Identities in Cyberspace (NSTIC) has a number of strong leads toward replacing the password. In addition to securing the Internet, NSTIC could potentially drive new business as people begin putting data and services online that they are unwilling to put online under the current conditions.

As for the problem of known bugs not getting fixed or updates not getting installed, Daniel believes these are issues of economics and psychology. He claims we don’t properly understand the incentive structure behind cybersecurity, which is why we need to step away from speaking about cyber-stuff using words that only the engineers understand. We need to talk about security in terms that the executives and board members and the regular, everyday people can understand and stand behind.


This last point is key. It’s a very large part of what we do here at Kaspersky Lab, because if ordinary people are better prepared to protect themselves, then everyone is more secure as a result.

Our very own Adam Firestone, president and general manager of Kaspersky Government Security Solutions, spoke at the event as well.

“Part of the problem we all face, everyone in this room, everyone at this conference, is that we live in a world where we have inherited an insecure internet,” Firestone said in a panel discussion. “We live in a world where we have inherited insecure operating systems. And we ask, how do we fix this?”

In a podcast conversation with Firestone, which we will post Wednesday, he noted we are in a unique position at the moment. It is almost universally accepted that the security of critical infrastructure systems is woeful. The silver lining is that many of these systems, which were built 20 or even 30 years ago, are at a point where now they must be replaced. What this means is that we can do security right. You can’t add security after the fact. You have to build security in from the ground up, and we’re going to get the opportunity to do just that as we replace all these legacy systems.

Firestone says that we must accept the fact that we are in a state of transition architecturally. We prioritized usability over security when we built the infrastructure the first time. It’s time now that we have the technology to rebuild critical infrastructure with an eye toward security.

“It’s time to start looking at this as a build it from the ground up structure. Bandaids do not work,” he warned.