When it comes to recent cybersecurity talks, the prevalent theme seemed to be, “We know we need to do something, but what?”
The recurring questions are: Where do we start, and how fast do we need to react to stop cyberattacks? What’s become quite clear is that if we are to secure our digital world, we need to do it with technologies that run as fast as the networks and applications in which they operate — in milliseconds.
Repeated time and again in recent discussions is the need for proactive defensive measures in cybersecurity — and how quickly they must react to stop today’s hacker. Even the language in the new cybersecurity bill seems to fall short of true cybersecurity protection, as it is based more on the sharing of information to assist in the detection of and recovery from a cyberattack than on a proactive cybersecurity solution that would stop the attack.
The way the public sector reacts to a cyberattack is much different from how the private sector reacts. When the public sector responds to an attack, officials immediately disclose the attack in order to obtain additional funds to fix it. In the private sector, however, officials don’t want to disclose the attack because the company will take a stock hit — which would reduce revenue sources that could be used to fix the problem.
The public sector typically looks at problems after they’ve occurred and then tries to get funding to analyze the size of the problem and how to control it. The private sector tries to immediately address the problem, running it through a risk management process to evaluate how expensive it is and how much it will cost to fix.
Even private-sector technology providers’ loyalties differ from those of their counterparts in the public sector. This was clear when 22 of the largest tech companies came out firmly against the controversial Cybersecurity Information Sharing Act (CISA) over their customers’ privacy concerns. In that light, the passage of the recent cybersecurity bill by the U.S. Senate explains clearly why there is so much opposition between the two sectors: They haven’t been on the same page from the start, because they serve different customers and operate their organizations very differently. We spend a lot of time and money on cybersecurity only to be left with technologies that potentially deter attacks or merely document, after the fact, when and how an attack occurred.
Keith Alexander, a retired U.S. Army general and founder and CEO of IronNet Cybersecurity, made two straightforward comments about cybersecurity in a keynote address at the University of South Florida Cybersecurity Center Annual Conference earlier this year: “Our current cybersecurity technologies don’t work,” he said, and, “we need to focus on proactive defensive cybersecurity technologies.”
Although Alexander called CISA “a good start,” the bill is now in its fifth year of trying to win approval. It will then take years of public/private breach information-sharing before any improvement against cyberattacks would be realized. Many are saying that passing this cybersecurity bill has taken so long that the approaches to addressing cyberattacks suggested in the bill are now obsolete.
In an article focusing on cybersecurity insurance, Scott L. Vernick, a partner at Fox Rothschild LLP in Philadelphia, called cyber legislation a good first step, but “we shouldn’t get carried away” about what it can and cannot accomplish, given that cyber attackers “are changing what they’re doing in milliseconds.”
The private sector’s response to leading-edge cybersecurity technologies is not much better. Combine private-sector technology purchasing cycles with product lifecycle time frames, and it’s nearly guaranteed that the “security” in cybersecurity will always be behind the curve. Both the public and private sectors are at fault here; they are more the reason for the lack of defensive cybersecurity technologies than part of the solution.
So where is the disconnect in truly understanding how to achieve superior cybersecurity solutions and rapidly offer leading-edge services that work?