International Trade Today is a service of Warren Communications News.
‘Watching Home Field’

Government Must Shift Its Approach to Cyber Defense, Some Cybersecurity Experts Say

While the government focuses heavily on finding a solution to toughen protections against adversaries in cyberspace, there are key issues in cyber defense that need to be a bigger part of the dialogue, said technology security experts and analysts in interviews. The threat from adversaries backed by some nation states, and the move away from a strictly “perimeter defense” model, should inform the path to a solution, they said. The gaps in understanding how to truly defend networks exist because it’s still a comparatively new issue, said Larry Clinton, Internet Security Alliance president. “You have the problem that the cybersecurity issue is rapidly evolving,” he said. Because of the shift in the nature of cyber attacks, the government and private sector “must alter how we think about cyber attacks.”

“The entire notion of perimeter defense, which has been the model for the last decade or so, is pretty outmoded,” Clinton said. Breaches aren’t always the fault of the institution that was penetrated, he said. They’re launched by well-organized, well-financed, state-supported attackers, he said: “They’re going to get into your network.” Therefore, new methods should focus on trapping bad actors once they’ve penetrated a system and “watching home field,” he said: “We have fairly little control over the bad guys, but we have more control when they’re inside our system.”

If an adversary has the means and the incentive to do something, it’s very hard to stop them from doing it, said Allan Friedman, technology innovation center research director at the Brookings Institution. “Trying to prevent that is a waste of your money.” The “exfiltration” should be the ultimate goal, he said: “In any defense you want a very good understanding of what escalation of an attack looks like.” Once they've done damage at the local level, “you stop them from doing more,” he added.

The government and private sector need to find a way to measure risks, some experts said. The inability to measure risk is a major problem in cybersecurity, said Daniel Castro, senior analyst at the Information Technology and Innovation Foundation. While setting baseline security practices helps, “cybersecurity defense/offense is always about finding the weak links,” he said in an email. Creating baselines may reduce the number of weak links, “but if they are still there, the overall security risks may not decrease that much.” There should be a shift in focus to funding more research and development for security technology and risk methodology, he added. Friedman agreed that a common set of metrics is needed: “I would like to see a framework for what risks we're trying to address and who will be responsible for addressing the risks.” The government should step in and force these discussions to happen, he said.

The National Institute of Standards and Technology shapes guidelines, standards and recommendations to mitigate, prevent and recover from threats according to the needs of different sectors, said Matthew Scholl, deputy division chief for the Computer Security Division at NIST. As changes in technologies, threats or expected risk tolerances are reported by different sectors, NIST makes revisions or withdraws those guidelines and standards, he said. However, while attacks are more persistent and frequent, “they don’t seem to be too significantly more sophisticated.”

Pending legislation concerning cybersecurity and data security doesn’t go far enough, other cyber experts said. “The legislation being discussed still has the perimeter defense mentality to it,” Clinton said. One good feature about the legislation is that “no one is trying to do everything,” Friedman said. But none of it widely addresses the necessary changes, he added. Many of the bills focus on smaller changes, like data breach notification and data security requirements, Castro said. Congress should go after this low-hanging fruit, “but this will not get us the kind of strategic shift we really need.”