The state of US cybersecurity
ASU experts on Obama's defense against cyberattacks
President Obama signed two executive orders today to fight data breaches, identity theft and other cyberattacks that steal citizens’ personal information.
Here ASU experts Gail-Joon Ahn and Jamie Winterton analyze the state of U.S. cybersecurity. Ahn is a professor in the School of Computing, Informatics, and Decision Systems Engineering in the Ira A. Fulton Schools of Engineering and the director of the Center for Cybersecurity and Digital Forensics. Winterton is the director of Strategy for the Global Security Initiative.
Question: This sounds like creating two bureaucratic entities, a commission and a council. Does it really accomplish anything?
Winterton: I’m actually optimistic about both of these structures. The Commission on National Cybersecurity will bring together a diverse group — leaders from business, technology, national security, and law enforcement — to work through online security issues in the public and private spheres. Cybersecurity is an interdisciplinary problem at heart, and so that's how it must be approached. Hopefully the new Commission will encourage government and industry to collaborate in a more functional way. Government and industry haven’t had a very good relationship to this point, primarily due to their disagreements over encryption, but I hope that the Commission will work proactively and help the various parties work together.
The Federal Privacy Council is sorely needed. With the amount of deeply personal information that the government holds, and the high-level exposures of that information (OPM, and most recently FBI and DHS), it’s time to get organized and implement cybersecurity “best practices” across the board.
Q: The orders create a federal Chief Information Security Officer, a role that private sector organizations have long had in place. Is the government playing catch up?
Ahn: In this case — absolutely. It’s critical to have someone in a position who can establish the vision and guide the overall government information security strategy! It's surprising that we haven't had someone in this role until now. Given the massive infrastructure overhaul outlined in the President's plan, this person has a big job ahead of them — but also a great opportunity to make a difference.
Q: What benefit will consumers likely see, or is it a benefit they won’t see, such as fewer hacks?
Winterton: There have been so many public hacks in the last few years — all of which damage confidence in information security. I do think that, optimally, this action could result in fewer breaches, but it also could have the potential to restore faith in the government's ability to protect personal information. That will take some time, though. One immediate action I would like to see is an actionable set of standards across all government agencies that includes the basics of information security — such as encryption, two-factor authentication, and isolation of networks that contain personal information. Those are techniques that OPM didn't employ, which is why their breach was so shocking. These standards can then be extended as an example for industry to follow. Many companies follow cybersecurity practices that are much more robust than the government’s — but some don't. And shouldn't the government lead by example, given the depth of personal data that it holds?
Q: We routinely hear news reports of major retailers suffering cybersecurity breaches of thousands of customers’ information, and we don’t see consumer outrage. Have consumers grown accustomed to this and just aren’t very concerned?
Ahn: As cybersecurity breaches increase, I believe more consumer groups will address their concerns. However, revealing incidents significantly influences a business, including its revenue and reputation. Each enterprise is reluctant to share and broadcast all the details of its threat factors and incidents in depth with the public and consumers. Instead, they often emphasize how they remedied incidents. Due to such a lack of information, consumers are not aware of what kind of consequences they will eventually face in their daily digital activities. We need a more rigorous and effective awareness and education program so that businesses that handle our sensitive and critical information will do their due diligence.
Winterton: I think it’s not that customers aren’t concerned, but more that they just feel powerless. No one wants their information stolen, but many people believe it's inevitable. A person who believes that state-sponsored hackers already have full access to their personal data isn’t incentivized to use good cyber practices, like complex passwords or two-factor authentication.
Q: If this puts the government in a leadership role on cybersecurity, what is the most important first step they can take?
Winterton: The most important part should be a collaborative platform and protocol that facilitates information sharing between the private and public sectors. Since security should be a proactive arms race, such a protocol or channel is necessary to tackle national security as a team.