What keeps cybersecurity experts up at night?
Securing elections from hackers. The spread of connected devices. Nation-state attacks. The lack of cybersecurity talent.
These were some of the pressing cybersecurity challenges that keep Passcode’s group of security and privacy experts up at night.
Passcode’s Influencers Poll regularly surveys 160 high-profile experts from across government, industry, and the advocacy community. For one last poll before Passcode shuts down, we asked an open-ended question: What’s the most urgent cybersecurity or privacy challenge right now, and what’s one way to fix it?
Several Influencers were concerned about the impending explosive growth in the sheer number of devices connected to the internet. “Whether one calls them embedded systems, or the 'Internet of Things,' the combination of these little computers, poor security design, and upcoming high-speed wireless networks are a perfect storm of sorts that holds the potential to make all of our current cybersecurity concerns worse, more persistent, and of much larger scale,” says Bob Stratton, a serial security entrepreneur, investor, and consultant.
In order to combat this, Mr. Stratton says, “we as consumers, investors, and regulators all have to make clear our insistence upon products (of all kinds) that have at least some basic modicum of system integrity and resistance to compromise built in at the time of manufacture. Not every connected light bulb has to have the same security features as a desktop computer, but it is reasonable to expect that ours will only obey commands from the proper controllers and at a bare minimum, that these little devices do not provide a foothold for an attacker trying to gain access to the rest of our home and business networks.”
To that end, the No. 1 challenge for Dan Kaminsky, cofounder and chief scientist at White Ops security firm, is making secure development of products “faster, better, and most importantly, cheaper.”
“Astonishing things can be built on a solid foundation. They can also be built on quicksand, but they won't last very long,” he says. “We need to escape the false dichotomy between quickly developed crud and monoliths of perfection. It needs to be relatively easy and straightforward to build and operate secure systems. A lot of that is going to involve actually studying what developers want and need, and giving them tools that maintain and retain security as a first class feature.”
Dan Geer, chief information security officer for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the intelligence community, took a big picture approach in his answer: The most urgent issue, he says, is people’s overall dependence on technology. “The more people use something, the more it is depended upon. Because the wellspring of risk is dependence, risk is therefore proportional to adoption. We call that on which we most depend critical infrastructures. Because dependence is transitive, so is risk,” Mr. Geer says.
“That you may not yourself depend on something directly does not mean that you do not depend on it indirectly. Interdependence within society is today absolutely centered on the Internet beyond all other dependencies excepting climate, and the Internet has a time constant five orders of magnitude smaller. The complexity of our problem is therefore unacknowledged correlated risk and the unacknowledged correlated risk of cyberspace is why cyberspace is capable of black swan behavior.”
To address this, Mr. Geer says there’s no single bullet. “Bring a revolver,” he quips, advocating for “, , , ” and to “geocode the internet, just as cellphones are.”
Other experts pointed to broader privacy challenges as consumers put more and more personal information online. Jenny Durkan, global chair of the Cyber Law and Privacy Group at Quinn Emanuel law firm, points to “gross and unnecessary overcollection of personal information” as her major concern – especially because it’s not adequately protected by the companies that collect it, and consumers have “no realistic way” to control how their personal data spreads online.
To solve this problem, Ms. Durkan says, “consumers should be given an easy and clear way to opt out of data collection and still utilize new technology, and should have the right to limit, review and remove data collected about them for commercial purposes. Innovators need to build and bake better security into technology from the outset. We must end the ‘innovate, then secure’ mindset.”
Several Influencers said the biggest challenges were not necessarily the cyberthreats themselves – but people’s reaction to them. “The most urgent challenge to both cybersecurity and privacy right now is the threat of overreaction that stems from incidents that occur,” says Christian Dawson, executive director and cofounder of the Internet Infrastructure Coalition.
To prevent this, Mr. Dawson adds, “a focus on technical education is essential, to aid legislators and regulators in a sound understanding of tech issues. If they comprehend the tech environment prior to a threat, they will be less likely to over-react legislatively during one.”
Similarly, Jeffrey Carr, president and chief executive officer of Taia Global, Inc., worries about “the likelihood that we will go to war over incorrect attribution of a serious cyberattack.”
“When the leadership of both House and Senate Intelligence Committees misrepresent the facts of electoral databases being hacked, and when national policy decisions are frequently driven by privately provided intelligence data that is often unverified and unreliable, and when the private sector and the media can announce nation state attribution of a cyberattack, right or wrong without fear of blowback, then a window of opportunity exists for a malicious third party to cause two nations to escalate to a kinetic conflict when the presumed attacking state is innocent,” Mr. Carr continues. Unfortunately, Carr says there’s “no way to address it because the cyberthreat intelligence industry has no incentive to change and the US government doesn't acknowledge it as a problem.”
A few Influencers agreed that before any of these challenges can be tackled, the pipeline of people itself needs securing. “There are a reported one million or more job openings currently in the cybersecurity field, and some industries are just beginning to grow their efforts in this space,” says Jeff Massimilla, chief product cybersecurity officer for General Motors. “This gap will likely increase, making it even more difficult for companies to find qualified individuals to fill these roles.” Mr. Massimilla suggests developing more robust university curricula and programs, specialized academic support and focused efforts on job placement after graduation for students interested in the cybersecurity field.
Günter Ollmann, chief security officer at Vectra Networks, also said the shortage of appropriately trained and experienced cybersecurity staff is the biggest challenge, and offered two different ways to solve it. “There are two primary methods for incrementally addressing the shortage of experienced cybersecurity staff. Firstly, the increased deployment of machine learning and AI-based technologies that reduce the technical load on expert staff. And secondly, concerted efforts to encourage more women to join the information security field, coupled with better pay and support mechanisms for women already commencing their cybersecurity careers.”
To view the full list of Influencers, check out the masthead here.
Comments
Mike Papay, Northrop Grumman
Challenge: “Cybersecurity of the things in our life we rely on: IoT, critical infrastructure, vehicles, etc.”
Solution: “Ensure a market-based economy exists that values the security as well as the capability of the systems we buy.”
Nick Selby, Secure Ideas
Challenge: “There is still an almost total lack of training for non-federal prosecutors on cyber crime. This means almost no cybercrime cases are brought outside the federal system.”
Solution: “The DOJ and federal government must provide funding for training of District, County, and State's Attorneys on how to bring cybercrime cases. This is the only way to balance the load placed on federal authorities, and the only way to make a dent on logarithmic growth in cyber criminal activity.”
John Pescatore, SANS Institute
Challenge: “Increasing use of strong authentication – moving away from reusable passwords.”
Solution: “Require strong authentication for online tax filing.”
Christian Dawson, Internet Infrastructure Coalition
Challenge: “The most urgent challenge to both cybersecurity and privacy right now is the threat of overreaction that stems from incidents that occur.”
Solution: “A focus on technical education is essential, to aid legislators and regulators in a sound understanding of tech issues. If they comprehend the tech environment prior to a threat, they will be less likely to over-react legislatively during one.”
Daniel Castro, Information Technology and Innovation Foundation
Challenge: “There is a market failure around cybersecurity. Consumers cannot easily compare the security features of two products. This is an information asymmetry problem that government can help fix.”
Solution: “Most companies publish a privacy policy, which helps create a transparent and accountable mechanism for regulators to ensure companies are adhering to their stated policies. However, no such system exists for security practices, which has resulted in vague standards, regulation by buzzword, and information asymmetry in markets. By publishing security policies, companies would be motivated to describe the types of security measures they have in place rather than just make claims of "we take security seriously." This is a concrete step that policymakers can take to improve security practices in the private sector.”
Marc Rotenberg, Electronic Privacy Information Center
Challenge: “Growing threats to personal privacy and the increase in identity theft, data breach, and financial fraud.”
Solution: “The United States needs to establish a Data Protection Agency, like every other democratic government. There is a real risk of a cyber security policy that protects US businesses and US government agencies but leaves the personal data of Americans at risk.”
Chris Finan, Manifold Security
Challenge: “Vulnerabilities in the nation's operational technology. Many critical infrastructure industrial control systems remain at risk because some operators have not prioritized security. Americans could absolutely die as a result of an attack against one of these vulnerable systems.”
Solution: “Congress must enact legislation to ensure the operators of the most critical systems prioritize security. The public will eventually get legislation to that end that protects communities, it's only a question of whether it happens before or after a major incident.”
Abigail Slater, Internet Association
Challenge: “Keeping our nation's networks, including those of our key institutions, safe from malicious attacks. Trust is a must, and fostering trust online is a team sport. So the challenge will be restoring trust through teamwork.”
Solution: “Strong encryption is a tried and tested tool and is needed now more than ever. This is why the Internet Association supports policies that enable strong encryption online.”
Mårten Mickos, HackerOne
Challenge: “Citizens worrying that cybersecurity issues in society are in much worse shape than what any official spokesperson is ready to publicly acknowledge.”
Solution: “More transparency (in public sector and by companies) about cybersecurity threats, incidents and solutions.”
Cris Thomas a.k.a. Space Rogue, Tenable Security
Challenge: “The popular answer to this question will be 0-day, APT, IOT or international norms in cyberspace or any one of a dozen other trendy topics. But the most urgent cybersecurity challenge right now is the same as it has been for the last twenty years. Know thyself. The first thing an attacker does after they have gained access to a target network is map it out and find where the valuable information lies. In a short amount of time the attacker knows more about a network than the administrators of that network. We need to focus on the basics of network security, know your network and what is on it, that includes mobile, virtual, cloud and containers. Patch critical systems with critical vulnerabilities first. Most attackers don't waste 0-days if they don't have to, no, they search for the 100-day or even the 1000-day vulnerability that someone didn't patch. Make sure that your network is properly set up and configured, that the firewall rules are not set to any/any. Misconfiguration or underutilization of security tools is a continuous problem. Keep a tight control on user credentials, only allow the minimum access an employee needs to perform their job and restrict that access when it is no longer needed, especially when an employee leaves your organization. The failure to follow even the most basic cyber security principles such as these is the most urgent cybersecurity challenge right now.”
Solution: “The answer is not user education. Yes, user awareness training does help reduce security incidents but it won't prevent them and blaming a user for accidentally clicking on a link is not the answer. Addressing the failure of most organizations to follow even the most basic cyber security principles is a multi-pronged problem. Executives are still not taking cyber security seriously enough and are not devoting enough resources to the teams attempting to correct the problems. In some cases the security teams themselves do not understand the severity of the threat or feel they need the latest blinky light solution to save them when all they really need to do is the boring mundane work of inventorying their networks, patching their systems, checking their configurations and keeping an eye on their access credentials.”
Ely Kahn, Sqrrl
Challenge: “I think the most urgent cybersecurity challenge is the need for all organizations to fully understand the cyber risks they face, how those risks affect their mission, and what are the most cost effective ways to mitigate those risks.”
Solution: “Adoption of the NIST Cybersecurity Framework is a great start.”
Charles Brooks, Sutherland Global Services
Challenge: “Google Evangelist (and a founder of the Internet) Vint Cerf has stated that there is no such thing as privacy on the Internet. I agree, especially in regard to our future. In our evolving digital world, anything and everything is likely to be connected. The rapid proliferation of Internet of Things (IoT) devices (Cisco predicts 50 billion devices by 2020) implies that privacy is becoming quite a conundrum. I would posture that IoT is our biggest privacy challenge because it encompasses every vertical, financial, health, commercial, energy, communications, and security.”
Solution: “A way to help ensure privacy in IoT is standardize security with manufacturers, encrypt, authenticate, firewall, and practice strong cyber hygiene.”
Sascha Meinrath, X-Lab
Challenge: “Educating key decision-makers about technological realities.”
Solution: “For the past ten years, I've been a vocal advocate of the need for technological expertise to be in the room and at the table whenever legislative and legal deliberations are taking place. In much the same way that we understand the need for lawyers to be involved in key decision-making, it is as important that technological savvy be equally represented in these processes.”
Tom Cross, Drawbridge Networks
Challenge: “The most urgent cybersecurity challenge right now is the need for more skilled security professionals. Every organization that I work with is struggling to find and retain skilled people, and this challenge is slowing down their efforts to protect themselves.”
Solution: “One way to address the skills shortage is to think about how to do more with less, both in terms of helping CISOs properly prioritize the tasks that they have, and developing security tools that have lower administrative overhead and amplify the efforts of small numbers of people.”
Joel de la Garza, Box
Challenge: “User education and awareness.”
Solution: “Nationwide awareness campaigns. Similar to public safety campaigns around seat belt use or littering.”
Scott Montgomery, Intel Security
Challenge: “Trained labor is in the midst of a nasty math problem. The number of devices, the amount of data, the vectors of delivery, the variety of threats increase at a dramatic pace. The number of trained practitioners remains relatively static, as do budgets. There are still (I checked) only 24 hours in the day. Something has to give, and it's results. Time between breach and detection is higher than four years ago even with 'better' technology and more experience.”
Solution: “The overall amount of labor to achieve a solid security and privacy posture MUST be reduced. Industry needs to make more reliable, easier to use products that integrate well with competitors and other ecosystem vendors. Practitioners need to embrace automation and information sharing. Regulatory bodies should be agreeing on a smaller number of more useful standards. Organizations must begin data valuation efforts in order to stop treating all data equally and apply their meager resources where it matters most.”
Nicole Eagan, Darktrace
Challenge: “Cybersecurity has become an arms race – we have entered a new era of rapidly-evolving threats characterized by speed, sophistication, and automation. It’s no longer just about compromised websites or stolen data. Today’s threats are far more insidious, aiming to garner media attention and undermine the very integrity of our data, and the institutions who host it. Early glimpses of these ‘trust attacks’ have been seen from DNC to Yahoo. We’re even starting to see the beginnings of a new generation of cyber warfare, where attackers use machine intelligence to subtly infiltrate organizations and learn how to blend in. Legacy defenses rely too heavily on perimeter protection and rules and signatures. Yet, these approaches are no longer sufficient to combat evolving attacks, as companies struggle to stay abreast of the ‘unknown unknown’ threats and the ever present risk of insider threat. Quite simply, companies have a huge visibility problem – they cannot see what is happening beneath the surfaces of their own networks. Complete network visibility while securing networks from the inside out will be of paramount importance in the battle against advanced threat-actors.”
Solution: “Self-learning technologies using genuine machine learning will be critical to solving this problem. New ‘immune system’ technologies are capable of learning a ‘pattern of life’ for every user and device to establish a comprehensive understanding of the network as a whole. From this baseline, it can detect emerging anomalies in real-time, and even take precise action to automatically respond and neutralize the threat. It’s a brave new world, and companies need to arm themselves with a self-defending network to stay one step ahead of even the stealthiest threat-actors.”
Stewart Baker, Steptoe & Johnson
Challenge: “Nation-state hacking of banks.”
Solution: “Aggressive international sanctions on countries and groups identified as having hacked banks.”
Steve Weber, School of Information, University of California - Berkeley
Challenge: “In one word: complacency. The internet has become a very dangerous place for businesses, governments, and people -- but most of us aren't scared enough to do much different.”
Solution: “First, ban the word 'hacker' from the cybersecurity lexicon. Don't let criminals, spies, liars, and terrorists cover themselves with a label that makes them sound creative, innovative, and clever.”
Terrell McSweeny, Federal Trade Commission
Challenge: “As an FTC Commissioner, my focus is on consumer data privacy and security. At the moment, the most urgent privacy challenge facing consumers is Congressional action to eliminate broadband privacy -- a huge setback for consumer control over their sensitive data. Maintaining the FCC's current rules would make ISP practices more consistent with consumers' expectations of confidentiality. The majority's haste to lay waste to privacy protections doesn't bode well for the development of a thoughtful and comprehensive approach to consumer privacy. It also likely means we won't see comprehensive data security legislation to address one of the most urgent cybersecurity challenges: the billions of insecure IoT devices that are rapidly becoming integral parts of our daily lives.”
Matthew Eggers, US Chamber of Commerce
Challenge: “An urgent challenge is crafting a new US cybersecurity strategy that features business input.”
Solution: “America’s approach to cyber is at an inflection point. Industry is typically the first to take a cyber punch on the chin, and public policy should be adjusted accordingly. Policymakers need to engage the business community before, during, and after the strategy is written. We need to highlight international norms and deterrence. Our national deterrence deficit lies in our struggle to stymie attacks by criminal groups and foreign powers that fall into the malicious middle of the attack spectrum. This middling sweep of aggressions is bookended on the one hand by relatively minor attacks that companies are capable of blunting on their own and acts of war on the other, which could require government involvement.”
David Brumley, CyLab
Challenge: “Internet of Things device security.”
Solution: “Automating security checks. We need to move beyond manual approaches.”
Adam Segal, Council on Foreign Relations
Challenge: “Lack of meaningful deterrence.”
Jonathan Zittrain, Harvard
Challenge: “It's profoundly difficult to figure out who owns cybersecurity -- who should be responsible for ensuring it systemically. It's tempting to think that this should fall to governments, but there are many downsides to the likely centralization that would come with increased direct government roles in securing our private networks and that which connects to them.”
Solution: “There are intriguing models for resilience through continued decentralization, with puzzles to be solved on interoperability and consistency, especially as many users are understandably not prepared to be personally and continually involved in actively securing their devices and data.”
Kevin Bankston, Open Technology Institute
Challenge: “The threat of governments restricting the deployment of encryption.”
Solution: “Leverage the fact that tech moves faster than policy and speed up the development, deployment and adoption of more strong encryption tools--not only to make us all more secure but to make attempts at anti-crypto regulation even more futile than they already are.”
Eric Burger, Georgetown Center for Secure Communications
Challenge: “The combined cybersecurity/privacy challenge is the market speaks loudly: there is no cost to public companies in any meaningful financial metric post-breach. As such, rational enterprises will only invest just enough to cover the most basic cyber security issues, as there is no meaningful penalty for getting breached. One has to assume that the not insignificant investment by large enterprises in cyber security is one reason they are relatively immune to any post-breach impacts. However, it is clear that asking enterprises to increase investment in cyber security would be an irrational exercise.”
Solution: “Go beyond breach notification laws and move to restitution laws. Today the consumer suffers the economic effects of a breach. If those effects were shifted to the enterprise, the enterprise would have incentive to protect themselves better.”
Mark Weatherford, Chertoff Group
Challenge: “Developing international norms for cybersecurity behavior.”
Josh Corman, Atlantic Council
Challenge: “Healthcare is sick. Connected hospitals are prone, they are prey, and predators have finally taken notice. They are target-rich; resource-poor. The bulk of hospitals lack a single qualified security pro on staff, are porous and unsegmented, and run WindowsXP and older unsupported systems. Given how familiar and exposed they are, even unskilled adversaries could do significant damage. They claim they lack resources (true). But/and: If you can't afford to protect it, then you can't afford to connect it.”
Solution: “Well, we can't treat the patient without a solid diagnosis. The Information Sharing CISA Law of 2015 required a 1 year HHS CyberSecurity Task Force. We are nearly done with our report back to Congress (late April) and we outline some short-medium-long-term ways to get us on a path to wellness. None of these are going to be easy. I hope this catalyzes corrective actions.”
Influencers who chose to remain anonymous
Challenge: “The Internet of Everything - nearly everything connected globally, humans and things. This hyperconnectivity is and will always be the largest threat. Networks create collaboration and many positive advantages, but these massive new networks are incredibly vulnerable in so many ways it is impossible to deal with them. The only reason there haven't been more massive attacks or outages to this point is that bad actors are smart enough to keep their uncivil actions fairly small, so these interconnected networks keep running and stay alive to be exploited. From the weaponization of the social narrative we have seen in recent national elections globally to identity theft, to DDOS attacks at places like Dyn (October 2016), flashes of danger flare up occasionally. What if all of the attacks that have been stopped early on had been allowed to emerge full-bloom?”
Solution: “There is no way to address the fact that billions of people and (soon) trillions of networked things in an always-evolving and constantly growing network have vulnerabilities.”
-
Challenge: “The danger of foreign powers manipulating the data and systems of the United States and its allies.”
Solution: “Imposing stronger punitive measures on those that hack into US systems.”
-
Challenge: “End-to-end encryption by default”
Solution: “Build, support, and embrace zero-knowledge cloud services.”
-
Challenge: “Individual freedom in the age of expanding government intrusion into personal devices.”
Solution: “Devices have become so ubiquitous that people may not know the consequences of their data being copied and stored by the government for decades to come. Zero storage of data by government entities of any person who is not under indictment would be a good start.”
-
Challenge: “Cyberattacks both criminal and foreign governmental.”
Solution: “Spend far less time developing offensive capabilities in the NSA, CIA, and Cyber Command and far more effort and resources on developing a comprehensive national cyber defense capability.”
-
Challenge: “Governments understanding that honest people need security.”
Solution: “Government isn't monolithic. Most parts do, except for law enforcement, and even there it's only some of them. They need to look at how to do their jobs without changing tech.”
-
Challenge: “Securing elections in EU countries and here at home.”
-
Challenge: “Lack of focused data protection in the public/private partnership. Too much time spent on walks not protecting data and access.”
-
Challenge: “The statistical increase in destructive malware based attacks targeted not just at US businesses and institutions of all sizes as anti-American sentiment grows.”
Solution: “Machine learning and AI-based analytics applied at the network.”
-
Challenge: “Insecure infrastructure.”
Solution: “Attention and funding.”
-
Challenge: “Bad InfoSec by major companies.”
Solution: “Criminalize bad infosec.”
-
Challenge: “Securing critical infrastructure including financial, transportation, and other systems that our way of life depends on.”
Solution: “Employing friendly ‘red teams’ to attack from within like real attackers.”