Monday, December 14, 2020

Four Ways for President Biden to Fix Cyber on January 21

President-elect Biden gives a speech celebrating his victory. (Photo by Adam Schultz / Biden for President)

From a global pandemic that has shown no signs of slowing to regional instability across the world, President-elect Biden will have no shortage of issues to address. Unlike nearly all other challenges, however, Biden and his incoming national security team can make demonstrable progress in cybersecurity within hours of taking office. Too frequently, American policymakers have approached and treated “cyber issues” as a purely technical problem requiring a technical solution. Despite this presumption, many solutions to cyber issues are not technical at all and are solidly grounded in how humans use technology, rather than in the technologies themselves. The measures presented here highlight that tangible results are within reach and that the Biden administration can hit the ground running on day one.

Recognize That Cyber Is as Much a Human Issue as a Technical One

While technical at their core, cyber problems arise as a consequence of how people use technology just as much as they do from the technology itself. Potential solutions to cybersecurity challenges must seriously account for the human element and consider it with the same seriousness as technical solutions. In many high-profile cases—affecting industries from banking to health care—the root cause is not that an advanced adversary deployed a novel zero-day exploit but, rather, that someone somewhere in the affected organization either forgot a critical, but available, security action or assumed that someone else had performed it. For example, in 2019, when a Seattle woman exploited a misconfiguration in Capital One’s web application to gain unauthorized access to millions of the bank’s customer records, it was because the bank assumed its security posture was constructed correctly; it was not due to a failure in the bank’s robust risk and information security apparatus.
When the WannaCry ransomware brought the United Kingdom’s National Health Service to a standstill in May 2017, it wasn’t because WannaCry exploited a never-before-seen vulnerability in the Windows operating system; rather, it was a failure on the part of at least 80 health care facilities and 595 general practitioners’ offices to install an available patch to address the vulnerability. The problem in both cases was not the technology but, rather, compounding errors built on erroneous assumptions made by the people operating the systems, technologies and processes. These human issues derive from deadly assumptions, also known in the field of psychology as “heuristics.” These are mental shortcuts that allow an individual to make a decision, pass judgment or solve a problem quickly. Take a crosswalk, for example. People see the white logo of a pedestrian on a sign and assume that they are safe to cross the street, putting faith in the approaching cars to stop. While these shortcuts are useful in everyday situations, they do not fare as well within complex institutions or processes, as overreliance on these assumptions causes people to overlook problems and possible solutions. When people rely on assumptions, it becomes difficult to know, account for, and examine the shortcuts that their brains are making in the background. Depending on the context, the consequences could be minor, costly or crippling for an organization.

Inventory and Publicize Government Resources Devoted to the Private Sector

As one of its first services to the American people, the Biden administration should inventory all the services and resources already offered by federal agencies to create a single repository or catalogue of services, and then publicize this document as widely as possible across as many outlets as feasible.
Readers would be forgiven for assuming that a tool as straightforward as a comprehensive catalogue of the cybersecurity resources, pilots and programs run by various arms of the U.S. government has long been available to the private sector. Unfortunately, this is another of the deadly assumptions that riddle the cyber arena. Consider the perspective of a chief information security officer (CISO) at a mid-size company, for example. CISOs are tasked with a variety of obligations and duties, ranging from building and deploying a cybersecurity program to actively monitoring for threats. They need to be creative in how they use their limited resources and in how they leverage their existing personnel to maximize the effectiveness of their security. To fulfill this task, the hypothetical CISO will want to look for government resources that can help secure the company—but how will the CISO know where to turn? He or she may learn of existing government programs by chance or by browsing various agencies’ social media feeds, but that’s no guarantee that the CISO will single-handedly discover each government agency’s offerings. Whether it’s the FBI, the Secret Service, the National Security Agency’s Cybersecurity Directorate, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), or the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, numerous government departments and agencies have devoted tens of millions of dollars over the years to developing tools and programs that help the private sector and academia improve their cyber defenses. Government-run programs include efforts for participants to share information on cyber threats in real time, services such as free and persistent scanning and assessments run by dedicated teams of cybersecurity professionals, and full-time, government-sponsored forums for private and public stakeholders to meet and share best practices, among many others.
While useful, the impact of these programs falls short of their potential when interested parties have to search through the websites of multiple bureaucracies to discover them, if they are even successful. Additionally, without a centralized initiative to consolidate the agencies’ offerings, the stovepipes also ensure that agencies are not aware of potential redundancies in services and investments. Somehow, a U.S. government catalogue of federal cybersecurity resources still does not exist—four years after the networks of the Las Vegas Sands Corp. were attacked by Iran, six years after Sony was breached by North Korean hackers, and eight years after five of the nation’s largest financial institutions were attacked by an Iranian-originated distributed-denial-of-service campaign. The lack of such a catalogue highlights the glaring gap between the offerings of the government and the needs of the private sector. It also reveals the government’s own deadly assumption that both the general public and the private sector are aware of the various government agencies’ cybersecurity services. The Biden administration could take a major step forward by creating a tailored catalogue of all the government services, programs and resources available to address the private sector’s cybersecurity needs. This catalogue should be organized by critical infrastructure sectors and other institution types and sizes, such as small retail banks, medium-sized electric utilities or large public universities. It should contain the basic information making each public-facing cybersecurity program useful and accessible to the stakeholder, including the name of the program, a description of the service and its intended customer, as well as contact information for the responsible agency office. With the right leadership direction, a catalogue of services could be built extraordinarily quickly. 
Publishing and publicizing this long-overdue catalogue in the first 50 days of the Biden administration would deliver an immediate benefit to private-sector institutions. Large swaths of the private sector lack the resources to build and sustain dedicated cybersecurity teams, and private-sector institutions would be able to better match their needs with the services offered by the government. From the government’s perspective, departments and agencies would more quickly understand the needs of the private sector and be able to better prioritize cyber-related investments.

Clarify National Responsibilities for a Domestic Cyber Incident

Biden’s cyber agenda will need to prioritize improving the federal coordination and response to domestic cyber incidents. To the untrained eye, it might seem like the government has created clear lanes regarding which agencies are responsible for what actions in a crisis. In July 2016, the Obama administration took a major step forward with the release of Presidential Policy Directive 41 (PPD-41)—United States Cyber Incident Coordination. This policy document attempted to streamline the government’s response procedures—but many areas for improvement remain. Imagine that a major electric utility company in Ohio has suffered a catastrophic cyberattack, and nearly a quarter of Ohio’s more than 11 million residents are without power. While the CEO is working to bring the system safely back online, it is entirely possible that representatives from multiple departments and agencies either attempt to reach out or appear on site within hours, none of which woul