Hord Tipton, Executive Director, ISC2, led the roundtable discussion addressing federal and private issues on malware, cyberattacks, targets, and cyberintrusion.
Dr. Ron Ross, National Institute of Computer Standards and Technology, DOC: The types of attacks are capable of bringing down infrastructure, but the most debilitating attacks are the unknown attacks on intellectual property. Private sector organizations are encouraged to use the standards and guidelines to protect their missions and their customers. Current DOC standards and guidelines do keep up with technology, and are ahead of Congressional legislation.
Situational awareness and real-time surveillance have replaced static security systems. There is increased flexibility in management and technical controls. Approaching the federal system as an enterprise-wide system changes the assessment strategy and reduces vulnerability through new types of software.
Current sophistication, unlimited intercommunication, and malware make for a dangerous environment. Cyberattacks will continue no matter how much security is present.
Dr. Robert Brammer, VP for Advanced Technology, CTO, Northrop Grumman Information Technology Group: The advance of technology has enabled data piracy to a pervasive level. Working across all of the federal agencies is vital to changing to a risk-based approach. Cybersecurity must be addressed from the economic viewpoint: economic incentives for mobile and private devices have not been worked out. There is no consumer safety legislation to address privacy protections. A government policy viewpoint that does not damage the mobile device market is more of a boardroom or Sr. Executive issue, not just an IT issue.
Donald R. Proctor, Sr. VP and Chairman of Cisco Systems: Cybersecurity has left the IT sector in private companies and organizations to become a company-wide program. Obama’s 60 Day Review on Cybersecurity has some valuable insights into the organization-wide approach. The constant updating for private mobile devices requires an architectural approach rather than fortifying the endpoint. Currently cybersecurity has overlapping charters. The government track record in legislating security has been poor. Part of the problem is the challenge of picking a security system that stands the test of time and doesn’t inhibit innovation in the IT industry.
Cybersecurity comes down to “basic hygiene.” Appropriate safeguards are: knowing what is connected to your system, asset management through knowing your software, and taking recommended steps for protecting hardware. Establishing a baseline of your network security will allow you to detect anomalies in your network. Build a closed-loop network for protection, detection, and remediation.
Alan Carswell, Chair, Cybersecurity and Information Assurance Dept., U of Maryland College: Cybersecurity is not a “checkbox” exercise. Each employer and agency must think much deeper about security. Guidelines are only a starting point.
He suggests rethinking access to the internet as a right, not a privilege. The issues of kids’ privacy would change.
Michael Dent, CISCO, Fairfax County, VA DIT: Their company answers issues about serving an increasingly mobile security base. Best practices are a server-based approach that allows the user to access a server within their organization via VPN and proper credentials. Personally owned devices present a problem when accessing a cloud, shared, or security-level system.
Michael Kaiser, Executive Director NCSA: People are unaware of what their mobile devices actually do. People need to be more aware of what apps are actually doing. Currently, people don’t understand the extent of device capability.
Recent research shows that schools are not teaching cybersecurity and cyberethics/cyberbullying issues. The lack of preparation for teaching cyberethics and raising cyber-capable adults is a structural problem that brings up the question of what it means to be a citizen in the cybertechnology age.
Data breaches reflect the truth that data is the coin of the internet/cyber realm. Organizations that collect information must work to protect it. Currently, consumers are leaving e-commerce sites because they feel that the vendor is collecting more information than is necessary for the transaction.
K-12 education needs to be developed at all levels. STEM education and computer science education need to start early to inspire people to go into cybersecurity. Every business and agency does or will use the internet. 2-2.5 million people will be needed to fill cybersecurity positions.
Detective Rich Wistocki, High Tech Crimes Unit, Naperville, IL Police Dept.: Parents purchasing mobile devices for their kids don’t understand the capability of the kids to send inappropriate information and be accessed by pedophiles and bullies. Electronic responsibility is hard to teach because the parents don’t get it. They encourage parents teaching the “Thumb Generation” (they aren’t on computers but on their mobile devices). Parents must make it a norm to see everything the kid does on their devices. Kid privacy is a nonissue. If the parents pay for the device they have rights to all information. The kids have no rights to privacy on something they don’t pay for. His suggestion is a mandatory curriculum for parents to teach them they are responsible for their kids’ online life.
Internet companies should partner with law enforcement agencies so they don’t infringe on citizens’ needs to assist victims of cybercrime. Time is of the essence in many hijackings, so legal red tape disables law enforcement.
Overall: Cybersecurity is an arms race and an education issue in a world where every system is being computerized and is vulnerable. There is never a “Victory” in cybersecurity. Providing technology for protection of the federal and private systems presents ongoing issues that are a moving target as technology continues to advance, particularly in private mobile devices. IT is not the sole answer. Economic and regulatory approaches must be included. At the governmental level, the need for increased knowledge and understanding in Congress is starting to change, but the Dept. of Commerce Standards and Guidelines are more up-to-date.
Balancing privacy and security is a challenge. Parents need to be educated in their role, rights and responsibilities regarding their kids’ devices. Medical records are a huge issue. But privacy and security do not conflict. Without good security there is no privacy. Big Brother watching is the other side of everyone else watching. Everyone wants both. Finding a compatible level is the challenge.