BreachExchange mailing list archives

Time for a ‘Ralph Nader moment’


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 11 Dec 2015 18:08:27 -0700

http://www.politico.com/agenda/story/2015/12/ralph-nader-cyber-security-technology-000336

If you’re new to the world of cybersecurity, it might surprise you to learn
that the government and private industry have been trying to tackle the
problem for almost 50 years.

Despite their efforts, the problem continues unabated, and is only growing:
A 2015 study involving 252 major enterprises reports an average annualized
loss of $15 million per enterprise—up more than 80 percent over the last
six years. Other sources estimate the global cost of cyber breaches
approaches $500 billion a year. Furthermore, a survey of global CEOs
indicates that more than half now rate cybersecurity threats as having a
major influence on corporate strategy.

The commercial market for security technologies is marked by a series of
“silver bullet” offerings, each proposing to cure all problems and
strengthen the security stance of those wise enough to buy and install
them. But the level of attack and subsequent damage continue to increase.

Clearly, something needs to change. But what?

Based on thirty years in the field, both in the government and the private
sector, I’d suggest the U.S. needs what I call a “Ralph Nader moment”—a
well-orchestrated, cross-disciplinary movement that forces companies and
government to strengthen their information systems against attacks and
improve our capability to deal with the attacks that still come.

I call it a Nader moment because the closest analogue is his campaign in
the mid-1960s to improve auto safety, an effort that had languished for
close to 50 years. The car had become central to American life, but
huge—and fixable—safety gaps remained until Nader published his now-famous
“Unsafe at Any Speed,” a call to action that changed consumers, the
government and car companies.

The IT world is ripe for such a change. Over that time we’ve gained
significant insights from research and development, some of which have been
applied to good effect, even as others have gone largely ignored.

How might such an effort in the IT world take shape? It might involve legal
mandates for certain types of protections. It might also involve creation
of an agency charged with IT security—similar to the National Highway
Traffic Safety Administration, created as part of the reaction to Nader’s
efforts. In the meantime, there are several measures that would likely
serve to improve the security-worthiness of our current and future IT
systems, as well as some that would support the security management of
systems that are already in use.

How you identify yourself. Currently, huge amounts of data and valuable
devices are still protected by passwords, a fundamentally weak system. A
true wake-up call would lead to the industry broadly adopting more
sophisticated identification and authentication mechanisms, and using them
across their systems. The best example is the fingerprint scanner on the
newer versions of the iPhones, which both proves to the device that users
are in fact who they say they are, and tells the system who just logged in.
At other, critical levels of a network system, I&A techniques can also be
used to identify and authenticate devices and components to make it harder
to turn them into anonymous attack tools. This isn’t foolproof, but would
represent a significant improvement to the status quo; I’m also singling it
out because it already exists but hasn’t been well-integrated yet. Many
attackers have never bothered to move beyond simplistic password-driven
schemes to hack into systems. It’s time to close this avenue of attack.

Less patching. Better design. With cars, one kind of cost comes after an
accident, in the form of hospital bills and repair costs. Another kind
comes beforehand, with cars built to be more reliable to drive and safer
for the occupants. With cybersecurity, we spend an astonishing amount of
money patching holes and fixing the problems caused by stolen data. It
would be far wiser to apply that money and effort to designing and
developing stronger systems meant to withstand attacks without sacrificing
acceptable performance. Such security-enhancing design and development is
the focus of much of the last 50 years of security research. Though many
large (and wealthy) companies are already attempting to address these
issues, a true overhaul will come if we strengthen the requirements and
enforcement of those requirements for systems serving critical functions.

Constant improvement. One thing we’ve learned over the past decades of
security research is that even the strongest protections don’t necessarily
last. This concern is especially relevant in the realm of encryption, in
which researchers steadily discover flaws and errors in algorithms we use
to protect information. As computing power increases, some encryption
functions may become easier to defeat. So it’s key to have strong, legally
enforced processes that mandate replacing important security tools. Such
replacement might even be a part of a set of conditions for connecting to
any critical system, such as payment processing or banking.

A test lab. In too many cases, the current approach to security testing is
to field-test the system in question and simply allow the marketplace to
report issues as they arise. This keeps costs lower, but ultimately
victimizes the common user. It’s critical to do more rigorous testing of
all of these systems before putting them into production, and having an
independent test laboratory to conduct this testing might create additional
assurance that the devices are well-hardened. It may be naïve to expect all
systems to be well-tested, but as the cost and frequency of cybersecurity
incidents increase, the security-worthiness of systems may actually become
a major market advantage. Back to the automotive analogy, the market has
offered both Yugos and Volvos to drivers. It’s clear which one prevailed.

What should happen next? Simple government mandates aren’t enough;
government has already funded significant security-research initiatives,
and needs to work closely with industry to assure that the results of this
research are transferred to practice in a timely fashion.

As bureaucratic as this sounds, the automotive analogy suggests that one
key driver of the change could be insurance. Right now, cyber risk coverage
exists, but many firms are reluctant to underwrite all cybersecurity
exposures, given the nature of the risks they’re being asked to indemnify.
But the insurance business, and associated areas of industrial risk
management, have several decades of lessons learned that would likely be of
value to the cybersecurity and risk management community. And there are a
number of government measures that might encourage participation in this
modern risk environment. For instance, new rules might require appropriate
coverage for contractors; the government might also re-insure certain types
of risks, thereby allowing insurance carriers to build up required
reserves. Ultimately, government should actually require cyber insurance
coverage for certain critical industries, with a portion of premiums set
aside to fund pressing research needs.

And what, one might ask, would be the payoff for all of this? There are
many. We all want to be able to use the power of the Internet and IT
without worrying about jeopardizing corporate or personal safety. Stemming
the financial losses associated with cyber breaches would improve local and
regional, if not national economic growth. And finally, risks will always
exist—but as systems assume more control over the routine trappings of our
everyday lives, the improvement of the security of these systems will allow
us to contain those risks that jeopardize life or limb of us and those near
and dear to us.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
