On the same day that the White House announced that the cybersecurity coordinator position on the National Security Council (NSC) was eliminated, the Department of Homeland Security unveiled its new cybersecurity strategy.
The first move was designed to reduce bureaucracy, and streamline the authority and increase the efficiency of the existing NSC members. The second move is meant to provide a blueprint to fulfilling the Department’s vision to “have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.”
Some may argue the timing of these dual announcements was strange. There is certainly outcry about the NSC approach. Putting politics aside, the real message that needs to get through is that we don’t have a cross-cutting strategy that addresses the real risks that we face. It doesn’t matter how this gets done, but we are facing a critical challenge, not only from a national security perspective but from a broader societal perspective. A DHS-only approach, or even a government-only approach, is not going to cut it, for multiple reasons:
The internet of things exposes the weakest link. It is projected that by 2020, the number of connected devices will reach almost 31 billion, yet a 2016 report issued by the National Association of State CIOs demonstrated that zero states at that time had implemented any IoT policies, and there has been minimal progress since then. At the federal level, the closest we got was bipartisan legislation introduced last year. Meanwhile, the potential impact of a breach or attack continues to grow exponentially. Getting into one node can provide access to what may appear to be unrelated networks that are in fact fully connected.
Digital identity is broken. More than 9.7 billion records have been stolen since 2013, the number of synthetic identities has skyrocketed, and some banks are reporting that new account fraud makes up 50 percent of their overall fraud losses. If records and online identities are being given to people that don’t exist, how can we know who we are dealing with? Because we have neither a national ID system nor a systematic or biometric SIM card registration policy in place, there is no existing framework to rely on, which makes this problem particularly difficult to solve here in the United States.
Traditional cybersecurity approaches are not working. The DHS document references the risk of a “failure of imagination.” Yet most of our federal agencies and infrastructure facilities leverage traditional cybersecurity approaches that are focused on the endpoint, building higher electronic walls and fences, all of which have proven to be porous given the tools that fraudsters and hackers use today. Fraud today happens inside sessions that are believed to be secured via multi-factor authentication. It is imperative that the government not only mandate but also adopt techniques that look beyond static parameters (location, device, access history) and adopt dynamic approaches that assess the validity of the people behind all of our online activity.
Much of the attention paid to breaches has focused on the ability of criminals to use stolen identities to apply for credit and loans. People were told to freeze their credit, use free credit monitoring services, etc. What has not received much attention is the risk of social engineering as a result of the data being out there. With every breach, criminals not only have more identities to steal, they also have more information to refine their databases. When a fraudster calls a victim, they are therefore more believable.
Insider threats are an even bigger problem — how can we ensure that even if the right person logged in, the session hasn’t been taken over by a friendly fraudster, or that human error doesn’t expose an entire network? In fact, Computer Weekly reports that 84 percent of reported cyberattacks are due to human error, which could be something as simple as forgetting a mobile device somewhere. In a more sinister example, one source says that the Mexico bank heist revealed this week may have been made possible with inside help.
There are enough indicators to tell us that cybersecurity is a complex web (pun intended). We need a coordinated, national-level approach. We need a task force of sorts, akin to the 9/11 Commission, that involves the White House, Congressional leaders, industry leaders and experts on IoT, cybersecurity and identity, and representation from our critical infrastructure sectors. Its members must understand that we are all connected now, and that high-level, vague directives and discussions will not move the needle or help change the trajectory we are on.
Who better to lead this charge than a well-appointed White House cybersecurity coordinator?
Frances Zelazny is vice president of BioCatch, a cybersecurity company that delivers behavioral biometrics to protect users and data.