Van Hipp
Cyberattacks inflict real harm on America.
This is especially so from a national security and economic standpoint.
Following air, land, sea, and space cyberattacks are the fifth dimension of warfare.
It's the most complex national security challenge we've ever faced.
Continued cyberattacks on our nation’s critical infrastructure, as well as numerous cyberattacks on American businesses actually damage the American economy.
Annually, we lose more intellectual property on government, university, and business networks than all the intellectual property housed n the Library of Congress.
As recently as last month, multiple U.S. agencies, including the Department of Energy, were hit with a targeted cyberattack.
A Russian-based cyber-extortion gang is the likely culprit, as the result of a hack of a file-transfer program commonly used by governments and businesses.
What's particularly sad is that this attack, as well as many other recent cyberattacks, could have been avoided, if only our government complied with its own cybersecurity recommendations.
Willie Crenshaw, the former program executive of NASA’s Continuous Diagnostics and Mitigation (CDM) program, whom this writer has known personally for a number of years, told me directly, "The government has a good program in CDM.
"Agencies and departments should stay the course and implement the program holistically, and that includes the best of breed tools, governance, and management.
"By staying the course, we can decrease the attack vector to government systems."
Experts believe last weeks’ Communist Chinese hack of email accounts belonging to the U.S. State Department and our commerce secretary could have been prevented had we been in compliance with the CDM program.
The Cybersecurity Infrastructure Security Agency (CISA) "was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, which was signed into law on November 16, 2018." (Cynthia Brumfield, CSO Online: July 1, 2019).
CISA falls under the U.S. Department of Homeland Security (DHS) and is responsible for strengthening America’s cybersecurity and infrastructure across all levels of government.
It touts itself as America’s cyber defense agency and is tasked with ensuring that we have the best possible cybersecurity protections against both private and nation-state hackers.
The National Institute of Standards and Technology (NIST) has been around for over 100 years and is under the U.S. Department of Commerce.
Historically, it has done a great job in coming up with standards and recommendations for the implementation of new technology.
Through its cybersecurity framework, it has come up with a number of guidelines and best practices to manage cyber-breach risks. It has published specific guides, ensuring both the U.S. government and businesses are aware of the best cyber defenses available.
As an example, in 2015 it published its "Guide to Application Whitelisting."
Many consider this to be the best defense in preventing ransomware attacks.
Most cybersecurity experts agree that NIST has been forward-thinking in coming up with proven solutions and common-sense recommendations to prevent attacks, inclusive of ransomware.
The problem is that many agencies and departments of our federal government do not comply with NIST’s recommendations.
The complexity of cyberattacks against U.S. government infrastructure and American businesses is only getting worse.
Unfortunately, if the U.S. government is not complying with its own recommendations, the real damage to our nation’s infrastructure is only going to increase.
With American businesses, the problem is even worse as many are not even aware of NIST’s recommendations.
Thus, as the intensity and frequency of cyberattacks on our businesses increases, the real damage on the American economy will likewise increase.
How many more cyberattacks against our government’s infrastructure and major business institutions will it take before we start complying with our government’s own cybersecurity recommendations?
Here's what must be done right now to stem the tide in the cyberwar and ensure our government and business community are employing the best in cyber defense:
1.) Congress should mandate that the inspector general of both DHS and Department of Commerce jointly analyze which departments and agencies are complying with NIST’s cyber recommendations and call out which ones are not. We need full transparency on this.
Results should be provided to both Congress and the administration.
2.) CISA needs to have the actual authority to ensure compliance throughout the government of NIST’s cybersecurity recommendations.
Ask CISA what additional tools it needs to ensure compliance.
3.) Mandate through presidential executive order or through congressional legislation that all state and local governments receiving federal cybersecurity grants be in compliance with NIST’s security recommendations as a condition of receiving the grant.
This will help "big time" in preventing countless ransomware attacks on local municipalities, sheriff offices, and schools.
4.) Launch a cybersecurity education campaign through the Small Business Administration (SBA) in all 50 states to educate the business community on practical cybersecurity recommendations to prevent cyberattacks. The SBA should include leading business organizations, such as the American Free Enterprise Chamber of Commerce and the National Federation of Independent Business.
5.) Actively seek new solutions from American cyber experts in both business and academia. While some public-private partnerships are in place, much more can be done.
We must face the fact that we are in a full-blown cyberwar.
It affects almost every aspect of our lives — national security, healthcare, banking, education, energy, and transportation.
But — this is a full-on battle America can and must win.
The U.S. can start winning it by complying with its own advice. Now.
No comments:
Post a Comment