The annual National Cybersecurity Awareness Month in October presents the cybersecurity stakeholder community with a fresh opportunity to address basic gaps in cybersecurity protection and preparedness. The goal is to improve overall security and resilience while making the nation safer and more secure.
Much of the media and public attention in recent years has been directed towards high-profile cyber events such as the Office of Personnel Management (OPM) data breach and the Sony Pictures hack.
However, with more and more people engaging in digital activity every day, there is an increasing number of victims of cybercrime or other illicit cyber activities. While each incident may not produce headlines or social media discussion, it is time for each of us to examine how we can contribute to improving cybersecurity. We all have a role.
There was a time when many families never locked their doors and windows, believing they would not be the victim of an intruder. Today, most families not only lock their doors and windows, but many also install alarm systems, security lighting, fences, and even surveillance cameras as a means of trying to protect against an unauthorized intrusion. Similarly, many businesses invest in a wide range of protective measures including locks, security systems, and even guards in an effort to reduce the risk of theft, damage, or intrusions.
It was not too long ago that many consumers who surfed the Internet, exchanged e-mail, conducted online banking and commerce, and managed their investments worried little about criminals and other bad guys stealing their identity, compromising their credit cards and bank accounts, or hijacking their computer for distribution of spam and malware. Times have most certainly changed.
While no one wants to have their identity stolen or their bank account compromised, many folks simply do not know what to do. Providing access to information that will help users of all levels of sophistication better understand how to protect themselves in a digital world is an imperative to overall security and resilience.
As more users come online and are able to leverage digital innovation to accomplish a wide range of tasks, it is critical that users of all levels of sophistication—including home users, small and medium-sized businesses, non-profits, K-12, and higher education as well as larger enterprises—are equipped with the knowledge of cost-effective protective measures to improve their personal and professional cyber protection profile. The proliferation of mobile devices and tablets, along with the explosion of intelligent devices and the Internet of Things, punctuates this need.
Basic Cybersecurity Hygiene: The Key to Improving US Cybersecurity Posture
Actions put forth in recent years by the White House, including the Presidential Policy Directives and Executive Orders that seek to address various elements of cybersecurity preparedness, are valuable in drawing attention to and driving dialogue on these critical issues. However, the demonstrated capabilities and sophistication of cyber adversaries at times appear to outpace the ability of the United States and other countries to detect, prevent, mitigate, and respond. It is critical that we work together to close that gap—and sooner rather than later.
Accordingly, National Cybersecurity Awareness Month provides an opportunity for all of us to focus on prioritizing cybersecurity protection and preparedness every day. This is an important element of our security awareness and culture.
Shortly after President Obama assumed office, he commissioned an examination of the state of cybersecurity across the United States. In a May 2009 speech at the White House, the President released the Cyberspace Policy Review – Assuring a Trusted and Resilient Information and Communications Infrastructure, which included a series of near-term and long-term action items. Near-term action item number six called for an effort “to initiate a national public awareness and education campaign to promote cybersecurity”.
It is important to recognize that the source of many cyber intrusions often has been attributed to a failure to implement basic cybersecurity protection. Many times lost in the dialogue is recognition and acknowledgement that approximately 80 percent of exploitable vulnerabilities in cyberspace are the direct result of poor or no cyber hygiene, basic fundamental measures that will improve any user’s cyber protection profile.
The US Department of Homeland Security continues to accomplish much through its Stop.Think.Connect campaign, which aims to increase the American public’s understanding of cyber threats in an effort to empower them to be safer and more secure online. Furthermore, the National Cyber Security Alliance delivers a great deal of important information through its Stay Safe Online effort. Other countries have also implemented national efforts, such as the United Kingdom’s UK Get Safe Online.
However, there is much work that needs to be done to achieve a comprehensive and sustained national education and awareness campaign that teaches users how to better protect themselves in cyberspace and scales the effort to achieve a national impact.
Through leadership from the White House, Congress, leaders in industry, media, non-profits, and other stakeholders, as well as state, local, tribal, and territorial governments, a comprehensive, sustained, and broadly embraced effort will produce meaningful results in raising the bar of cybersecurity and thereby improving the protection, preparedness, security and resilience of our nation.
Empowering average citizens, small businesses, and cyber stakeholders everywhere with knowledge about measures that they can implement or steps that they can take to better protect themselves in cyberspace will improve overall security and resilience. Reinforcing messages such as “don’t click it if you don’t know it” will help remind users to be cautious of links and e-mail attachments from senders they do not know. Periodically changing passwords and ensuring regular computer and smartphone system updates are examples of basic hygiene measures that will make a difference. Educating users is a key ingredient to an overall national cybersecurity strategy.
From home users to small and medium-sized businesses to even larger enterprises, there are safeguards that are low-cost or even no-cost that will raise the level of cybersecurity and make the illicit activity of the bad guys more difficult and more expensive.
For example, the AFCEA International Cyber Committee prepared a two-part analytical examination of the economics of cybersecurity that points to the value of investing in basic cyber hygiene. Part one can be found here and part two can be found here.
This is in no way intended to suggest diverting attention from the important ongoing work to address the more sophisticated and dangerous cyberattacks that could imperil our nation’s critical infrastructure and our everyday way of life. However, our efforts to disrupt activities by cyber criminals, nation states, and even terrorists should not cause us to ignore the 80 percent cyber hygiene factor. If we are successful in raising the bar of cyber protection, it will make the nefarious efforts of our adversaries more difficult and more expensive.
Cybersecurity – Raising the Bar
As a nation, we are only as strong as our weakest link and, collectively, we must remain committed to educating everyone about those basic cyber protection measures that will improve their overall cyber protection profile.
In addition, it is imperative that the United States mature an operational capability in cybersecurity to deliver effective information sharing, analysis and collaboration through a joint, integrated public-private partnership that leverages and respects the various capabilities developed across those communities and engages the cyber stakeholder community, including state and local government.
Achieving an operational capability that is able to routinely gather and analyze cyber data to identify patterns and trends of unusual, abnormal, or even malicious cyber behavior in order to issue timely alerts and warnings, and even recommended protective measures, is crucial. This will lead to improved detection, prevention, mitigation, and response to cyber events that may become incidents of national or even global consequence.
Models exist that provide evidence of how an effective capability around information sharing, analysis, and collaboration can raise the bar of protection and preparedness and even save lives. Over the years, the National Weather Service has developed a capability for receiving data feeds from a wide range of sources and applying data analytics to improve the ability to predict weather events, such as hurricanes, and deliver early alerts and warnings to advise communities to board up buildings, install sand bags, and even evacuate if determined necessary. Such a capability improves protection and preparedness in communities at the local, state, regional, and national level.
Over the years, the Centers for Disease Control (CDC) has developed a capability of receiving data feeds from a wide range of sources, and applying data analytics to improve the ability to identify and predict episodes of disease that may prompt early warnings to medical professionals. Through information sharing, analysis, and collaboration, CDC is able to achieve the situational awareness necessary to make informed risk management decisions that improve protection and preparedness, and may even save lives. Let us learn from these examples. Let us build on the good work already underway.
Let us utilize advancements in technology and innovation to improve our analytic capabilities to achieve situational awareness necessary to inform cyber risk management decision making. Let us leverage existing, mature, and collaborative information sharing relationships that deliver value every day. Let us commit to a joint, integrated, public-private effort to improve cyber protection and resilience.
The American people are counting on us to get it right. Let’s get to it.