Could revamped R&D change federal cybersecurity culture?
There needs to be a overwhelming change in the way people approach cybersecurity if the U.S. is ever going to effectively deter attacks, according to current and former government officials who have helped shape cybersecurity policy.
Former National Security Agency Deputy Director Chris Inglis and Assistant Director for Cybersecurity Strategy at the White House’s Office of Science and Technology Policy Gregory Shannon spoke Wednesday at the Department of Homeland Security’s Cybersecurity R&D Showcase, highlighting how the research and development community needs to find ways to meld security and user behavior, leaving behind the current flawed operations structure.
“I would say there are some pockets of best practice, but by and large people are still depending on the wrong thing, in the wrong time, holding the wrong people accountable, hysterical about the wrong things, [and] we’ve got the wrong goals,” Inglis said. “Otherwise we have a good thing going.”
The White House recently re-issued the Federal Cybersecurity Research and Development Strategic Plan, which aims to create objectives for federal agencies that conduct or sponsor cybersecurity R&D over the next decade. The report asks for directives shaped by risk management frameworks and technology that takes user behavior into account when it’s deployed, operated and upgraded.
Shannon said the plan needs to help the country get ahead of the tradeoff between security and convenience that currently impedes good cybersecurity practices.
“The fundamental challenge is this duality, this tension between how you make things secure and how you make them less onerous for users,” Shannon said. “How do we develop systems that are sustainably secure? There’s the notion of secure by design, but you have to implement it, you have to operate it and you have to upgrade it.”
Inglis agreed “the right continuum” needs to be found to make IT systems both secure and useful.
“If you thought the opposite of security is insecurity, then as a technologist or a system designer, you’d be scratching your head about why individuals who use those systems are everyday pursuing insecurity,” he said. “That’s not what they are pursuing. They are pursuing convenience.”
One of the practices Inglis would like to change is basing security on reactive, signature-based threat logs to one that anticipates threats.
“Signature-based security solves 80 percent of the problem, but we should be studying and understanding the remaining 20 percent of anomalies before they become an issue,” he said.
Kevin Kelly, CEO of LGS Innovations, said R&D strategies are often more useful than requests for proposals because they let his team of engineers develop products based on problem statements rather than meeting a list of requirements.
“What we don’t like is an RFI or an RFP, because that assumes whoever developed the approach to solving the problem has all the answers,” Kelly told FedScoop. “What we want to hear is the problem, what can’t you do, what can’t you see, what can’t you discover fast enough. What action can you not take today that you need to take in the event of an attack.”
Inglis, who now teaches cybersecurity at the U.S. Naval Academy, said once the product is developed, the challenge turns to educating a new generation on the right way to use these tools.
“At the end of the day, if we haven’t educated an incoming generation about the nature of the world in which they will serve, then we have not have served them well with respect to giving them the tools necessary for them to make intelligent choices,” he said.
Contact the reporter on this story via email at email@example.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.