vulnerabilities are to each other, primarily when it comes to preventing the exploitation of powerful administrative accounts and detecting and limiting unauthorized access to resources and networks.
Cyber attackers tend to use the same techniques for different targets – the DNC hack was conducted in a manner similar to the State Department hack, which was similar to the hack that exposed the Department of Energy. The frustration builds when we realize that these attacks also take advantage of the known vulnerabilities. Repeatedly.
Avoiding the October Surprise: Restoring Trust
The good news is that we’re not too far down the path of insecurity to restore trust in our infrastructure and IT systems. Security can be hard, but it’s not impossible.
Infiltration does NOT have to lead to massive data breaches and October surprises – it is possible to protect information, people, and critical IT systems. This is the path we need to take to start restoring cyber trust in our most valued institutions. But it has to be a coordinated and concerted effort, not focused on politics or candidates.
Following the OPM breach last June, Federal CIO Tony Scott launched a 30-day sprint to cyber security to improve the resilience of federal networks. The sprint focused on three primary areas: patching critical vulnerabilities; tightening policies and practices for privileged users; and accelerating implementation of multi-factor authentication, especially for privileged users.
This was an excellent start – but to restore trust in our institutions, the current and future administrations need to turn the sprint into a marathon.
At this point, we know that motivated attackers will find a way onto a network – but do we have the fortitude and focus to embrace this notion and use it to establish security programs that adopt a post-breach mindset? Are we willing to see through the short-term disruptions dominating news cycles and focus on the broader insecurities that lead to the drip of sensitive information and theft of citizen data?
This new mindset isn’t just about technology; it should also be about adopting new processes, new ways of problem solving and developing products. It requires new private and public industry collaboration to help organizations overcome skills shortages by making investments in their success. It requires unprecedented levels of openness, integration, and cooperation.
These changes must start at the top. We can ask candidates what they plan to do about cyber security and argue about the answers – but we can’t get lost in the political battles that typically ensue. Any conversation about national cyber security needs to start with accepting our existing weaknesses and putting forth specific and concrete plans to address these vulnerabilities.
This is the path to restoring trust in our core institutions. 2016 feels unique in many ways, but we need to accept that cyber attacks, theft of sensitive information, and targeting of critical infrastructure are the new normal. Combatting this requires a clear understanding of what’s possible and what should be prioritized to keep citizens safe and their identities secure.