Viewpoints
Cybersecurity Challenges– Getting Proactive

 By Jim Flyzik, The Flyzik Group

I have taught a graduate class on cybersecurity at the University of Maryland, University College part-time on Saturdays for 17 years. Every year, my students complete research papers on current cyber topics so I have had a chance to follow along as cyber threats became more complex. The sophistication of the threats evolves right along with the advancement of technology.

I also watched as we reacted to cyber threats in the past with a “band-aid” approach—fixing problems after something bad happens. We have now reached a stage where significant vulnerabilities call for proactive approaches to prevent cyber attacks before they happen. Can we do this? Why is it so difficult?

Cybersecurity challenges are daunting for many reasons. First, the scope of the problem raises the question of where to put resources to begin to address the challenges? Do we begin with securing operating systems, databases, local networks, or the data itself?

What about wireless networks? What about the devices? The PC’s, notebooks, tablets, blackberries, iPhones, droids, routers, and switches to name just a few of the hundreds of smart devices that connect to our networks. Then there is the Internet! How do you secure something that has no centralized governance structure or single points of trust? Clearly, we need to start somewhere.

The National Cybersecurity Initiative addresses protection of the perimeter—defining ways to keep bad bits out and let good bits in. Internally, protecting the data requires encryption and tools for data loss protection and data masking of structured and unstructured information. Proxy data should mask real data while data is in transit. “Real” sensitive data should only exist in the secured production environment. We also need to use encryption techniques to the fullest extent to address the identity management (IdM) challenges and message authentication.

Law Enforcement plays a big role here too. Cyber attackers have the anonymity of the Internet on their side; the rules of evidence are often times complex computer logs difficult to trace and almost always difficult to understand by juries. No smoking guns, no DNA, no blood or fingerprints.

Attacks originate worldwide and these cyber laws vary widely.

Now, if technology and law enforcement challenges aren’t hard enough, consider who needs to be involved in this effort—everyone who uses a computer, a cell phone or any of the wireless network appliances in use in cyber space.

No government or industry entity can fix every vulnerability. It is the responsibility of everyone to practice good security practices when interacting in the cyber world. This means a massive awareness and education campaign as a national priority and cooperation and collaboration with international entities. Further, if we hire people of high integrity, a good deal of the internal threat is diminished. If we use physical security methods to restrict access to sensitive areas, we diminish that threat as well.

The federal government wants to hire more cybersecurity skilled employees. What are the qualifications for the job? Let’s see. They need computer skills, telecommunications skills, wireless and wireless devices skills, management skills, oral and written communications skills, and of course, cybersecurity skills. Where do we find them?

The good news is cybersecurity is now a national priority. Some great people are being called back to government service to address these tough issues. And our universities are stepping up to help train a workforce of the future to step up to the challenges. The proactive approach is underway.

Jim Flyzik is President of The Flyzik Group. He is the former CIO at the Secret Service and Treasury and served at The White House under Tom Ridge. He hosts the Federal Executive Forum on Federal News Radio and is the chair of the AFCEA 2010 Homeland Security Conference in February. Contact him at www.theflyzikgroup.com.

I admit it. I’m one of those “end users” on the frontlines of my personal and business cyber defenses.

When it comes to security, the CyberSpace Review Plan doesn’t have to spend its resources telling me. Believe me, I’m aware. You better be—especially when your email is in the Cloud.

I’ve long known and practiced the virtues of proactive cybersecurity and having multiple backups. But it didn’t prevent me from being attacked. I have one email account that has taken my provider more than 6 months to figure out the problem. And I’m still not 100% sure it’s solved.

If you are like me, here’s what you’ve got. I have a one program that provides a “Security Center” protecting my computer, files and email from viruses, spyware etc.

I have another program that scans, repairs and optimizes my PC. Plus, I have another anti-spyware program. I’m not sure whether these programs actually conflict or are complementary. In fact, I’m confused. I would ask my systems administrator, but of course, that’s me. And I don’t know the answer.

But I do know one thing: I’m practicing “cyber hygiene”. I’m cyber responsible, but still frustrated, still not sure I’m doing enough, and still wishing the whole cybersecurity process was easier and more transparent. Plus, error messages and warnings are written in “computerese”. Yikes!

So, I can’t tell you how refreshing it was to hear some leading security providers say the industry isn’t doing enough to help end users.

HP’s Sam Chun has written on security awareness. During our recent Roundtable he said, “I think we on the industry end have made it fundamentally too difficult for the end user to achieve security. I think we as an industry need to do better; it’s just too hard and too complex for the average user.”

Chun said we need to make security transparent, invisible, assured and persistent for the end user so it is just computing for them. “The industry needs to work harder to make this happen. We should not expect the user to do it effectively; so we as an industry need to help them do it.”

CSC’s Sam Visner added “for many years hardware and software manufacturers and SIs said ‘we are going to turn IT into a commodity; one that is increasingly available, increasingly useful and increasingly easy to use; so you shouldn’t worry about IT’.”

But now some are telling end users they haven’t done enough. They don’t update antivirus definitions or don’t configure their firewall right Visner explained. “Everything we told you about IT being inexpensive, easy and useful, now we have a big and difficult discipline that you—the user—have to do. That wasn’t the deal when we rolled out IT.”

Hallelujah!

I’d love to do nothing, but I’m a realist. It may become simpler, but proactive personal cybersecurity is never going away.

But I’d like every cybersecurity provider to have Chun’s and Visner’s attitude.

“If we design the system properly, we do not have to expect users to do all the maintenance; if we design it properly, users don’t have to become cyber experts; and if we “bake in” cybersecurity as an intrinsic system component, then IT becomes increasingly available and inexpensive, becomes easier to use and becomes useful to the mission,” declared Visner.

That’s the attitude I want. Bring it on.

Jeff Erlichman is managing partner of Public Sector Communications. He is the On The Frontlines editor and can be reached at jefferlichman@publicsectorcommunications.com.

Wanted: Trained Cyber Defenders

DHS is hiring 1,000 new cyber defenders. When they need training, they can get it from The Defense Cyber Investigations Training Academy. 
 

Enabling Cyber Defenders

Government relies on a wide variety of approaches and tools to keep the bad bits out and let the good bits in. Here are three examples. 
 

Cyber Implementers

As threats rise, so do the efforts of industry to provide the cyber solutions government—and the rest of us—need. More

Published In Partnership With