More than two weeks after the completion of the 30-day cybersecurity sprint, Federal CIO Tony Scott published a blog post outlining the eagerly awaited outcomes of the government-mandated assessment. According to Scott the sprint’s final results showed “significant progress” government-wide. As many of us anticipated, Scott placed a lot of emphasis on the need for privileged access, strong authentication, budget predictability and the importance of looking at cybersecurity as a strategic, national focus – not just a one-time deployment.
Scott made a brief comment on offense. Scott’s comments highlight the asymmetry of offense vs defense. It is cheaper to acquire offensive capabilities than to maintain and deploy defensive tools. But the focus here isn’t the price of the tools. It is the agility with which offense seems to leverage new capabilities. And defense continually struggles with the basics. The speed of patching known vulnerabilities is a strong indicator of that struggle.
Even when new defensive security tools increase an adversary’s cost of attack, it is a momentary advantage until the next attack tactic or offensive tool is created. For example, once an adversary learns to defeat a defensive measure, they will succeed for a long time. However, once a defender deploys a new security technology they are burdened with maintaining and managing it for an extensive period. Perhaps security architects and security buyers should evaluate the adversary’s cost when defenders deploy a new tool. If the change in the adversary’s cost is not significant while the defenders cost is disproportionately high, the tool in question should not be deployed.
In his blog, Scott also notes the importance of building strong partnerships across both government and industry to help bolster cybersecurity efforts. Increasing public-private cooperation is why the U.S. Chamber of Commerce recently formed the Cybersecurity Leadership Council. The Council is made up of diverse businesses including Splunk, Boeing, JP Morgan Chase and Blackberry. It was created to facilitate more discussion around what is missing or needed in regard to cybersecurity best practices. The Council’s members act as advocates for cybersecurity initiatives, supporting important information-sharing legislation such as the Information Sharing and Analysis Organizations (ISOAs) introduced by President Barack Obama in February.
While he didn’t say it directly, Scott’s post exposes an elephant in the room. The government’s cybersecurity policies aren’t properly aligned with the modern threat landscape. I think that most organizations, even well-meaning ones, are frequently burdened with policy for compliance and audit reasons. Unfortunately, some of those policies do very little to actually protect organizations against cyber threats. I strongly believe that cross-sector information sharing and collaboration will be a primary contributor to a more robust cybersecurity defense. Government leaders need to view cybersecurity as a continuous improvement process that requires nonstop attention and necessary funding.
While I feel Tony Scott’s blog post did not point strongly to any new vehicle of building strong partnerships in government or through technology industry, its encouraging to hear the importance of public-private partnerships in an increasingly reactive cyber world.
Myself and others have said this before and it warrants repeating: cybersecurity is not a sprint, it’s a strategic mission.
Chief Security Evangelist