What does the new US President need to do to improve online security?
President Obama calls for cyber-security collaboration
There is no escaping the big news this week: the inauguration of Barack Obama as the 44th President of the United States dominated world news for a whole day. Or, if you work for Sky News, every day for the next four days.
Aside from the pomp and circumstance of the ceremony, and the notable news headlines of the fluffed lines, U2 and Jay Z performances and the stepping down of George W Bush, one of the largest areas for the new President to tackle is that of internet security and cybercrime.
Steve Moyle, founder and CTO of Secerno, claimed that ‘what the CTO and Pentagon need to do is approach any initiative involving digital data with security as a first priority. The past year shows us the mistake of security as a last check-box item or an afterthought.’
Moyle is not alone in stating what President Obama needs to inject into the online world. The point was already made in early December, when Obama was urged to create a new White House office to protect cyberspace from hackers, thieves and foreign agents.
Then, James Lewis, a member of a Washington-based think-tank that organised a Capitol Hill commission, claimed: “Responding to a cyber attack is a tough issue. Do operators respond with law enforcement, espionage or military actions? The guidelines are really unclear. The rules designed in the 1980s are slow, and the internet is fast.” He also claimed that the President's new administration and Congress should pass new laws to allow for speedier investigations.
So what exactly does President Obama need to do to make things better? Amrit Williams, CTO of BigFix, was vocal in his welcome but precise in his demands on how ‘the United States and the world will securely and efficiently maximise the value of technology for the betterment of all’.
Williams laid out four basic requirements that, he claimed, ‘all public and private sector organisations need to implement to cope with the dynamic information security threat environment in an increasingly interconnected and complex technology landscape’.
The requirements were: real-time visibility and control into the detailed state of all computing devices; security configuration management; continuous policy compliance and enforcement; and support for mobile and intermittently connected devices.
Elsewhere he made requests for a consolidation of the efforts of Federal government organisations with information security responsibilities into a single organisation, to accommodate the interests of the private sector in communicating security incidents anonymously and enable public and private sector actors to respond quickly to fast-emerging and newly discovered threats. He also advised the development of a ‘World CERT’ organisation to expedite cross-country coordination, planning and incident response. These should all be done within the first 90 days, which should give the President plenty to dwell on.
Another figure to highlight what needs to be done was Pat Clawson, chairman and CEO of Lumension Security, who pointed back to James Lewis's report ‘Securing cyberspace for the 44th presidency’.
Maintaining that the current state of information security ‘just isn't that good right now’, Clawson claimed that ‘because there is no centralised security strategy emanating from the White House’, ‘federal agencies have lost terabytes of data in the last several years and that billions of dollars worth of intellectual property and sensitive data have been drained from the private sector through cyber attacks’.
Clawson said: “I talk to CEOs all the time, and one of my main pieces of advice is that security is not about technology. It is about business process - and that can only be driven from the top down. It's about leadership, and Obama needs to step up and start changing our processes. Personally, I believe there are three ways he can get started straight from the gate.”
These were detailed as: appoint a cyber security leader; bring private industry leaders to the table and get them working together to make a meaningful effort towards improving the security of infrastructure; and pave the path for businesses in private industry to change their security postures.
Clawson also echoed comments made by Amrit Williams about implementing tax incentives for security. Williams suggested ‘balancing tax incentives and enforcement mechanisms to move organisations from a minimal compliance culture to a do-the-right-thing culture in managing security risks and threats’, while Clawson proposed ‘instituting a tax rebate for investing in certain security projects’.
Finally, Randy Abrams, director of technical education at ESET, claimed that ‘cybercrime is a social problem’ and ‘to have made such significant progress on a social problem (racism) with such deep roots, in such a relatively short period of time really gives hope for our fight against a myriad of social problems’.
He admitted that although the fight against cybercrime will continue, it is unlikely to be eradicated. But on a positive note, Abrams said: “We have not eradicated most types of crime, and certainly there is still racism in the US and throughout the world. Can we make progress? Yes, we can!”