By John McCumber, Federal Technologist, RSA, the Security Division of EMC
Cybersecurity is a process, not a destination.
That’s an uncomfortable fact for federal leaders responsible for protecting some of the most sensitive information in the world. It would be great if there were a security standard that could be met, or a checklist of actions that could be taken, to guarantee protection from the entire spectrum of environmental and human threats, but that is simply not the reality we live in. The cyber landscape is constantly evolving, with adversaries becoming more sophisticated by the day, and our approach to protecting IT infrastructure must continue to improve to keep pace.
In recent testimony to the U.S. Senate Committee on Commerce, Science & Transportation, my colleague Art Coviello, Executive Chairman of RSA, referenced recent GAO statistics indicating that the number of cyber incidents reported by federal agencies increased by 782 percent from 2006 to 2012. That’s an astounding increase, and it illustrates the scope of our current challenge. We’ve been chasing defensive security standards and checklists for the past 35 years, hoping that some stamp of approval would make us 100 percent secure. If that approach worked, we would have solved the problem by now.
The good news is that there is significant momentum toward new ways of thinking about the cyber challenge facing our country. Earlier this year President Obama issued an executive order calling for NIST to lead the creation of a Cybersecurity Framework designed to bring industry and government together to develop best practices for managing cyber risk across our nation’s critical infrastructure. That emphasis on “managing risk,” rather than on meeting a fixed standard, validates the emerging understanding of cyber security, because that is truly the approach that needs to be taken. We need an industry-led, voluntary process focused on providing tools and best practices to help critical infrastructure leaders understand and manage risk, so they can become more proactive about assessing threats and ultimately make the best decisions on behalf of their organizations.
An industry-driven approach will help ensure that we keep pace with the development of new private sector technologies, and the voluntary nature of the framework will give companies the flexibility to develop creative approaches to securing their networks. We have to maintain an environment where security innovation is supported and encouraged, so that the best ideas bubble to the top for broad adoption. NIST has done an admirable job of leading this effort to date, hosting a series of productive workshops designed to bring the top security minds from industry and government together to share ideas and begin building a foundation of best practices.
Last week the White House upped the ante, outlining a list of incentives available to critical infrastructure companies that are willing to embrace the Cybersecurity Framework. It’s a welcome initiative, because as our society, and the IT systems that power it, become increasingly interconnected, we need all hands on deck. But as we move forward, we have to remember how critically important it is to maintain an environment where organizations have the freedom to experiment with new methods and to make their own decisions. We can’t afford a return to the past, where a set of overly complex, mandatory compliance requirements kept us all consistently one step behind the threat. It is in that environment that the cost of the cure starts to become worse than living with the disease.