Cybersecurity Action Not Reaction Needed to Avoid Disaster

To better protect the nation's critical digital infrastructure, lawmakers must enact policies to address a shortage of trained cybersecurity professionals, a panel of experts warned at a joint House subcommittee hearing on Tuesday.

Stressing the urgency of the threats, witnesses from industry and academia told members of the Committee on Science, Space and Technology's research and technology subcommittees that cybersecurity, as a profession, is hobbled by scant funding for research and development and education.

"I do not have to tell you that we are under attack in cyberspace. Those of us in the field of security have known about it for some time now, but now the problem has broadened and deepened in scope," said Frederick Chang, president and COO of the data-analytics firm 21CT.

"The field of cybersecurity is too reactive and after the fact. We wait for something bad to happen, and then we respond. We lack the fundamental scientific understanding of causes, of solutions, of countermeasures. Science uses words like 'evidence,' 'metrics,' 'repeatability,' 'predictability.' In cybersecurity, these words are not used often enough," Chang added. "Indeed, when it comes to predictability, about the only thing we can predict with a high degree of confidence is that a determined hacker will be able to compromise the target system."

Tuesday's hearing comes at the beginning of the new congressional session when lawmakers are once again working to build support for legislation to bolster defenses against digital attacks on critical infrastructure operated by the government and private sector.

Lawmakers and witnesses both expressed support for one such bill, the Cybersecurity Enhancement Act, which passed the House in 2010 but did not clear the Senate. The authors of that measure, Reps. Michael McCaul (R-Texas) and Dan Lipinski (D-Ill.), are trying again in the 113th Congress. That legislation includes provisions to establish cybersecurity grant programs, improve coordination among federal agencies and develop cybersecurity scholarships at the National Science Foundation.

Whether the Cybersecurity Enhancement Act progresses as a standalone bill or as part of a more comprehensive package, McCaul is hopeful that new cybersecurity standards, after years of debate, will become law in short order.

"I do believe this is the Congress when we will get cybersecurity legislation passed through the House, the Senate and signed by the White House," he said. "Whether it's criminal, whether it's espionage, whether it's cyberwarfare, we can't afford to wait any longer."

But in the absence of congressional action, President Obama earlier this month issued an executive order directing federal departments and agencies to develop a system for reporting cyberattacks, expanding coordination with the private sector and other measures.

That executive order, limited in scope by the bounds of presidential authority, was not designed as a substitute for cybersecurity legislation, which as a general matter enjoys strong bipartisan support.

"This challenge requires a thorough and comprehensive effort in both the public and private sectors," said Rep. Lamar Smith (R-Texas), the chairman of the full House science committee. "Private companies are increasing their investment in cybersecurity. Congress should support those efforts. Only Congress can provide the incentives and protections that would permit necessary information sharing among companies and more importantly between private companies and the federal government."

Of course, at a time of contracting agency budgets, finding new federal funding for cybersecurity research and development is a tall order. Cybersecurity, writ large, has never been a significant line item in the federal budget, amounting to just a fraction of a percentage point of government spending.

But it might be time to make cybersecurity a bigger piece of the pie, Chang suggested, particularly given the increasing reliance on digital systems across virtually every sector of the economy.

"If you think about the priorities that the nation is now placing on cybersecurity, the fact that it's something less than 1 percent seems to be a small number. It's not for me to determine what the priorities are, but that just strikes me as sort of a low number," Chang said.

The debate over cybersecurity often gives air to dire warnings and dramatic rhetoric, with officials warning of an event like a "cyber Pearl Harbor" or "cyber 9/11." Michael Barrett, the chief information security officer at PayPal, pointed out that the true extent of hacking and other criminal activity is obscured by a shortage of information about attacks, and called for the government to undertake new research aimed at illuminating the scale of the problem.

"What we have found from our years of combating cybercrime is that quantifying the full cost is difficult, if not impossible, because many incidents aren't reported," Barrett said. "Estimates of the magnitude and scope of cybercrime vary widely, making it difficult for policymakers and industry to fully understand the problem and the level of effort needed to combat it. We recommend that policymakers fund some research that helps fill some of the information gaps that currently exist as it relates to cybercrime. We believe that this research will be a critical tool in arming policymakers, law enforcement and industry against the growing threat of cybercrime."

Terry Benzel, deputy director for cyber networks and cybersecurity at the University of Southern California's Information Sciences Institute, urged a broader rethinking of the traditional approach to cybersecurity. Instead of a piecemeal focus on specific attacks and vulnerabilities, she suggested a more holistic view of the threat landscape that would ingrain security across the enterprise.

"All too often our research is narrowly focused on single topics. For example, we have many people conducting excellent research in distributed denial-of-service, worms, botnets and Internet routing, each studied individually and deeply," Benzel said.

"But believe me, our adversaries are not looking narrowly," she added. "In fact, they are looking at the combination of these different kinds of threats and vulnerabilities, as well as combining that with cyber-physical systems and social engineering. We can no longer afford to look narrowly at the hard problems."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
