Hacked Opinions is an ongoing series of Q&As with industry leaders and experts on a number of topics that impact the security community. The first set of discussions focused on disclosure and how pending regulation could impact it. Now, this second set of discussions will examine security research, security legislation, and the difficult decision of taking researchers to court.
CSO encourages everyone to take part in the Hacked Opinions series. If you would like to participate, email Steve Ragan with your answers to the questions presented in this Q&A. The deadline is October 31, 2015. In addition, feel free to suggest topics for future consideration.
What do you think is the biggest misconception lawmakers have when it comes to cybersecurity?
Rodney Joffe, SVP, Neustar (RJ): I have been talking to Senators and Representatives about cyber issues since 2008 and I can tell you that they, like the general public, have a much better understanding of the nature and complexity of the threats we are facing now than they did five, or even two, years ago.
I think some lawmakers now understand the challenges faced by industry when trying to protect against the most advanced, nation-state threats. Unfortunately, some of these attacks are unavoidable because of zero-day vulnerabilities and it is not right to blame the companies, who are truly victims.
There simply is no “silver bullet” piece of legislation that they can pass which will end all of the threats. On the other hand, this doesn’t mean that they should do nothing. Passing legislation which would provide companies with a safe harbor for information sharing, and encouraging all companies, perhaps through tax incentives or some other means, to employ basic cyber hygiene practices, would go a long way to lessening the volume of successful attacks that we have seen recently.
What advice would you give to lawmakers considering legislation that would impact security research or development?
RJ: I would advise them to create more programs to encourage young people to study computer science and engineering at every level of education. In fact, the earlier we start, the better our chances of developing a world-class workforce.
Also, I would encourage them to create and expand work/study partnerships between large local employers and area community colleges. We simply must get more young people into the pipeline to meet tomorrow’s jobs. And, more than all, we have to start teaching digital responsibility in grade school. Kids need to understand from the outset what impact their activities in cyberspace can have.
If you could add one line to existing or pending legislation, with a focus on research, hacking, or another related security topic, what would it be?
RJ: I would amend procurement laws, both military and civilian, to place a greater emphasis on security. All too often, the lowest-cost bid wins. We need to be looking for best value with a strong positive weighting for those companies willing and able to provide the highest level of security in their products, services and systems.
Now, given what you've said, why is this one line so important to you?
RJ: After the record number of hacks we have seen in the past year or two, I think it is obvious why I think all levels of government, as well as the private sector, need to focus on security. And, with more and more devices being tied into the Internet every day, the security threat will continue to expand to new industries and areas. As such, there needs to be a core focus on security practices, before any other. If it isn’t secure, we shouldn’t purchase it.
Do you think a company should resort to legal threats or intimidation to prevent a researcher from giving a talk or publishing their work? Why, or why not?
RJ: Most researchers will give a company ample time to fix a vulnerability before disclosing it.
If a researcher is presenting controversial information, most reporters and scholarly journals will seek out all points of view to ensure the topic is being covered impartially. When the disclosure happens, I think it’s appropriate to address the alleged findings and respond in a timely manner to articulate the company’s viewpoint and resolution plans.
What types of data (attack data, threat intelligence, etc.) should organizations be sharing with the government? What should the government be sharing with the rest of us?
RJ: With the proper legal protections in place, I support sharing anonymized threat data with the government and others within the private sector. Keep in mind though that threat data quickly goes “stale” so the sharing arrangements must be automated and real-time. The DIB (Defense Industrial Base) cybersecurity and information assurance program is a good example of a collaborative environment where this occurs, as are the ISACs.