If you read the news, or the trade media, it is not difficult to picture how modern society has performed in securing our world. The point is made all too frequently with lists of recent, large-scale intrusions and breaches. Offense is outpacing defense in cybersecurity. My conclusion is that we are treading water, at best, in our efforts to be secure. And while treading water is clearly preferable to drowning, it doesn’t demonstrate the kind of control that we need. I would prefer that my conclusion about the state of cybersecurity were closer to enjoying a nice sail on the winds of change.
According to a 2016 study by the Internet Association, Digital services and commerce accounts for six percent of U.S. GDP. Eighty-one percent of the US population has a social media profile in 2017. The availability of these services has improved the economy in countless ways, however very little has fundamentally changed in how we secure digital services. A user ID, password, and in some cases an additional form of proof of identify are the most common protections applied today.
It has taken the public sector a bit longer than commercial counterparts to embrace newer technologies. Funding for public sector technology is more limited than in the private sector. Governments must serve all citizens, both those with access to technology and those without. The necessity to serve both the traditional and digital citizen compels the government to maintain lower service cost. Security is one of the areas that suffer from under investment.
To pull ourselves from the threat of sinking under the surface, states must take two fundamental actions.
The availability of digital services has improved the economy in countless ways, however very little has fundamentally changed in how we secure digital services
The first action is to continue those incremental improvements that steadily reduce risks. Executives at the highest levels must understand the risks and be briefed on what is being done to improve. The executives must then set the tone for improvement. Security and business teams must measure their performance on critical controls and practice responses for the inevitable breach.
The State of Connecticut has begun the conversation about how to improve cybersecurity in a strategic manner. The Connecticut Cybersecurity Strategy, released in July 2017, outlines an approach to reducing the risks facing the state. The strategy begins the conversation on how to take incremental improvement to the entire state.
The second necessary, fundamental action to improve our security environment is to boldly rethink everything we believe to be true about how we operate in the digital age. Examples include:
• Passwords as an authentication method should be completely eliminated. They have not provided a reasonable measure of security since the closed networks of the 70’s. Perhaps we need a digital identity authority that can be used by both the public and private sector to improve our insight into who may be accessing our systems.
• States should reorganize service delivery by focusing on a digital platform that can be used to process all transactions. This digital platform must be citizen focused and secure. Governments would bring these digital services to technology disadvantaged citizens through the use of trusted and expert assisters.
• The public sector should lead the effort to bring the element of trust to the internet. Trusted machines, trusted users, trusted Internet Service Providers and trusted networks. There are segments of the internet in which it is acceptable to remain free and anonymous for those who choose to browse and lurk. That is one branch of the internet family tree. However, a fundamentally different and trusted internet is required given the need to protect the identities, health records, financial information and privacy of all digital citizens.
Action one is required to continue to stay above water. Even the most accomplished swimmer will tire after treading for extended periods of time. The public sector should heed that warning. Action two is required to bring confidence and control to the digital services upon which our citizens rely. It may still be possible to have an enjoyable “cyber sail”, but to get there, we must navigate some choppy water ahead.