The Center for Strategic and International Studies (CSIS), one of the world’s leading public policy research institutions, released its cybersecurity recommendations earlier this month for the new US Administration. The highly anticipated report from the CSIS’s Cyber Task Force comes at a major turning point in history. Within 24 hours of its release, the Office of the Director of National Intelligence issued its own report that determined that Russia intended to influence the 2016 US presidential election through its cyber activities.
The timing of these two reports offered a striking juxtaposition between the threats we face and our stymied efforts to overcome them, often of our own creation. While much attention has been paid to the political ramifications of Russia’s hacking campaign, little has been said about the inherent lack of network security that allowed these breaches to happen. The CSIS report recognizes this, commenting that “the high frequency of espionage and cyber crime reflects the generally weak defenses of most networks and the ease with which they can be penetrated.”
Yet, while frequency continues to rise, attackers are on the whole using the same tactics and techniques they’ve employed for the last ten years: exploiting known vulnerabilities, phishing schemes, and macro-based malware. These techniques work because organizations, both public and private, too often are using woefully outdated IT platforms and have minimally useful tools for understanding what’s happening on their machines, much less who is trying to get in.
What’s Missing in The Report
The CSIS Task Force identified five major issues that the incoming Administration should address to improve our country’s security: developing a new international strategy; making a greater effort to reduce cyber crime; accelerating protection of our critical infrastructure and government agencies; identifying where federal involvement can support items like research or workforce development and what’s best left to the private sector; and determining how the government should organize itself to defend our cyberspace.
In some cases, these recommendations fall short. Improving cyber hygiene, for instance, should be required and immediately addressed for organizations operating critical infrastructure. A set number of penetration tests for all covered federal agencies should also be required and should be implemented by qualified third parties, not, as the report recommends, by the Government Accountability Office (which should instead act in its oversight capacity, reviewing testers’ qualifications and periodically overseeing tests).
Meanwhile, the federal government still uses technology that is decades old, wasting billions of dollars and countless hours on inefficient processes. It does not have to be this way. The largest businesses — many close in size to some government agencies — are using modern, flexible IT platforms that have proven effective at scale. There is no reason the government should not also be using these platforms.
Extraordinary changes to our world’s digital architecture are on the way, and the world will not wait for us. As the new administration and Congress begin work, their challenge will be to ensure those changes improve citizens’ lives, rather than endanger their data and the infrastructure they rely on. Our future prosperity, security, and way of life depend on it.