Note: The #CyberAvengers are a group of salty and experienced professionals who have decided to work together to help our country by defeating cybercrime and slowing down nefarious actors operating in cyberspace seeking to exploit whatever their tapping fingers can get a hold of. How? We do this by raising our collective voices on issues of critical importance so that we can keep this great country in the lead – both economically and technologically – and to keep it safe and secure. All the issues are intertwined and more complex than ever, which is why we have different backgrounds but have a common cause. We complement each other, we challenge each other, and we educate each other. What do we get out of writing articles like this? Nada. Goose egg. We are friends. We are patriots. And we are not satisfied to sit around and do nothing. We want to keep this nation and its data safe and secure.
Expectedly, our cybersecurity issues are growing. We say expectedly because of a variety of factors including, but not limited to: the size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.
What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of putting aside, or worse, ignoring, the basics. Put another way, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.
The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems is inherently insecure systems, poor maintenance, and social engineering.
The Realities of Cybersecurity
The reality is, cybersecurity is a tax. For only a very few of us is “cybersecurity” a revenue generator, and that group is more or less limited to vendors, researchers, developers, contractors, consultants, and some academics. For everybody else, it is a cost that brings us no return. Yet, like other costs such as insurance, it is a necessary operating cost, and an increasingly expensive one.
Cybersecurity is also a liability. Unless you are in the “business of cybersecurity,” the only conceivable way that “cybersecurity” is an asset for you is if you can demonstrate to your stakeholders that your cybersecurity posture makes you better than a competitor. Therefore, your “asset” in this case is more of an intangible one, such as in the form of trust or confidence to conduct transactions, the very bedrocks of properly functioning market economies. As a result, for most of us, cybersecurity is an item on both your income statement and your balance sheet that costs you and puts you in jeopardy. And when this is the case, what are the prudent courses of action? Minimize the cost while reducing exposure to liability. But these adjustments need to be concurrent and tied, not independent of each other. And you need to find the right balance for you and your operations.
To elaborate, minimizing your cybersecurity costs by not doing as much as you should saves you money upfront, but you may also be increasing your exposure to liability as you pile on additional vulnerabilities that need to be resolved in the future. Translation: this route potentially costs you more later. The flip side is maximizing your cybersecurity expenditure, specifically in the form of bells and whistles that are supposed to lead to the cybersecurity promised land. This route, which costs more now, not only fails to guarantee a decrease in liability, but potentially adds a different type of liability: burning through your hard-earned assets.
In either case, we are not doing a good job quantifying our efforts. And while both approaches are being used, we see the latter one as the predominant mindset in industry, and that is worrisome to us for the following reason: If we continue down this current strategy, there is only one inevitability - over time, cybersecurity budgets will become the single greatest cost to your operations, to the point that they will become so cumbersome that they will force you out of business, even if you are at peak business. Non-profit organizations and yes, countries too, are no different and not immune to this trajectory, prone to suffer the same fate as our dependence on bits, bytes, and potentially qubits rises in the future. Even individuals are vulnerable to this model, as personal monitoring services cost money but do not provide total prevention of fraud. And of course, buried in service fees are the passed-down costs from large corporations as a means to self-insure. Do not think for one moment that if you are “covered” for fraud you have not paid for that coverage in some other form already.
Therefore, if you view cybersecurity through this lens, you will begin to understand that throwing money at more gadgetry that tacks onto overstressed and inherently vulnerable systems is not only a foolish strategy but one that will run you straight out of business and in the long run ruin your country’s economy.
The Challenge of Eliminating Cybersecurity’s Gray Areas
If these were our only problems we would still have a herculean task ahead of us. But we do have more issues that compound the cybersecurity challenge. If money is the first of our concerns, the second would be the lack of international norms. It is a challenge that is influenced more by culture than technology and driven almost exclusively by interest. It would be easy to say “the rules have changed,” but we suggest instead that no rules for this domain were ever established in the first place. How else can we explain nation-state involvement in breaches and espionage? How do we allow our supply chain to be so vulnerable? How can we explain that we have, effectively, normalized a type of theft?
The envelope of this gray area is being pushed so far that there is a legitimate reason to worry about who blinks first. There simply is nothing to compare to, particularly when the stakes have never been higher. And if we are to be blunt, who has the most to lose? The United States, of course, which is yet another reason so many actors are pushing the thus-far unestablished limit.
We kindly ask those who say “we’re at war” in public with bravado to stop. Yes, we are challenged, and challenged severely, by foreign actors, but the “this is an act of war” talk fails to appreciate a delicate nuance: if indeed “this is an act of war,” then what exactly is the response? By definition, an “act of war” should elicit a response, but being in the uncharted territory that we are (along with everybody else), particularly when attribution is still so incredibly difficult, a miscalculated response will lead us down a dark path, and fast.
Back to why we say there is nothing to compare to: we simply cannot estimate the costs of such action, because not only are there no models for us to run or historical examples for us to compare to, but also because the loss will not be linear when the potential catastrophe will impact so many. This is why calculating the aftershocks of a response is so incredibly difficult.
To be clear, we are not saying do nothing. We are saying don’t burn the farm you rely on to live in order to save the house. And we regrettably see a lot of fires being started unnecessarily because even those tasked with “cybersecurity” responsibilities are failing to both understand and implement the basics. When decision makers do not know the difference between “steal” and “copy” we have a problem. These words do not mean the same thing, even more so in the cyber domain.
We have enjoyed the benefits of a digitized world but never took the care to clean up after ourselves, which is why we sit in this accumulated mess. There is only so much we can sweep under the carpet and in a world where data is everything – literally, everything – we need to do a better job if we are to maintain and expand on the living standards we have inherited. If you accept that data is the richest form of currency today, you will appreciate our concerns. Therefore, whether it is personally identifiable information or intellectual property, we simply cannot allow this continued drain and loss of our most valuable resource, whether by accident, malicious intent or natural disaster. It simply costs us too much.
Implementing Strategies that Work
In order to save what little we have left, our suggestions for a National Cybersecurity Action Plan are meant to be easy to implement, easier to understand, actionable, and most importantly will help reduce our costs while reducing our liability, particularly over the long term in a manner that will not drain all our cash. We are not illusionists. We know these achievements are incredibly hard and there will be strong forces that disagree with our approach, in large part because of its simplicity and cost-effectiveness. But we are trying to chip away at a strategy that has not been working with the singular intent: protecting the United States of America. Our National Cybersecurity Action Plan is as follows:
- Make the NIST Cybersecurity Framework (CSF) mandatory for critical infrastructure (CI). The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is a good start for government, but the CSF is merely guidance for CI today. Making the CSF mandatory for CI creates a level of accountability that currently does not exist.
- Create a type of Underwriters Laboratories (UL) facility to test Internet of Things (IoT) devices, using the principles of NIST 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. We are relying on IoT more and more to run our businesses and protect our homes, but these devices are inherently insecure and we have no positive control of the supply chain. We do not allow cars on the roads without passing safety tests. IoT devices should be passing safety tests and receive a type of “star rating” that takes into consideration: out-of-box security configuration, historic defects, and patching timelines. And these facilities are a great way to generate well-paying American high-tech jobs.
- A National Cloud Computing and Offline Backup Action Plan for SMB. With the cooperation of the private sector, we can help move business to a safer and more secure environment. There are legitimate privacy and data protection concerns here, but we can work through these problems if we respect SMB and individual concerns. We are not calling for the complete uploading of SMB data to the cloud. What we are calling for is a cloud-based solution that gives SMB operational continuity in the face of disruption, which means there needs to be a type of offline data protection method that is in the sole control of the SMB owner. The SMB community is and will always be one of the most critical drivers of the economy. We need to protect this community, particularly since it is one of the most vulnerable.
- All new critical infrastructure projects must, by law, be built using the security-by-design methodology. We cannot continue to build projects with flimsy technology that is inherently vulnerable. NIST 800-160 lays out in “plain English” the security-by-design concept. If we could summarize the concept, it would be like this: build the project with security as the primary concern, not an add-on concern. This includes consideration of all types of threats, whether they are foreign actors or hurricanes. This approach understandably comes with a greater upfront cost, but generally it will be easier to calculate than a post-event cost for an insecure system, and over the long term it will be cheaper. Do not be fooled by the gadgetry of AI and Machine Learning as the superior defenders, as the adversaries use these tools as well. As we look to build more smart systems, smart cities, and smart countries, anything other than a security-by-design approach is signing a death sentence. And this approach also has the possibility of creating more good-paying U.S.-based jobs.
- Incentivize proactive cybersecurity steps for SMB. Offer a yearly 10 percent tax credit of annual revenue, up to $5,000,000 annual revenue, for SMBs that use a certified, 100 percent fully U.S.-based Managed Security Services Provider (MSSP). By 100 percent fully U.S.-based we mean all staff, all servers, and all support are U.S.-based, no offshoring, not even a call center. Most SMBs do not have the budgets to employ full-time cybersecurity staff, nor do they have the necessary know-how to do it themselves. MSSPs can fill this gap. And by using a U.S.-based MSSP, we have multiple benefits: the SMB is encouraged, through incentive, to take protective cybersecurity steps, and they indirectly staff a good-paying U.S.-based job. This model can work because an MSSP will have the ability to be cost effective, since they should operate based on volume (there are plenty of SMBs out there that will require this service).
- A National Cybersecurity Curriculum. We believe that cybersecurity training should be made available to every citizen. But getting everybody to do that is no easy feat. Therefore, we propose the following: mandatory nationally-approved cybersecurity and cyber safety education beginning in Grade 1 all the way through to Grade 8. There is a method to our work here, as this approach gives an opportunity for parents to learn some cybersecurity basics as well. The training will also be made available online for all others. We know what you are thinking here: won’t the adversaries be reading? Yes, they will. But better for us to be informed, and for the adversaries to know that the days of sticking our head in the sand and hoping for the best are over. And we can at least try to slow them down in this form: IP block access to the website. Only U.S.-based IP addresses operating from U.S.-based internet service providers will be able to access the material. Yes, we know, there are so many ways around this, from simple screen caps to sophisticated IP spoofing workarounds, but let’s at least make the other side work for it a bit. Don’t give it up for anything!
- Expand the smart cities/smart countries initiative, smartly. The power of big data is not all bad. Our management, and potential abuse, of big data is what is bad. Stop the myth that algorithms are free of bias. They do have a bias. They are made by us, so there is bias, even if unconscious. But big data, harnessed, can transform how cities and states will be run, whether it is efficiently regulating energy consumption, clearing traffic congestion from our roads, or managing the maintenance of our green spaces. There is a potential environmental benefit, but it all starts by protecting big data first. That means security-by-design.
- Expand public/private partnerships that allow sharing of threat intelligence in a timely, network-speed fashion. We have not done as well as we had expected here, even if the “sharing is caring” mantra is regularly repeated. Some concerns are unwarranted, but some are warranted. We are protective by nature, and vulnerability and liability scare us off. If there are mechanisms that can protect the private sector for their good faith efforts, we could make some meaningful steps here. Some thoughts to consider: a council of senior decision makers from both the public and private sector where not only can they speak candidly amongst themselves, but they also have legal protections that discussing their vulnerabilities will not be used against them, by the government or competitors, if they are acting in good faith. A type of “reverse Miranda,” for example. And extremely punitive fines plus “outcast status” for those who use the privileged information against competitors for their own benefit.
- The national identification system – social security numbers – is broken. And potentially fully compromised, for reasons you may have recently heard of. We understand this is a touchy issue for very legitimate historical and cultural reasons. There are also serious privacy concerns that must be addressed. But we cannot go on like this. We are shattering all meanings of “invasion of privacy” and “right to privacy” as this information keeps finding itself in the wild. Therefore, a new system needs to be created that takes into account these two issues: how do we protect the data in the identification system, and how will this data be used? The first issue again requires a security-by-design methodology. For all those claiming that biometrics is the answer to this problem, we say this: prove to us, through relentless testing, that you can protect nine numbers before you start asking us for our eyeballs. We simply cannot institute a nation-wide platform that has possible non-repudiation built into it if we do not have a high level of confidence in the system. This includes a mechanism to resolve the following scenario: what happens if that system does break or is breached? Similarly, we should put limits on how this national identification system will be used. The SSN became such a commonplace identifier for virtually everything we do that it was simply impossible to protect.
- A fast-moving task force that will offer recommendations on how to secure voting and registrations during elections. To be specific, we are not talking about information campaigns from foreign actors. These are not “hacks” and should never be characterized as such. The only way this word has any meaning in this context is to say that your mind was hacked through injections of information by foreign sources. Let us be serious for a moment: if we are that susceptible to this type of influence, we have much bigger problems than cybersecurity (more on this in the next point). In this point, we are talking about providing the technical safeguards to ensure that vote tabulation cannot be altered and that only legitimate voters can participate in our elections, with some level of consistency throughout the nation. We must control the supply chain, including all voting machines, and ensure that 100 percent are made in the U.S., hardware and software, no exception.
- Early education in civics and critical thought on how to validate information on your own, free of political influence. And it would help if adults did some of that too. Don’t believe what you are told. And to prove we’re serious, don’t believe a word of what we are telling you in this piece: go and validate what we have said. If you come to your own conclusion that we were right, we will be enthusiastically pleased and thankful for your support, but that is not what we are looking for. We are looking for a better American future, which includes the reestablishment of trust and confidence in institutions. What this also means is that institutions need to change and evolve, particularly the Fourth Estate. The Internet has provided for the democratization of speech and ideas, which means the United States is influenced by foreign ideas today more than ever. Give us the information and let us validate it based on our own thought process. Our #CyberAvengers group is by no means politically uniform. We differ. And that’s fine, we welcome it, but we don’t particularly spend much time on those differences. Instead, we focus on the common cause. We do not let political difference override that, nor influence our friendships. And no matter who would be president or which party would control Congress, we would not change a single word of this piece, because the challenge we face is an evolution of decades which began the moment we flicked on the Internet switch. This cybersecurity challenge is not some sudden flash that has happened over the last year. If you do not believe us, read some history and see that all our concerns are rooted in problems that began decades ago, and from a geopolitical perspective, centuries ago.
And finally, some shameless self-promotion. We encourage you to adopt the basics we talk about in the #CyberAvengers Playbook. It is free for download, written in simple speak for everybody to understand, and meant to be easy to implement.
Cybersecurity is No Mystery and is Everybody’s Business
That is our National Cybersecurity Action Plan. We think it is actionable and executable, right now. We have more ideas as well, but we believe what has been proposed is manageable. Our intent is to get everybody thinking about cyber risk, cyber process, and cyber hygiene, from very practical perspectives. We need to break this mystique of cybersecurity being the exclusive play space of tech gurus. It is not, but we all have played a role in letting that happen. If we are to make the next big leap into smart cities and smart countries, we all need to be working off a simple playbook that everybody can understand.
Finally, we cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them. That is what we are trying to do: give voice.
We invite your comments. We need them in order to maintain and grow upon this American prosperity, which, like so many other achievements we created, can be shared throughout the world with those who share our vision of a more prosperous and safer world. But to do this, we need to start at home, by protecting our networks and our economy.
The #CyberAvengers are: Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos.