BreachExchange mailing list archives

Does America have a cyber plan?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 6 May 2015 18:19:39 -0600

http://www.tidewaternews.com/2015/05/06/does-america-have-a-cyber-plan/

Today, the Internet is the new frontier in which Americans live, play and
conduct business. With this new realm comes both incredible potential for
new opportunities, as well as a host of new challenges. Information is
exchanged at the speed of light, but boundaries are elusive — not the least
of which is safeguarding privacy while simultaneously protecting Americans
from the 21st century threats of terrorism.

From the beginning, we’ve attempted to build our cybersecurity approach
with siloed objectives. Here are three: We must protect privacy; we have to
maintain our international competitiveness; we have to ensure safe browsing
by making cybersecurity a core part of our national security strategy.
We’ve traditionally treated these as three mutually exclusive issues each
with their own intricacies and challenges.

Unfortunately, this approach is ineffective. The Internet, by its nature,
is interconnected — as must be our cybersecurity objectives. We cannot
address one without addressing the other. That is why, as we build a
stronger cybersecurity framework, we need to understand the interplay
between these issues in the context of the massive cyber challenges we face
today.

It begins with a proper understanding of the boundaries of the U.S.
Constitution. The Fourth Amendment guarantees that, “the right of the
people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated.” Americans’
right to security cannot come at the cost of their constitutional right to
privacy. While our government has a responsibility to protect Americans
from cybercriminals and terrorist organizations, who abuse the capabilities
of the internet to invoke harm on Americans and our allies across the
globe, we cannot do it at the expense of public trust. That is why any
cybersecurity-related framework must have the Fourth Amendment as its core
guiding principle. If the government fails here — for example, by becoming
intrusive and disrespectful of the American people’s fundamental rights and
liberties — then we cannot achieve our objectives.

Secondly, creating a stronger cybersecurity framework involves
understanding the threats we face. Cybercriminals are evolving every day
and challenging the latest cybersecurity technologies faster than ever
before, obtaining valuable information such as health records, social
security numbers and credit cards. Individual hackers can invoke
data-driven damage and cause a state of alarm. State-sponsored attacks — those
originating with foreign governments — offer a new form of warfare,
however, deadly in the way they can exploit government agencies, critical
infrastructure and public-facing companies. That is why it is crucial that
we are equipping law enforcement and our military with the tools they need
to fight cyber threats and adequately protect citizens.

Another core pillar in creating a multi-faceted cybersecurity strategy must
be ensuring local, city, and state governments are prepared for, and
protected against, attacks. The Sony cyber attack last year, which many
speculated was sponsored by North Korea, gives us a glimpse into one of the
many types of attacks that may be executed when unpredictable states feel
provoked. At the government level, we also learned the White House and the
State Department’s networks were more than likely penetrated by
sophisticated Russian hackers. Unfortunately, government agencies and many
companies are still not fully prepared to defend against such attacks,
leaving our government and economy incredibly vulnerable.

However, while we equip our law enforcement, government and military to
guard against cyber attacks, citizens must also be equipped to protect
themselves and their families. This includes access to educational tools to
recognize cybercrime and safeguard against it. Simple steps like regularly
changing and creating diverse and elaborate passwords for online accounts,
securing home Wi-Fi networks and securing sensitive data from phishers will
be increasingly important as we move into the future, not only to personal
safety, but also to our collective society and economy. The more connected
we become, the more important individual responsibility becomes in securing
personal information.

Finally, in creating a framework to protect consumers and address cyber
attacks, a key component must be facilitating businesses to share cyber
threat information to ensure a safe and secure cyberspace that protects
intellectual property, trade secrets and consumers from hackers and other
bad actors. Although measuring our competitiveness in terms of economics,
trade and R&D will continue to hold true, our competitiveness will also
depend on a globally open internet, where the movement of data across
borders is uninterrupted and uncensored.

While it may seem like America’s debates over cybersecurity are crowded
with competing goals — protecting privacy, ensuring international
competitiveness and providing for national security — the reality is these
goals are not mutually exclusive.

Cybersecurity isn’t about meeting one and moving to the next. Our aim
should be a cybersecurity framework that pushes us to address these
challenges simultaneously and seamlessly. Recently, the House of
Representatives voted on a collection of bills aimed at moving the needle
in cyber security preparedness. The bills address issues like allowing the
private sector and federal government to share cyber threat information,
and providing liability protections for private companies who share
cybersecurity information. These are important steps, but we must do more.
We need to create a cybersecurity framework to adapt to the changing
landscape, take a proactive posture, ensure our security, and — most
importantly — reassure all Americans that our rights are being respected.