BreachExchange mailing list archives

Why governments need to take the lead in cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Nov 2015 13:50:13 -0700

http://www.net-security.org/article.php?id=2411

Time and time again we hear people lament about the impact cybercrime has
on our businesses, our individual lives, the economy, and on society.
Report after report shows the impact cybercrime is having on our economies,
with some estimating the global cost of cybercrime is approaching $3
trillion per year. As each of these reports is published, there is the
usual handwringing over why the state of cybersecurity is so bad.

We blame companies for not protecting our personal data properly, we blame
the vendors for producing ineffective solutions that do not address our
problems properly, we blame standards bodies for developing standards and
frameworks that address only the basic elements of security, we blame users
for falling victim to phishing emails and other scams, we blame law
enforcement for lack of action and/or capability in dealing with
cybercriminals, we blame academia for not training students in the proper
skills or not conducting research in the proper areas, and finally, we
blame criminals for conducting these attacks.

There is one group that I often see missing from all of the above finger
pointing and arguably this group has the most influence in how we improve
cybersecurity and how we tackle cybercrime: the governments of each of our
countries. For the past number of decades, governments have failed to
recognize or even acknowledge that cybersecurity is an important issue. The
collective attitude has been that cybercrime or cyberattacks were not an
issue that governments should be concerned with and that individuals and
companies should protect themselves.

It is this short-sightedness that has led us to the poor state of
cybersecurity we now face. Lack of leadership and investment into
cybersecurity by governments has resulted in many law enforcement agencies
lacking the appropriate capabilities and resources available to tackle
cybercrime. This lack of leadership has also resulted in many government
systems being less secure than they should be.

It is said “nature abhors a vacuum” and so, too, does leadership. Without
leadership from our governments, the private sector has stepped into the
role of defining what good security practice is and we now have countless
standards all competing for our attention. Due to the lack of resources and
skilled staff, law enforcement agencies have had to look to private sector
companies to bolster their capabilities. We regularly see security vendors
working with law enforcement to take down botnets and disrupt online
criminal activity. These services are offered to augment the technical
capabilities of law enforcement and are often provided at no cost.

The value for the security companies is the media attention they get for
doing this work. Law enforcement agencies welcome the help, but this
practice highlights the severe lack of funding by governments in this area.
When the marketing budget a security vendor can spend on its involvement in
botnet takedowns exceeds the annual budget that the law enforcement
cybercrime units receive, there is something seriously wrong with our
priorities.

In effect, private sector companies are the ones who are driving the
cybersecurity agenda and not governments. The danger is that the
cybersecurity agenda will be driven by the goals of the private sector
companies involved, which in many cases do not align with the greater
requirements of society. We have seen companies create a niche in the
market for their services and then campaign that their services should be
government policy. The push by a number of companies promoting hacking back
as a valid approach to deal with a cyberattack is a good example of this.

But the biggest concern is the practice by security vendors to quickly
attribute attacks to certain nation states based only on the information
those private companies hold. As a result, we see press release after press
release saying that certain countries are the source of major attacks,
often with only the flimsiest pieces of evidence to support those claims.
Time after time we have seen so-called facts and evidence from vendor
reports being used to support political arguments, and then later witnessed
that evidence being refuted.

This constant flow of “news” stories, no doubt supported by political
lobbying on behalf of those cybersecurity companies, runs the risk of
shaping public and political opinion on how government foreign and domestic
policy should be formed in relation to cyberattacks. When government policy
in relation to cybersecurity is based on marketing reports and press
releases from private sector cybersecurity firms, we are opening ourselves
to major problems in the future.

As security professionals, let’s make sure that when we see companies
making their marketing propaganda part of the political agenda we call them
out on their hype with fact-based arguments.

As private citizens, let’s make sure we lobby our politicians to take
cybersecurity seriously and highlight to them where the real issues lie.

It’s time our governments focused their priorities on developing better
policies regarding cybersecurity, so let’s make sure they develop those
policies based on the greater needs of society and not the marketing
requirements of private companies.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/