Here’s how the US government can bolster cybersecurity

Experts at the RSA show suggest government can push changes through its IT contracts and with a better policy on cyberwar

Almost 20 years ago, Chris Wysopal was among a group of hackers who testified before U.S. Congress, warning it about the dangers of the internet.

Unfortunately, the U.S. government is still struggling to act, he said. "You’re just going to keep ending up with the status quo," he said, pointing to the U.S. government's failure to regulate the tech industry or incentivize any change.

It’s a feeling that was shared by the experts who attended this week’s RSA cybersecurity show. Clearly, the U.S. government needs to do more on cybersecurity, but what?

Public and Private sector

Perhaps, the need for U.S. action hasn't been more urgent. In last year's election, Russia was accused of hacking U.S. political groups and figures in an effort to influence the outcome.

In addition, major internet companies, including Yahoo, have also reported huge data breaches, one of which exposed details to a billion user accounts.

The list of problems goes on and on. However, what the U.S. government's role should be in cybersecurity isn't as clear-cut as one might think. That's because most of the IT infrastructure is in the hands of the private sector, which is constantly churning out new -- and sometimes vulnerable -- tech products. But it's not always the biggest fan of regulation.

"Every year, people talk about improved collaboration between the public and private sectors," said RSA CTO Zulfikar Ramzan. "And of course, every year, it feels like we haven't made that much progress."

rsa cto Michael Kan

RSA CTO Zulfikar Ramzan speaks at RSA 2017.

He predicts the state of cybersecurity will first get worse before it gets better. Nowadays, one relatively simple hack involving a phishing email can affect an entire U.S. election, like it did, last year.

Ramzan recommends that the U.S. fully outline the public and private sectors' roles in cybersecurity, as opposed to leaving this muddled. "That would help things move forward," he said. "Each respective sector can do what they do best."

For instance, the U.S. should be pushing out more standards on IT security, based on guidance from the industry. Meanwhile, the private sector can focus on developing new innovations that government bureaus can beta test and support.

Practical approaches

Others like Wysopal, who is now CTO at Veracode, think the U.S. government is in a unique position to spark change that can reach out across the industry.

Imagine if tech vendors all suddenly decided to build securer products -- not because of any new regulation -- but because they wanted to win bids from a customer.

The U.S. government happens to be one of the biggest customers of technology. So it's in a prime position to demand tech vendors secure their products, which would pass those benefits on to other buyers such as enterprises and consumers, Wysopal said.

"It isn’t regulation. It’s securing the government and getting that ripple effect," he said.

"But they've never really done that," he added. "They've never put acquisition requirements in place. There's recommendations. But they're not as stringent as we see with the banks."

Experts at the RSA show also brought up the urgent need for the U.S. government to train new cybersecurity talent – which is scarce in today's industry – and to readily share its intelligence on the latest cyber threats, rather than wait until it's too late.

"Don’t tell us what to do, how to do it," said Jeremiah Grossman, chief of security strategy at SentinelOne. "Just tell us what's out there."

"The faster we get the data out to the masses, the sooner we can counteract," he said. "By sharing threat intel data, we force them [the hackers] to change their tactics."

Hard questions

But in the cyber realm, perhaps the biggest challenge facing the U.S. government is what to do about state-sponsored hacking.

The U.S. still doesn’t have a clear policy on how to retaliate, which does nothing to discourage foreign governments from striking again. But at the same time, many of these cyber attacks might be considered an act of war, said Mike Rogers, a former U.S. congressman who was chairman of the House intelligence committee.

rogers Michael Kan

Former U.S. congressman Mike Rogers.

During a panel at the RSA show, he pointed to the example of North Korea's suspected hacking of Sony Pictures in 2014, which costs millions of dollars in damages.

"Is that an act of war?" he asked. "It's so hard to come to that conclusion, because [these cyber attacks] are happening a million times a day."

In 2007, U.S. officials began realizing they needed a policy around cyberwarfare, Rogers said. But the government still isn't close to defining it, despite wrestling with the topic for years.

"We were having a hard time coming to any agreement, and we're not there yet," he said.

But clearly, something needs to change.

"I think the United States is in cyberwar and most Americans don't know it. And I'm not sure we're winning," he said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?