Here’s how the US government can bolster cybersecurity

Experts at the RSA show suggest government can push changes through its IT contracts and with a better policy on cyberwar

Almost 20 years ago, Chris Wysopal was among a group of hackers who testified before U.S. Congress, warning it about the dangers of the internet.

Unfortunately, the U.S. government is still struggling to act, he said. "You’re just going to keep ending up with the status quo," he said, pointing to the U.S. government's failure to regulate the tech industry or incentivize any change.

It’s a feeling that was shared by the experts who attended this week’s RSA cybersecurity show. Clearly, the U.S. government needs to do more on cybersecurity, but what?

Public and Private sector

Perhaps, the need for U.S. action hasn't been more urgent. In last year's election, Russia was accused of hacking U.S. political groups and figures in an effort to influence the outcome.

In addition, major internet companies, including Yahoo, have also reported huge data breaches, one of which exposed details to a billion user accounts.

The list of problems goes on and on. However, what the U.S. government's role should be in cybersecurity isn't as clear-cut as one might think. That's because most of the IT infrastructure is in the hands of the private sector, which is constantly churning out new -- and sometimes vulnerable -- tech products. But it's not always the biggest fan of regulation.

"Every year, people talk about improved collaboration between the public and private sectors," said RSA CTO Zulfikar Ramzan. "And of course, every year, it feels like we haven't made that much progress."

rsa cto Michael Kan

RSA CTO Zulfikar Ramzan speaks at RSA 2017.

He predicts the state of cybersecurity will first get worse before it gets better. Nowadays, one relatively simple hack involving a phishing email can affect an entire U.S. election, like it did, last year.

Ramzan recommends that the U.S. fully outline the public and private sectors' roles in cybersecurity, as opposed to leaving this muddled. "That would help things move forward," he said. "Each respective sector can do what they do best."

For instance, the U.S. should be pushing out more standards on IT security, based on guidance from the industry. Meanwhile, the private sector can focus on developing new innovations that government bureaus can beta test and support.

Practical approaches

Others like Wysopal, who is now CTO at Veracode, think the U.S. government is in a unique position to spark change that can reach out across the industry.

Imagine if tech vendors all suddenly decided to build securer products -- not because of any new regulation -- but because they wanted to win bids from a customer.

The U.S. government happens to be one of the biggest customers of technology. So it's in a prime position to demand tech vendors secure their products, which would pass those benefits on to other buyers such as enterprises and consumers, Wysopal said.

"It isn’t regulation. It’s securing the government and getting that ripple effect," he said.

"But they've never really done that," he added. "They've never put acquisition requirements in place. There's recommendations. But they're not as stringent as we see with the banks."

Experts at the RSA show also brought up the urgent need for the U.S. government to train new cybersecurity talent – which is scarce in today's industry – and to readily share its intelligence on the latest cyber threats, rather than wait until it's too late.

"Don’t tell us what to do, how to do it," said Jeremiah Grossman, chief of security strategy at SentinelOne. "Just tell us what's out there."

"The faster we get the data out to the masses, the sooner we can counteract," he said. "By sharing threat intel data, we force them [the hackers] to change their tactics."

Hard questions

But in the cyber realm, perhaps the biggest challenge facing the U.S. government is what to do about state-sponsored hacking.

The U.S. still doesn’t have a clear policy on how to retaliate, which does nothing to discourage foreign governments from striking again. But at the same time, many of these cyber attacks might be considered an act of war, said Mike Rogers, a former U.S. congressman who was chairman of the House intelligence committee.

rogers Michael Kan

Former U.S. congressman Mike Rogers.

During a panel at the RSA show, he pointed to the example of North Korea's suspected hacking of Sony Pictures in 2014, which costs millions of dollars in damages.

"Is that an act of war?" he asked. "It's so hard to come to that conclusion, because [these cyber attacks] are happening a million times a day."

In 2007, U.S. officials began realizing they needed a policy around cyberwarfare, Rogers said. But the government still isn't close to defining it, despite wrestling with the topic for years.

"We were having a hard time coming to any agreement, and we're not there yet," he said.

But clearly, something needs to change.

"I think the United States is in cyberwar and most Americans don't know it. And I'm not sure we're winning," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?