This morning I had the privilege of speaking before the Congressional Subcommittees on Research and Technology and Oversight at a hearing titled Cyber Security: What the Federal Government Can Learn from the Private Sector. Other panelists included Dr. Martin Casado, Senior Vice President and General Manager, Networking and Security Business Unit, VMWare; Mr. Ken Schneider, Vice President of Technology Strategy, Symantec Corporation; and Mr. Larry Clinton, President and Chief Executive Officer, Internet Security Alliance.
Here are the thoughts I shared:
I’d like to thank Chairwoman Comstock and the other chairs and ranking members for the invitation to share some thoughts on behalf of Telos Corporation on industry best practices for cyber security and risk management.
As I noted in my written statement, Telos protects the world’s most security-conscious enterprises, providing our customers with solutions and services for cyber security, secure mobility and identity management.
The first point I’d like to highlight is that all enterprises — private and public — need to emphasize cyber hygiene in their day-to-day operational practices and employee training.
Why do I make this the first point? Because the 2015 Verizon Data Breach Investigations Report found that the overwhelming common denominator in security incidents is people. Nearly all of the security incidents Verizon catalogued might have been avoided if organizations had taken basic steps to help their employees follow simple cyber security precautions.
Here are five basic steps that organizations should take to better protect themselves from attacks:
- Establish – and enforce – cyber security policies and procedures;
- Include effective password management practices;
- Require regular security awareness training;
- Implement timely updates and patches to manage vulnerabilities; and
- Use up-to-date endpoint security solutions.
These five basic steps serve as the foundation for a strong cyber security program. Every IT security professional knows them, and yet the importance of following through with them cannot be overstated. Further, these practices must be embraced in the boardroom and by management so that a culture of cyber security is created throughout the organization.
That being said, every organization with high-value digital assets needs to assume it has already been breached or will be. This leads to my second point, that incident response and remediation are just as important to organizations as cyber defense-in-depth strategies.
Telos has developed a rigorous framework for incident response — with essential steps like preparation, containment, eradication, and recovery — which we use ourselves and implement for our customers.
Further, it isn’t realistic to expect every organization to have the time or financial and human resources needed to successfully defend everything. That’s why risk management is so critical to effective cyber security.
Risk management involves identifying, evaluating, and either accepting or mitigating uncertainty in decision-making.
Private and public sector organizations need to make cost-benefit choices about which systems to defend and how to defend them, based on the likelihood of the asset being attacked, the value of the asset being attacked, the cost of defending the asset, and the cost of losing the asset.
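The cost-benefit choice described above can be made concrete. The script below is an added illustration, not Telos's method or anything from the testimony: it models each asset with the four factors named here (likelihood of attack, value at stake, cost of defending, and expected loss as the cost of losing it), then funds controls in order of loss avoided per dollar until a fixed budget, an assumption added for the example, is exhausted. Every figure in the inventory is constructed.

```python
"""Risk-based allocation of a finite security budget (constructed example).

Each asset carries the factors named in the testimony: likelihood of attack,
value of the asset, cost of defending it, and the cost of losing it (modelled
as annualized expected loss).  Controls are funded highest benefit-per-dollar
first until the budget runs out; anything left over is an accepted risk.
All figures are constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    likelihood: float     # annual probability of a successful attack (0..1)
    value: float          # loss if the asset is compromised, in dollars
    defense_cost: float   # annual cost of the proposed control, in dollars (> 0)
    reduction: float      # fraction of expected loss the control removes (0..1)

    def expected_loss(self) -> float:
        """Annualized expected loss with no control in place."""
        return self.likelihood * self.value

    def benefit(self) -> float:
        """Expected loss avoided per year if the control is funded."""
        return self.expected_loss() * self.reduction

    def net_benefit(self) -> float:
        """Avoided loss minus control cost; negative means the control costs more than it saves."""
        return self.benefit() - self.defense_cost


@dataclass
class Plan:
    mitigate: list = field(default_factory=list)   # asset names whose controls are funded
    accept: dict = field(default_factory=dict)     # asset name -> reason the risk is accepted
    spend: float = 0.0
    residual_loss: float = 0.0                      # expected annual loss after funded controls


def allocate(assets, budget):
    """Greedy cost-benefit allocation: fund controls with positive net benefit,
    highest benefit-per-dollar first, as long as they fit the remaining budget."""
    plan = Plan()
    remaining = budget
    ranked = sorted(assets, key=lambda a: a.benefit() / a.defense_cost, reverse=True)
    for a in ranked:
        if a.net_benefit() <= 0:
            plan.accept[a.name] = "control costs more than the loss it prevents"
            plan.residual_loss += a.expected_loss()
        elif a.defense_cost > remaining:
            plan.accept[a.name] = "no budget left for the control"
            plan.residual_loss += a.expected_loss()
        else:
            plan.mitigate.append(a.name)
            remaining -= a.defense_cost
            plan.spend += a.defense_cost
            plan.residual_loss += a.expected_loss() - a.benefit()
    return plan


# Constructed inventory; likelihoods and reductions are binary fractions so the
# arithmetic is exact and the results below are reproducible.
INVENTORY = [
    Asset("customer database",   0.25,  2_000_000, 150_000, 0.75),
    Asset("public website",      0.75,    200_000,  40_000, 0.50),
    Asset("legacy print server", 0.125,    40_000,  25_000, 0.75),
    Asset("source code repo",    0.25,  1_000_000, 120_000, 0.75),
    Asset("hr file share",       0.50,    300_000,  60_000, 0.50),
]

if __name__ == "__main__":
    plan = allocate(INVENTORY, budget=250_000)
    baseline = sum(a.expected_loss() for a in INVENTORY)
    print(f"Unmitigated expected annual loss: ${baseline:,.0f}")
    for name in plan.mitigate:
        print(f"  MITIGATE  {name}")
    for name, why in plan.accept.items():
        print(f"  ACCEPT    {name}: {why}")
    print(f"Spend ${plan.spend:,.0f}; residual expected loss ${plan.residual_loss:,.0f}")
```

With the constructed figures, a $250,000 budget funds the database, website and HR share controls and leaves the source code repository unfunded and the print server accepted outright, cutting expected annual loss from $1,055,000 to $530,000. The two "accept" reasons are worth keeping separate in a real register: a control that costs more than it saves is a genuine decision to accept risk, whereas an unfunded but worthwhile control is a budget gap to raise with management.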
That approach is reflected in the Continuous Diagnostics and Mitigation program, established by Congress “to provide adequate, risk-based, and cost-effective cyber security and more efficiently allocate cyber security resources.”
The CDM program extends continuous monitoring into the areas of diagnostics and mitigation, while acknowledging that risk management is called for when you have to meet nearly infinite needs with finite resources.
That’s also the value of initiatives like the NIST Risk Management Framework and the NIST Cyber Security Framework. They put cyber security solutions and best practices in the context of risk management and compliance.
Which brings me to my third point. The standards in the NIST Cyber Security Framework are very good… but they cannot succeed unless companies follow them.
We should be looking for ways that market forces can incentivize companies to voluntarily take the strongest possible actions to protect themselves, which includes following the NIST standards and best practices.
The various critical infrastructure sectors are just that — “critical.” They are so important to our national defense, our economy and our way of life that it is imperative government and the private sector encourage organizations in these sectors to use best cyber security practices.
One promising area of incentivizing companies is tied to the growth of the cyber insurance market.
The Commerce Department has described cyber insurance as an “effective, market-driven way of increasing cyber security.” The Treasury Department has also suggested that the increasing demand for cyber insurance may help drive private sector policy holders to adopt the NIST Cyber Security Framework. Here’s why.
As insurance companies get their arms around the cyber security actuarial data they accumulate with each new breach, they will want to have insights into what their clients are doing to protect themselves. Are their clients employing adequate controls and security practices? Are they applying sufficient ongoing protection for their systems and data? And are they using the NIST Framework or an equivalent standard?
In fact, insurance companies may well require their clients to adopt the NIST Framework in order to demonstrate insurability and reduce their premiums. When that happens, we could see greater market-based pressure brought to bear that will effectively “require” other companies to do the same, even though the NIST standards themselves remain voluntary.
So market forces and the fear of legal liability may make NIST’s voluntary guidelines the de facto standards for companies to demonstrate to insurers or in court that they have exercised all due care to protect their assets and customers.
These same market forces and fear of legal liability can also further incentivize companies to participate in the voluntary cyber threat and best practices information sharing program that Congress recently approved as part of the omnibus funding bill. Choosing to participate and thus be eligible to receive as much threat and best practices information as possible will be in their best interest.
One additional point — cyber security is just too important to do on the cheap. Over-reliance on “Lowest Price Technically Acceptable” contracts can be very risky in a field that has so little room for error.
Similarly, our fifth warfighting domain – cyberspace – must be appropriately funded. Years ago our government designated cyber as a warfighting domain, on a par with land, sea, air, and space. The Army, Navy, and Air Force each received roughly $150 billion (give or take) in funding for fiscal year 2016. U.S. Cyber Command has been allotted about $460 million — a mere one-thousandth of the overall DoD budget and roughly one-third of one percent of each of the services’ total funding.
By contrast, just four banks — JP Morgan Chase, Bank of America, Citibank, and Wells Fargo — are spending three times that amount on cyber security. J.P. Morgan Chase alone is spending $500 million — that’s more than Cyber Com’s entire budget for the year.
The financial sector is an example of the private sector taking its cyber security risk management responsibilities very seriously and devoting the resources necessary to protect itself and its customers.
Defending our nation in cyberspace requires a long-term national effort and commitment, much like the Space Race — we have the equivalent of a cyber-race to the moon on our hands, and we are falling behind.
Again, I appreciate this opportunity to share with you Telos’ perspective on these important issues.