We are all aware of the many threats plaguing our cybersecurity defense apparatus with new ones emerging almost daily. Why we got here is more interesting than how we got here, but focusing on reversing the course and slowing momentum in the how reveals the lowest hanging fruit and the way we can get out of the position we are in today if we move fast enough.
If we stay in denial and do nothing to change the course, in the not too distant future, the cybersecurity landscape will worsen significantly and any chance of protecting information assets, assuring truthful social media and providing data privacy will disappear completely.
In fact, just the ability to defend our country against cyberwarfare is in the balance.
Existential threats? Forget about Global Warming. Soon, we all may all be speaking a different language.
Course Reversal
Here are ten ways we can reverse course and get ahead:
- Change the reporting rules and prevent companies from reporting on their cybervulnerabilities;
- Apply granular controls over all Chinese-owned venture capital firms;
- Stop using any products or services, including mobile devise and telecom made in China;
- Develop and apply rigorous process for fundamental hygiene with consequences;
- Start sharing in earnest between public and private sectors;
- Modernize our cyberlaws to enable offensive security;
- Mandate a Zero Trust migration for every computing environment within an aggressive timeframe;
- Create and enforce national security mandates that specify technologies (not products) that must be part of every Zero Trust implementation;
- Create the equivalent of a Manhattan project for the application of AI/ML to the problem space, with appropriate funding and speed to market; and
- Implement mandates on insurance providers to match coverage against a standardized NIST framework requirement.
Why?
By removing excessive trust from our systems and networks, isolating our critical assets, amping the identity authentication process and reducing the overall attack surface, we will have removed 50% of the breach risk and made cybercriminals jobs much harder.
By eliminating products and services provided by our number one adversary, we will put an end to pre-engineered leakage and impossible to detect hardware vulnerabilities.
By throwing the IP thieves out of our tents, we will stop the theft of the key technologies that our adversaries now use against us.
By reengineering the way we apply fundamental hygiene for patch and configuration management, we can decrease the number of vulnerabilities we now present.
By modernizing cybersecurity laws, we will remove the handcuffs that currently hinder law enforcement from apprehension and prosecution. In addition, we can open the doorways to a controlled offensive or forward defensive cybersecurity program at the national level, so that targets and victims can identify and seize bad actors in the process of committing their crimes.
By establishing mandates (vs recommended) national security rules, we will assure that every organization is building and managing their IT and OT systems in accord with best practices that have demonstrated their ability to increase resiliency while decreasing risk. One mandate can cover Ransomware attacks, by preventing the payout, but also providing insured coverage for the damage recovery, adjusting for negligence and attendant liability, within a year of the attack under the jurisdiction of a special court.
By insisting on a mutual sharing of information and intelligence, private industry will have access to signals and behavioral data, now protected which will enrich new product design and development.
By instituting an aggressive AI/ML Manhattan project, we will be able to expand the concept of a YCombinator with a specific product focus, aggressive funding, curation and vetting and guidance from experts in those disciplines. It took only 4 years and $2 billion ($40 billion in 2022 dollars) to produce FatMan from whole cloth – it should take half that time and twice the money today.
By forcing insurers to provide and align their coverage against a standard for proper defense and controls, the burden is transferred to NAIC and FIO, forcing an actuarial proxy that will mature over time, yet set consistent expectations for both insurers and insured.
The Result.
If we do all of this, will cybercrime come to an end? Will we reverse the asymmetry within our current attacker/defender dynamic? Will we achieve world peace?
Of course not, BUT ….
It will slow the acceleration of that asymmetry, begin a reversal of course, shift momentum to our team, make the bad guys work a lot harder to accomplish what they do today, take a key adversary out of the game, provide our military with modern tools to prosecute a modern war, put the U.S. back in a position of global strength while re-arming our country to defend our allies against threats from the world’s worst actors, and force industry to make the investments it must to safely operate in the current threat environment.