For all the effort that is being put by enterprises, government and vendors into combating cyber threats, there are still a few areas where progress has been slow at best and non-existent at worst. Here in no particular order are four cybersecurity items that need more action and less talk.
Federal cybersecurity legislation
Congress has been grappling with this one for years but has failed to deliver anything truly meaningful. Year after year, bills have been introduced in the United States Senate and the House of Representatives aimed at bolstering cybersecurity within the government and critical infrastructure. Year after year, the bills have been discussed, debated, criticized, marked up, modified, revised and voted on and yet they have ended up going precisely nowhere.
Ironically, both Republicans and Democrats agree in principle that some sort of legislation is needed to push government agencies and those in critical industries such as utilities and financial services to bolster their security. The disagreements have been over how to go about achieving that goal. As with everything else in Congress these days, debates over cybersecurity legislation have tended to get bogged down along hyper-partisan lines. While Democrats have wanted a more regulatory approach, the Republicans have favored more self-regulation.
Meanwhile, attacks against critical U.S. assets in cyberspace have been steadily escalating. President Barack Obama has promised (threatened?) to issue a cybersecurity executive order since Congress has been unable to come up with a bill on its own. It’s unclear what such an order would contain, but it’s unlikely to be as effective as a well-written piece of cybersecurity legislation would be. And that means it’s now up to the 113th Congress to get the job done.
SCADA security
Supervisory Control and Data Acquisition (SCADA) systems control critical equipment at utility companies, energy and oil firms, nuclear power plants and other critical infrastructure areas. As the Stuxnet attacks on Iran’s nuclear facility at Natanz demonstrated with chilling results, such systems are vulnerable to all sorts of tampering. Yet, many SCADA systems continue to be full of security vulnerabilities that their manufacturers appear to be in no particular hurry to fix, according to security experts.
In the past, SCADA systems used to be standalone systems, completely isolated from the Internet and therefore pretty hard to attack without physical access to the systems. That’s changed in recent years and with that so has the risk profile. With a growing number of SCADA systems becoming accessible via other systems and even the Internet these days, the risk of vulnerabilities being discovered and exploited has grown exponentially. According to Digital Bond, a SCADA consultancy, the number of flaws discovered in industrial control systems and SCADA systems increased 400 percent over the past two years alone.
SCADA vendors can no longer claim their systems are relatively well protected from external attacks because the systems are not directly connected to the Internet. Many are, some aren’t. It’s time for SCADA vendors to stop downplaying the risk to these systems and start addressing the vulnerabilities in a more expeditious manner than they have demonstrated in the past.
Data encryption
Never mind that security experts and practitioners have long advocated the use of encryption as the most effective way to protect sensitive data. For many enterprises, that’s an epiphany they almost always seem to have only after a major data breach. Consider NASA and the South Carolina Department of Revenue. Both organizations last year scrambled to implement enterprise-wide data encryption measures after suffering major data losses. Both organizations are almost certainly going to spend a lot more money dealing with the aftermath of those breaches than they would have if they had just encrypted the data in the first place.
Encryption may not always be convenient. But most of the excuses for not using the technology have gone. Most security experts agree that encryption tools have gotten cheaper to use, are easier to implement and are relatively straightforward to manage. Many state regulations and industry regulations such as the Payment Card Industry Data Security Standard mandate the encryption of certain types of data. Companies that encrypt data also often have safe harbor from breach disclosure laws and liability issues. There really is no reason for companies to keep deferring encryption until they are forced to do it anyway because of a breach.
Multi-factor authentication
Passwords, as a security technology, have been seriously failing for some time now. It’s the reason why the federal government has mandated the use of two-factor authentication for remote access to its systems. Yet the private sector as a whole has continued to drag its feet on the issue. A Verizon data breach study last year showed that attacks exploiting weak passwords are especially endemic in the retail and hospitality industries. Over the past few years, cyber thieves operating mostly from outside the U.S. have stolen hundreds of millions of dollars from online banking accounts belonging to small and medium businesses and others, mostly by exploiting weak user authentication credentials. Numerous technologies, many of them relatively inexpensive, are available to enterprises today. While integrating such technologies may not always be easy, companies absolutely should be using multi-factor authentication to control access to non-trivial assets at this stage of the game, according to analysts.