Built-in Cybersecurity is a Matter of Will–Not Ability, NIST Expert Says


Technology developers and government agencies know how to incorporate cybersecurity into their products, but the question is whether they have the will to do it, according to National Institute of Standards and Technology fellow Ron Ross.

“There is a soft underbelly to all this technology and the bad news is that we have to be able to protect what we deploy,” said Ross. “And I think there has to be a conversation at some point, probably fairly soon, that recognizes our cybersecurity problems, because […] with all of the money we spend on cyber, we still have significant numbers of breaches and damaging attacks going on in the public sector and private sector.”

Ross, who spoke at the Cloudera Government Forum on Tuesday, categorizes threats as “above the waterline,” which includes the basic cybersecurity best practices that average people deal with every day, and “below the waterline,” which includes vulnerabilities in the applications, code, and services of an organization.


“Unless and until we understand the problems below the waterline, how to build trustworthy, secure systems, components, and services, we will continue to be having these devastating attacks as long and as far as the eye can see,” said Ross.

Cybersecurity in the tech industry will have to go the way of safety in the automobile industry, according to Ross, where a combination of regulation and consumer pressure drove car manufacturers to include things like seat belts and airbags as a standard feature.

“In my automobile, they don’t ask me to install my own airbag, it comes with the car. I don’t install my own seat belt, it comes with the car,” Ross said. “We’re kind of in no man’s land right now. We don’t have any carrots and there’s no sticks. There’s no incentives for some of the companies to build those things.”

According to Ross, people are not going to stop buying these unsecured products. And if they continue to sell, they could be responsible for another mass distributed denial of service attack like the one against Dyn last October.

“I think there’s going to have to be a dialogue that involves government, industry together working to figure out where that balance point is, because, if we don’t do that, we’re going to see things like what happened last fall,” said Ross.

However, even resolving many of these security problems will not prevent all successful attacks, particularly those that come from an entirely unknown tool or vulnerability.

“It seems like every time we think we’re secure, there’s going to be another hack,” said William Vanderlinde, chief scientist at the Intelligence Advanced Research Projects Activity. “I think all we can do is the best thing we know how to.”

Ross suggests implementing a triage system, in which a small number of critically important systems are heavily protected.

“Everything in the Federal government is categorized in the low, moderate, or high bucket based on mission impact if that asset is compromised or lost,” said Ross. “You really have to go lean and mean for the things that you care about.”
