Focusing solely on cybersecurity practices to prevent breaches won’t result in the security that government agencies need, according to Dale Meyerrose, former chief information officer and information sharing executive for the U.S. Intelligence Community.
“We talk about cybersecurity as if that is the end. It is not. I don’t care about cybersecurity. I care about protecting the enterprise, I care about protecting the activity, I care about protecting the value,” said Meyerrose. “Cybersecurity in and of itself cannot fix the issue.”
Meyerrose, who spoke Tuesday at the Cyber Resilience Summit in Reston, Va., said most security professionals think of a network like a physical boundary to protect, which doesn’t work in cyberspace.
“They don’t want your network, they want the stuff that’s in your network. So why are we protecting the network?” he said.
According to a Department of Defense inspector general report, 87 percent of intruders into its networks were employees and insiders. This figure includes both malicious and accidental exposure by privileged users.
“Insider behavior accounts for 90 percent of all hacks and attacks,” said Meyerrose. “It’s social engineering by and large. It’s acts of omission and commission. Why do we give cybersecurity problems to cybersecurity professionals when they can’t fix it in the first place?”
Meyerrose also criticized the hiring and education practices of the U.S. government, explaining that the common requirement that workers have a university degree isn’t practical because many of the best cyber experts don’t have degrees and universities are reluctant to institute cyber programs.
“The United States’ higher education system doesn’t produce people that work in that business,” Meyerrose said, adding that he has worked with universities throughout his career and struggled to sell degree programs that focus entirely on cybersecurity.
By contrast, industries that often hire employees without much higher education, such as the video game industry, are capable of responding to threats in one week, much faster than the government’s average of two years.
“The best cybersecurity folks in any industry are in the video game industry,” said Meyerrose.
He explained that another problem in government cybersecurity is the antagonistic treatment of industry contractors, in which failure is expected before it even occurs.
“Those tribal attitudes exist and exist more often than not,” Meyerrose said. “Out in the corporate world, when you take on a partner, you’re a partner. You’re not treated like the enemy.”
Ultimately, Meyerrose said leadership needs to invest more directly in changing the cybersecurity culture and practice of their organization.
“I truly believe we’ve got to change the cybersecurity business; we’ve got to change the software business,” said Meyerrose.