Embrace the ‘power of simple’ to fix federal cyber problems

Cyber attacks and major data breaches have reached the crisis stage. Real security can begin today. The cybersecurity community must focus on prevention, not continue to offer analysis, containment and recovery alone. Strong cyber policy and best practices must be developed and enforced in a way that simplifies the user experience, thus removing the opportunity for compromising mishaps.

Employing the “power of simple” provides each citizen the means to authenticate themselves using something they have (an asymmetric digital signature), activated by something they are (a biometric), which initiates a unique chain of trust between the devices they are using and the resources being accessed. This will protect public and private critical infrastructure and individual privacy.

Cyber experts continue to state that further data breaches are inevitable. This is only true if we continue to do business as usual. The definition of insanity, as widely attributed to Albert Einstein, is doing the same thing repeatedly and expecting a different outcome. Isn’t it ironic that we continue to employ obsolete signature-based systems, such as “EINSTEIN,” to monitor and detect only known attacks?

Daniel Turissini, chief technology and chief information security officer of SolPass LLC.

Computers as attackers are complicating the war on cyber. As the Internet of things evolves, zombie-like entities with heuristic computing capability that leverage harvested big data will automate dynamic attacks, rendering current solutions even less effective.

The ineffectiveness of cybersecurity in both government and industry has undermined the confidence of the public. When the cybersecurity industry should be focused on interoperability, trustworthiness, citizen privacy and critical infrastructure protection, we are distracted by snake oil salesmen focused on short-term exploitation of cyber fears. The root cause of nearly all cyber vulnerability is continually dismissed as too hard to address. The notion that there is no immediate preventative strategy that can curtail future attacks is fundamentally flawed.

The fact that authorized system or network users are sometimes careless does not mean that these actions have to result in catastrophe. I have been perplexed for a long time that our government has not taken advantage of the significant investment already made in asymmetric technology, a technology that, when combined with self-managed and locally protected biometrics, can present an enormous roadblock to, if not eliminate, most cyber attacks.

By embracing these existing capabilities, instead of trying to build more complicated shared secrets, transactions that do not originate from an authenticated, known, and trusted authority can easily be discarded, and we will all live in a safer virtual ecosystem.

As the Internet has evolved, enterprises and users have created, deposited and replicated large bodies of vulnerable and inadequately protected data. Criminals, terrorists and even nation states are increasingly taking advantage of that information. Too much personal data is maintained for accountability and ease of communication, with a misguided sense that this information is needed for security.

The recent Office of Personnel Management breach is a classic example of this vulnerability. Massive data breaches such as this are used to harvest personal information for criminal or subversive purposes. Much of our security relies on knowledge-based authentication, sharing private information that only the user and the system know. Data breaches have compromised much of the data used for this purpose. There are far better methods to use.

The technologies necessary to attain cybersecurity in our open society are available. Asymmetric credentials fully support non-repudiation and ensure user privacy coupled with multiple levels of credential protection based on the requisite security need.

However, to do so we must embrace change, continue to evolve technologies as advancements emerge and technologies mature, and put complex systems into user-friendly packaged solutions. Through proper integration and configuration, cybersecurity can be achieved and privacy protected. Leveraging these technologies is not a panacea. It is an achievable undertaking that will, as the Constitution says, “provide for the common defense, promote the general welfare, and secure the blessings of liberty to ourselves and our posterity” and avoid the pending “zombie apocalypse” from consuming the global economy via cyber and the evolving Internet of things.


 

Daniel Turissini is the Chief Technology and Chief Information Security Officer of SolPass LLC. In these roles, he oversees all of the development, engineering, and integration functions, as well as establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected for the company and its clients.
