Cybersecurity wasn't even the stuff of dreams when George Washington delivered the first State of the Union message to Congress on Jan. 8, 1790. But fast forward to 2015 and there it was, playing a prominent role in Barack Obama's annual address to the nation.
Obama called for better cybersecurity in his televised address last night, urging Congress to pass legislation that will improve computer protection. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,” he said.
For the record, Article II, Sec. 3, of the US Constitution requires the President to, "from time to time give to Congress information of the State of the Union and recommend to their Consideration such measures as he shall judge necessary and expedient." And leaders from Washington to Obama have been doing just that in one form or another for more than 200 years.
Last night's State of the Union Address featured Obama's new legislative focus on cybersecurity issues, including identity protection, information sharing between the public and private sector, harsher punishment for those engaged in cyber crime, and even touched on encryption. So how did the security community weigh in?
In the past year, online security and data theft have been making international headlines, starting with huge security breaches at retailers like Target and Neiman Marcus and going right up to the recent cyberattack — reportedly by North Korea — on Sony Pictures Entertainment. And just this week, in an embarrassing turn of events, hacking group Lizard Squad was itself hacked, in an attack that exposed the entire database of people who had signed up to use its services.
No one, apparently, in an era of increasing digital connections, is safe.
What are the most important take-aways from President Obama's comments on cybersecurity in his State of the Union Address?
Chris Roberts, VP, Public Sector, Good Technology
Roberts joined Good Technology in May 2010 as the Vice President World Wide Public Sector. He is responsible for the development and growth of Good's Public Sector Industry practice worldwide. Since he joined, the Good Public Sector team in the United States has signed agreements with the US Army, the US House of Representatives, the US Senate, the Department of Homeland Security and, most recently, the White House. He was previously with Microsoft for nine years, where he held roles at the Redmond, Wash. corporate headquarters, Istanbul and Johannesburg.
We're extremely pleased to see France, Germany, the UK and the United States focus on avenues to improve cybersecurity. It's our hope that legislation will provide law enforcement and intelligence agencies with the tools to aggressively combat cyber criminals, terrorists and cyber vandals. Our hope is that legislation designed to make citizens safer does not weaken law-abiding individuals', companies' or organizations' ability to protect themselves and their data from those who wish to exploit it.
Marc Gaffan, Co–Founder and Chief Business Officer at Incapsula
Before founding Incapsula, Gaffan was Director of Product Marketing at RSA, EMC's security division, where he was responsible for strategy and activities of a $500 million IT security product portfolio. Before that, Gaffan was the Director of Marketing for the Consumer Solutions Business Unit at RSA. While at RSA, he appeared before the US Congress, FDIC and Federal Trade Commission on cybersecurity and identity theft topics.
Recently, we have watched cyber criminals not only engage in more complex attacks, but also seen the proliferation of hacking guns for hire. Creating legislation that clearly states the illegality of selling botnets will combat the exponential growth of malicious bots trolling the Internet, which by our own research makes up 30 percent of all Web traffic. We also see great potential in allowing courts to shut down bots engaged in DDoS attacks and other illegal activity. These types of attacks cost businesses an average of $500,000 in damages, and as we saw recently with the Sony hack, organizations under attack are largely helpless in protecting themselves once their network has been breached.
While we are encouraged to see the government address this burgeoning threat, it is still imperative for organizations to put protective measures in place. Securing a network against attacks not only protects against the threat of a site shutdown, it ensures that customer or employee data does not fall into the wrong hands.
Uri Sarid, CTO, MuleSoft
Sarid brought more than 20 years of technology and research leadership experience to MuleSoft. He was previously Vice President of the NOOK Cloud at Barnes & Noble, where he architected, led and released the flagship digital content and user platform for NOOK. Before that, he was VP of Engineering at eMeter (acquired by Siemens), a provider of enterprise software for the SmartGrid. He has also held CTO and VP of engineering positions at companies including Loyalize, Aptana, Accomplice, Noosh and digiGroups.
What is most important about cybersecurity today is for everyone to remember these three lessons.
Lesson 1: The age of security by obscurity is over. We now know for sure that hackers have the time, skill and incentive to find you — and your vulnerabilities.
Lesson 2: Complexity is the enemy. Modern IT systems are incredibly powerful, but they’re also dangerously complex and deeply interconnected. Every smartphone, tablet, web server and office application is a potential vulnerability. No one can fix them all, and a hacker only needs to find one.
Lesson 3: Simplicity is your best defense. That's one reason so many businesses are using custom APIs for their IT. APIs reduce an organization’s “attackable surface” by exposing a select set of IT functions: updating or reading a sales record, for instance. Users (or hackers) never touch the underlying IT systems, just the API. Even if hackers do manage to access the API, they can’t do anything the API doesn’t allow. Instead of locking down everything equally (an impossible task) businesses can focus on securing the API and the systems it touches. It’s not a foolproof strategy. You still have to protect the API correctly (see Verizon’s recent mishap), but this is a practical and increasingly popular way to manage security in the face of complexity.
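To make the "attackable surface" argument concrete, here is an added example (not MuleSoft's code, and not taken from the contributor) of the pattern Sarid describes: a narrow API that exposes only "read a sales record" and "update its notes" over a backing store the caller never touches. The record schema, the owner names and the sample data are all constructed for this example. It also shows the caveat in his last sentence: narrowing the surface does not remove the need to protect what remains, so every exposed function runs an object-level ownership check before it reaches the underlying data.

```go
package main

import (
	"errors"
	"fmt"
)

// SalesRecord is the backing data the API fronts. Hypothetical schema,
// constructed for this example.
type SalesRecord struct {
	ID      int
	OwnerID string
	Amount  int
	Notes   string
}

// store stands in for the "underlying IT system". Callers never receive a
// handle to it; they only receive the SalesAPI below.
type store struct {
	records map[int]*SalesRecord
}

// SalesAPI is the deliberately narrow surface: read one record, update its
// notes. There is no Delete, no ListAll and no raw query, so anything the API
// does not expose cannot be reached through it.
type SalesAPI struct {
	db *store
}

var (
	ErrNotFound  = errors.New("record not found")
	ErrForbidden = errors.New("caller does not own this record")
)

// NewSalesAPI seeds a store with constructed sample data and hands back only
// the API handle.
func NewSalesAPI() *SalesAPI {
	s := &store{records: map[int]*SalesRecord{
		1001: {ID: 1001, OwnerID: "alice", Amount: 250, Notes: "paid"},
		1002: {ID: 1002, OwnerID: "bob", Amount: 900, Notes: "pending"},
	}}
	return &SalesAPI{db: s}
}

// authorize is the object-level check every exposed function runs. A small
// surface shrinks what an attacker can call; this check is what stops an
// authenticated caller from reading someone else's record by guessing an ID.
func (a *SalesAPI) authorize(callerID string, id int) (*SalesRecord, error) {
	rec, ok := a.db.records[id]
	if !ok {
		return nil, ErrNotFound
	}
	if rec.OwnerID != callerID {
		// A real service may want to return the not-found shape here so it
		// does not confirm that the ID exists; kept distinct so the two cases
		// can be told apart.
		return nil, ErrForbidden
	}
	return rec, nil
}

// Read returns a copy of the caller's own record.
func (a *SalesAPI) Read(callerID string, id int) (SalesRecord, error) {
	rec, err := a.authorize(callerID, id)
	if err != nil {
		return SalesRecord{}, err
	}
	return *rec, nil
}

// UpdateNotes is the only write the API allows; Amount and OwnerID cannot be
// changed through it at all.
func (a *SalesAPI) UpdateNotes(callerID string, id int, notes string) error {
	rec, err := a.authorize(callerID, id)
	if err != nil {
		return err
	}
	if len(notes) > 200 {
		return errors.New("notes too long")
	}
	rec.Notes = notes
	return nil
}

func main() {
	api := NewSalesAPI()
	r, err := api.Read("alice", 1001)
	fmt.Println(r, err)
	_, err = api.Read("alice", 1002) // alice probing bob's record
	fmt.Println(err)
	fmt.Println(api.UpdateNotes("bob", 1002, "shipped"))
}
```

The design choice worth noticing is that the authorization check lives inside the facade, next to the data lookup, rather than in each caller. If `authorize` were dropped, the API would still be "small", but every authenticated user could read every record simply by iterating IDs.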
David Campbell, CSO of SendGrid
Campbell has nearly two decades of experience providing security assessment and business-focused remediation assistance to organizations ranging from startups to public companies. A highly technical entrepreneur, he developed one of the first effective DDoS mitigation services in 2001. He went on to build MobileScope, a mobile security and privacy service that was acquired by Evidon in 2013 after winning The Wall Street Journal's Data Privacy and Transparency Hackathon in 2012. Before joining SendGrid, he was the founding CEO of JumpCloud, a venture-backed, SaaS-based server management and security startup.
2015 is the year that encryption becomes mainstream. We can’t expect consumers to understand or take on the burden of implementing encryption, so the security industry and technology providers need to take this on.
We’re already seeing the impact of broken security standards, such as the global PKI which is only as strong as the weakest link. Breaches and privacy debacles related to poor crypto implementations will continue until we can agree on a new approach forward.
There have been improvements, including certificate pinning, SSL Perspectives, Convergence and DNSSEC/DANE, that have seen some traction, but until the community, the governments, and the standards bodies can achieve consensus, all of the work we are doing may be wasted effort. Without evolution of global encryption, we expose the enterprise and consumers to unnecessary risk.
Sean Sullivan, security advisor, F-Secure
Sullivan brings security issues to a global audience, actively communicating with media. His goal, to make technology more approachable, is most visible in the F-Secure Labs Blog, where he covers security, privacy and other tech topics. Always understated, he describes his role on his LinkedIn profile by simply stating: "I research security related stuff."
Prediction: Section 215 and Section 206 of the USA PATRIOT Act and Section 6001 of the Intelligence Reform and Terrorism Prevention Act will be reauthorized before their June 1, 2015 expiration date.
Post-Snowden, it appeared as though the controversial provisions might lack the political support needed to avoid sunset. But now, we are confident that Washington D.C. will act to protect itself from 'nation state cyber-terrorism' and will renew them after all.
Don't expect reform in 2015. The violation of your digital freedom will continue. Mark your calendars.
Title image by Asa Aarons Smith / all rights reserved.