Remember the classic comedy movie, “Caddyshack”? The beloved Judge Smails (played enthusiastically by Ted Knight) reaches the 18th hole in a golf match with a sizeable wager on the line (“Gambling is illegal at Bushwood, sir.”). It comes down to one putt for our hero, Danny Noonan. As he takes his sweet time laboring over the line of the putt and the slope of the green, the Judge gets impatient and, in exasperation, cries out: “Well…we’re waiting!” It’s not unlike the formation, future actions, and enforcement of a U.S. cyber strategy. We’re STILL waiting.
Since 2008, it’s almost like “Groundhog Day”, over and over again. Meetings were held, committees formed and disbanded, and an entirely new administration set it all in motion again. Believe it or not, on the same day this “strategy” was announced, the Department of Defense (DoD) quietly released an unclassified summary and fact sheet of its own 2018 Cyber Strategy, replacing the previous administration’s 2015 DoD Cyber Strategy.
The following is a summary of the actions highlighted in the administration’s own published document, the National Cyber Strategy of the United States of America, September 2018. It also identifies where we are, according to the current U.S. Administration, after 18 months of deliberation:
- The U.S. has sanctioned malign cyber actors, indicted those committing cybercrimes, and publicly attributed malicious activity to the adversaries responsible. It has also released details of the methods used in that malicious activity.
- The U.S. has required departments and agencies to remove vulnerable software.
- The U.S. has created accountability standards for the department and agency heads who manage cybersecurity risks and the systems they control, empowering them to provide adequate security.
- The U.S. has previously implemented Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
So, all that is nice. But what happens now? If you read the table of contents of this new, 26-page National Cyber Security Strategy, you’d think someone finally has a handle on U.S. cyber security, and that protections and enforcement should certainly begin. But as my friend John Pinette was fond of saying, “Nay-Nay”.
While the National Cyber Strategy is a good first step and represents the United States’ “first fully articulated cyber strategy in 15 years” – there’s still actual, practical hard work to be done.
For example, the recent Marriott breach doesn’t pose a “national infrastructure threat,” but it does create serious issues for the 500 million users whose personal data was stolen. This was the second-largest hack of all time. Extrapolate that to all North American services businesses, retail, industry, federal contractors and every other place data is stored, and you have a national, or even international, threat.
In reality, there is no ONE solution that’s a panacea for all that ails us. Looking at the National Cyber Strategy, it is perhaps one of the most forward-looking and proactive approaches to the cyber world ever seen. The document puts forth four key areas:
- Aggressive oversight of government contractors and systems
- More and better trained cybersecurity workers
- Securing the federal supply chain
- Updating computer crimes statutes and legislation
Certainly comprehensive, but analysts note it still lacks any form of detail, specific initiatives or even deadlines for completion. Coordination with other plans, such as those by the Department of Defense, is also lacking. Finally, every initiative proposed by this strategy causes complicated legal issues – from privacy to civil liberties. The implications for any one of these issues can tie up implementation for months, or even years.
The question is: Just how long are you willing to wait? In a world where new attacks happen every day, action must be taken now – regardless of the state of a larger U.S. cybersecurity strategy. And while the security landscape is confusing, there are definitely specific areas where you can start. For example, a formalized Public Key Infrastructure (PKI) provides a framework – including roles, policies and procedures – to create, manage, distribute, use and store digital certificates and to manage public-key encryption. By starting with an internal/external PKI for all endpoints – from users and machines to e-mail and mobile devices – companies can engineer a foundation upon which a larger security infrastructure is built.
One effective way to get started is with a Managed PKI solution. These cloud-based SaaS platforms reduce the cost, effort and time associated with managing multiple enterprise digital certificates. One account can support multiple entities, with a user administrator having complete, centralized control of certificate needs across the organization. APIs, Active Directory integration and inventory tools make it simple to automate and track certificate deployments.
So while the image of Judge Smails pushing for action is funny, it’s not how you should run your business. It’s critical to begin building on what we know from the new National Cyber Security Strategy – and to align internally for stronger policies, programs and infrastructure. No more waiting. Now’s the time.