“Cyber Awakening: Protecting a Nation’s Security” was the theme of the recent AFCEA Cyber Symposium, where Suzanne Spaulding, undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security (DHS), delivered the opening keynote. Cyber security, according to Spaulding, is not a public sector issue. It is a national issue.
In today’s environment there are very real physical consequences of cyber attacks, and, according to Spaulding, the DHS’s commitment to strengthen the nation’s defenses against acts of cyber terrorism is of utmost importance. “The consequences that really keep us awake at night are physical consequences,” she stated. Cyber security in and of itself isn’t the end game; it’s a means to an end: to keep the cyber infrastructure safe and working for both citizens and businesses, and to mitigate cyber attacks so that not only infrastructure but real structures and systems in the physical world—such as the power grid—are safe.
Spaulding stressed that the physical and cyber worlds are interconnected not only in terms of what could happen in the event of a major breach, but also in terms of organizational structure within agencies—cyber security issues go beyond the purview of just the IT department, and all departments across an organization must be involved in cyber security efforts.
Expanding on this theme of working together, Spaulding addressed the need for public/private partnerships to advance cyber security in the U.S. “We need to break through in terms of innovation,” Spaulding said, pointing out that most cyber security efforts concentrate on identifying malware, which isn’t the most effective way to protect against future attacks. Instead, she emphasized, we must protect ourselves against future threats by developing profiles of past attacks and gaining an understanding of attributes to be on the lookout for.
She went on to address the need for innovation in the context of malware detection and prevention. Vitally important in this need for innovation, said Spaulding, is the Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program (C³VP), which launched in February 2014 to support and promote the use of NIST’s Cyber Security Framework. The Framework encompasses standards, guidelines and best practices for reducing cyber risks to critical infrastructure.
The C³VP has developed resources for organizations across a number of sectors, including academia; federal government; state, local, tribal, and territorial (SLTT) governments; and business. C³VP resources center around four key tenets of the framework: Identify, Protect, Detect and Respond.
Spaulding ended with a “wish list” of items she’d like to see with regard to cyber security. First on her list was basic cyber hygiene on a personal level among American citizens; she noted that basic safeguards such as strong passwords could stop about 90 percent of the cyber attacks we see today. Second was a wish that we as a nation focus on what information we need to protect, thereby enabling us to focus resources as effectively as possible.
Her third and final wish was that the U.S. break through in terms of innovation and become more forward-looking in terms of cyber threats, focusing not only on past attacks but on attributes to look for in the future. “What we really need is greater innovation, particularly in the context of malware,” Spaulding concluded, advising attendees to be part of building a more secure cyber landscape for the future.