Opinion: Cybersecurity needs less talk, more action
As this year's RSA Conference, the world's largest cybersecurity gathering, comes to an end, it's time for the digital security industry to start sharing threat intelligence information in earnest and training the next generation of cybersecurity workers.
We've grown accustomed to a steady flow of bad cybersecurity news. Scarcely a month goes by without another massive data breach, but they attract less attention as they grow more common.
While headlines question whether critical national infrastructure – the power grid, transport, or financial systems – is vulnerable to cyberattack, those news stories quickly fade.
At this year's RSA Conference, the world's largest annual cybersecurity industry gathering, industry professionals regularly challenge one another to think different and innovate in order to conquer a new world of worries. It's good, if sometimes predictable, rhetoric.
But our cyberadversaries aren't giving keynotes at elaborate industry conferences. Instead, they are busy giving us more than 500,000 new varieties of malware every day. We need to take real, tangible action. Many options lie before us, but here are two that are already working – action plans my industry can embrace more fully right now.
First, we can take more action in the area of threat intelligence sharing. We have a great pilot program in the two-year-old Cyber Threat Alliance (CTA), where competitors pool resources to analyze threat intelligence. The CTA's first successful campaign was waged against CryptoWall v.3, a family of ransomware that cost innocent users $325 million last year.
In a fairly cutthroat business, this kind of collaboration is not a natural impulse. Nobody wants to cede a proprietary advantage. But I say we must set aside the notion that cybersecurity competitors gain power by hoarding threat data. The CTA proves collective knowledge is more powerful. When everyone shares, we’re all more secure. And we can still distinguish ourselves from one another – by acting more creatively on shared intelligence, serving different customers, and securing different parts of the infrastructure.
I urge action-minded security firms to find or form a cyberinformation exchange, or join the CTA itself. Threat intelligence sharing that thwarts attacks can make positive headlines – which would be a welcome change from the current usual.
On a second front, we can take action right now to improve our labor force pipeline. Neither cybersecurity businesses nor governments invest enough in recruiting talented young people. The US today lacks more than 200,000 qualified security pros, and we’re approaching a cybersecurity talent shortage of 2 million people worldwide.
The White House has proposed creation of a national cyber corps: good news. But private firms can move faster, partnering with state and municipal agencies and academic centers. The Pathmaker Internship Program at Purdue University, which enlists science, technology, engineering, and math graduates to staff a security operations center, or SOC, tasked with protecting Indiana infrastructure from cyberattack, gets support from private companies in need of talent – and it gets results.
So does the SANS Institute, a private cooperative security training organization operating worldwide, with its worldwide NetWars tournaments – online security problem-solving competitions that attract young people by adopting the syntax of interactive games.
If we got 1,000 security companies following suit or partnering with local resources, orienting today's students toward tomorrow's cybersecurity jobs, the results would resound across the country. Every digital security company can contribute something to the cause – be it tangible resources or technology, or simply their expertise. We’d be a safer country, a safer world. My industry can instigate that.
"Action speaks louder than words," said Mark Twain wryly, "but not nearly as often." The cybersecurity industry has long talked a good game. This is our year to act – to take feasible, collaborative steps.
Chris Young is general manager of Intel Security at Intel Corporation. Follow him on Twitter @youngdchris.