Modern field guide to security and privacy

Opinion: Cybersecurity needs less talk, more action

As this year's RSA Conference, the world's largest cybersecurity gathering, comes to an end, it's time for the digital security industry to start sharing threat intelligence information in earnest and training the next generation of cybersecurity workers.

 

Eric Risberg/AP
Attorney General Loretta Lynch (l.) was among the many speakers at this year's RSA Conference in San Francisco that drew cybersecurity professionals from all over the world.

We've grown accustomed to a steady flow of bad cybersecurity news. Scarcely a month goes by without another massive data breach, but they attract less attention as they grow more common.

While headlines question whether critical national infrastructure – the power grid, transport, or financial systems – is vulnerable to cyberattack, those news stories quickly fade.

At this year's RSA Conference, the world's largest annual cybersecurity industry gathering, industry professionals regularly challenge one another to think different and innovate in order to conquer a new world of worries. It's good, if sometimes predictable, rhetoric.

But our cyberadversaries aren't giving keynotes at elaborate industry conferences. Instead, they are busy giving us more than 500,000 new varieties of malware every day. We need to take real, tangible action. Many options lie before us, but here are two that are already working – action plans my industry can embrace more fully right now.

First, we can take more action in the area of threat intelligence sharing. We have a great pilot program in the two-year-old Cyber Threat Alliance (CTA), where competitors pool resources to analyze threat intelligence. The CTA's first successful campaign was waged against CryptoWall v.3, a family of ransomware that cost innocent users $325 million last year.

In a fairly cutthroat business, this kind of collaboration is not a natural impulse. Nobody wants to cede a proprietary advantage. But I say we must set aside the notion that cybersecurity competitors gain power by hoarding threat data. The CTA proves collective knowledge is more powerful. When everyone shares, we’re all more secure. And we can still distinguish ourselves from one another – by acting more creatively on shared intelligence, serving different customers, and securing different parts of the infrastructure. 

I urge action-minded security firms to find or form a cyberinformation exchange, or join the CTA itself. Threat intelligence sharing that thwarts attacks can make positive headlines – which would be a welcome change from the current usual. 

On a second front, we can take action right now to improve our labor force pipeline. Neither cybersecurity businesses nor governments invest enough in recruiting talented young people. The US today lacks more than 200,000 qualified security pros, and we’re approaching a cybersecurity talent shortage of 2 million people worldwide.

The White House has proposed creation of a national cyber corps: good news. But private firms can move faster, partnering with state and municipal agencies and academic centers. The Pathmaker Internship Program at Purdue University, which enlists science, technology, engineering, and math graduates to staff a security operations center, or SOC, tasked with protecting Indiana infrastructure from cyberattack, gets support from private companies in need of talent – and it gets results.

So does the SANS Institute, a private cooperative security training organization operating worldwide, with its worldwide NetWars tournaments – online security problem-solving competitions that attract young people by adopting the syntax of interactive games. 

If we got 1,000 security companies following suit or partnering with local resources, orienting today's students toward tomorrow's cybersecurity jobs, the results would resound across the country. Every digital security company can contribute something to the cause – be it tangible resources or technology, or simply their expertise. We’d be a safer country, a safer world. My industry can instigate that.

"Action speaks louder than words," said Mark Twain wryly, "but not nearly as often." The cybersecurity industry has long talked a good game. This is our year to act – to take feasible, collaborative steps.

Chris Young is general manager of Intel Security at Intel Corporation. Follow him on Twitter @youngdchris.

 
