A Quick Look at the “Strengthening America’s Cybersecurity” Initiative

Acknowledging that you have a problem is the first step to
addressing the problem in a serious way. This seems to be the
reasoning for the White House recently announcing its
“Strengthening America’s Cybersecurity” initiative.

The text of the announcement contains several statements that
anyone who’s ever read about cybersecurity will have heard many
times over: increasing resilience, greater awareness, countering
ransomware attacks – the list goes on.

There are some novel aspects to the text as well, including a
realization that cybersecurity is not, has never been, and will
never be something that can be solved at the nation-state
level.

The White House also pointed to IoT warning labels as a solution
– and reminded us all (and we do need reminding) about the
importance of cybersecurity education. Let’s take a look.

International cooperation is critical

A key point that the White House statement makes very clear is
that cyberattacks are asymmetric in the sense that threat actors
can operate across borders with impunity. Meanwhile, defenders will
often be restrained by legal requirements that do not allow for
proportional responses.

Attackers feel a sense of protection because they enjoy lighter
regulatory and enforcement measures at home, while they can target
systems operating virtually anywhere on the planet – no matter how
strongly the law is enforced in the target’s country of
residence.

As long as the issue is not addressed at an international level,
any solutions that are found will be no better than band-aids. The
White House initiative correctly states, in multiple instances,
that international partners and organizations like NATO will play a
decisive role in the cybersecurity space.

This is not an ideal solution. Yes, having international partners
work together expands the defense landscape to a size that more
closely resembles the size of the problem. However, this is still a
patchwork solution with limited effectiveness.

What we need is something more like a global treaty that
actually enforces cybersecurity law. Just think about the impact of
international maritime law, for example.

Nonetheless, sharing information about threat actors,
methodologies, and novel techniques is undoubtedly in everyone’s
best interest and, if set in motion adequately, will enable faster
responses to new threats.

Cybersecurity education continues to matter

Another interesting aspect of the Strengthening America’s
Cybersecurity initiative is the focus on boosting cybersecurity
education. As we are constantly and painfully made aware,
cybersecurity is first and foremost a people problem rather than a
technology problem.

Increasing cybersecurity literacy and teaching people the basics
of how to behave securely online at all stages of private and
business life will have compounding effects both in reducing risk
and in lowering the impact of any incidents that will inevitably
still occur.

Take the National Initiative for Cybersecurity Education (NICE),
supported by NIST, for example. With a formal framework,
regular events, and newsletter updates, it makes a strong effort.
No solution is foolproof, of course, but the cumulative effects of
every initiative will make a difference.

What about risk labels for IoT devices?

There’s a hot debate around a new risk label scheme for IoT
devices. Consumer cybersecurity labels are intended to act as a
route to disclosure, similar to the way that food labels list
ingredients and nutritional scores.

However, the jury is still out on how effective a consumer
cybersecurity label will be. New vulnerabilities emerge all the
time, so it is debatable how accurate a label printed half a year
ago will be when the device is sitting on a shelf at Best Buy.

Also, without adequate international support, the labeling
initiative will probably lead to fragmentation, just like GDPR did
– as some websites now choose to simply block off all visitors from
GDPR-covered regions rather than try to comply with GDPR
requirements.

There’s also a concern that a label could simply be an “a la
carte” menu for attackers. If a label clearly specifies all the
cybersecurity measures a device has in place, it just makes it
easier for an attacker because they can save time by skipping
attack strategies that obviously won’t work.

It’s a step-by-step process

A consumer cybersecurity label is a step in the right direction
in a landscape where it’s often tough to make any progress. If
implemented correctly, consumer cybersecurity labels could lead to
an overall improvement of security conditions across the Internet
and its assorted networks. The same goes for the growing number of
cybersecurity education initiatives.

But, as they say, the devil is in the details, and those are
still to be announced. The takeaway is that the US government is
making at least some effort to help the country’s citizens and
businesses get a grip on the cybersecurity crisis.

Will it be enough? Probably not, but some movement is better
than no movement at all.

This article is written and sponsored by TuxCare[1], the industry
leader in enterprise-grade Linux automation[2]. TuxCare offers
unrivaled levels of efficiency for developers, IT security
managers, and Linux server administrators[3] seeking to affordably
enhance and simplify their cybersecurity operations. TuxCare’s
Linux kernel live security patching and standard and enhanced
support services[4] assist in securing and supporting over one
million production workloads. To stay connected with TuxCare[5],
follow us on LinkedIn[6], Twitter[7], Facebook[8], and YouTube[9].

References

  1. ^ TuxCare (bit.ly)
  2. ^ Linux automation (bit.ly)
  3. ^ Linux server administrators (bit.ly)
  4. ^ enhanced support services (bit.ly)
  5. ^ TuxCare (bit.ly)
  6. ^ LinkedIn (bit.ly)
  7. ^ Twitter (bit.ly)
  8. ^ Facebook (bit.ly)
  9. ^ (bit.ly)
