Representative Ro Khanna (D-Calif.) recently introduced cybersecurity legislation that would “mandate Congress [to] direct OMB to require cybersecurity training for federal employees and include information on the risks of Internet of Things (IoT) devices…”
On the surface, this seems like a great idea. Rep. Khanna represents a district in the heart of Silicon Valley, so if there’s anyone who knows and understands the threat landscape facing federal agencies, it’s him. Also, since people are one of the largest vulnerabilities facing federal agencies, it makes sense that Rep. Khanna would want to require cybersecurity and cyber hygiene training.
But is this an effective way to solve the problem, or just window dressing? I would argue it’s the latter – and it’s certainly not the first piece of cybersecurity legislation intended to solve this problem.
The “Promoting Good Cyber Hygiene Act of 2017” (H.R.3010) was introduced in the House of Representatives years ago. That bill would require the National Institute of Standards and Technology (NIST) to “…provide for the identification and documentation of best practices for cyber hygiene…” Much like Rep. Khanna’s bill, it would only serve to give the illusion that the government is doing something to make itself more secure.
Where did this cybersecurity legislation go wrong? Let’s dive in.
No metrics, no definitions…no impact
One of the biggest problems with bills like Rep. Khanna’s and the “Promoting Good Cyber Hygiene Act of 2017” is that they don’t define the broad terms and topics they use.
What is cyber hygiene? Is it patch management? Is it spotting phishing and spear phishing attacks? Is it training on not using the same passwords for all systems and applications? Cyber hygiene is a broad, inclusive topic.
The government needs to define the terms and understand what it is looking to accomplish before it can set out to change behaviors or make a difference. Then it can establish clear, tangible and definable outcomes. Without defining the terms and establishing the goals, any action is like boiling the ocean.
Then there are the actual steps that both of these fundamentally flawed pieces of legislation take to try to solve the problem.
Rep. Khanna’s legislation would have the Office of Management and Budget (OMB) require agencies to train federal employees on cyber hygiene. But training doesn’t work. That’s been validated by Dr. Arun Vishwanath, who has studied human behavior extensively and found that people seldom change their behaviors as a result of training. All training really does is make federal employees “check the box” and get the training out of the way.
With the “Promoting Good Cyber Hygiene Act of 2017,” NIST would be required to create a list of cyber hygiene best practices. That’s even less useful than training. In fact, it’s counter-productive.
Technology moves quickly and laws move slowly. By the time NIST establishes the list of best practices, they won’t be applicable anymore. Worse, a publicly available list of best practices provides hackers with a roadmap of exactly what federal employees are told to do to mitigate cyberattacks – making it easier to perpetrate cyberattacks.
What should the government really do?
Instead of legislation that requires agencies to commit to ineffective training or to compile lists of archaic best practices, agencies should simply commit to the basics. There are fundamental processes and procedures agencies should have in place and probably don’t.
Each federal agency should have an inventory of what is on its network. Once it knows the endpoints on its network, it should implement adequate endpoint protection and ensure that it has the latest versions of everything. Patch management – and the lack thereof – is a huge issue across agencies.
These are fundamental things that aren’t flashy, but they’re important, and an astonishingly large number of attacks against agencies succeed by exploiting lapses in exactly these basics.
Once agencies have their houses in order, they can then start to look at the newer, more advanced technologies that are being introduced. That includes:
- Moving target defense – polymorphic defense that looks the same to the attacker but behaves differently, ensuring that the same attack won’t be effective on similar systems.
- Zero Trust and cloud adoption – moving to the cloud requires rearchitecting all of an agency’s systems, giving them a once-in-a-lifetime chance to start from scratch and implement Zero Trust solutions. These solutions place as many protections as possible as close as possible to the data. Zero Trust approaches validate every access to every system and only give people access to what they need.
- Artificial Intelligence – AI makes it possible to automate threat intelligence. Using AI, agencies can easily and quickly go through threat intelligence and develop threat profiles and models.
The federal government doesn’t need “window dressing” cybersecurity legislation. It needs agencies to commit to the basics and fundamentals. And once the fundamentals are in place, they can look to a new generation of cybersecurity solutions that add another layer of protection to their networks.