Acknowledging that you have a problem is the first step to addressing the problem in a serious way. This seems to be the reasoning for the White House recently announcing its "Strengthening America's Cybersecurity" initiative.
The text of the announcement contains several statements that anyone who's ever read about cybersecurity will have heard many times over: increasing resilience, greater awareness, countering ransomware attacks – the list goes on.
There are some novel aspects to the text as well, including a realization that cybersecurity is not, has never been, and will never be something that can be solved at the nation-state level.
The White House also pointed to IoT warning labels as a solution – and reminded us all (and we do need reminding) about the importance of cybersecurity education. Let's take a look.
International cooperation is critical
A key point that the White House statement makes very clear is that cyberattacks are asymmetric in the sense that threat actors can operate across borders with impunity. Meanwhile, defenders will often be restrained by legal requirements that do not allow for proportional responses.
Attackers feel a sense of protection because they enjoy lighter regulatory and enforcement measures at home, while they can target systems operating virtually anywhere on the planet – no matter how strongly the law is enforced in the target's country of residence.
As long as the issue is not addressed at an international level, any solutions that are found will be no better than band-aids. The White House initiative correctly states, in multiple instances, that international partners and organizations like NATO will play a decisive role in the cybersecurity space.
This is not an ideal solution. Yes, international partners working together expands the defense landscape to a size that more closely resembles the size of the problem. However, this is still a patchwork solution with limited effectiveness.
What we need is something more like a global treaty that actually enforces cybersecurity law. Just think about the impact of international maritime law, for example.
Nonetheless, sharing information about threat actors, methodologies, and novel techniques is undoubtedly in everyone's best interest and, if set in motion adequately, will enable faster responses to new threats.
Cybersecurity education continues to matter
Another interesting aspect of the Strengthening America's Cybersecurity initiative is the focus on boosting cybersecurity education. As we are constantly and painfully made aware, cybersecurity is first and foremost a people problem rather than a technology problem.
Increasing cybersecurity literacy and teaching people the basics of how to behave securely online at all stages of private and business life will have compounding effects both in reducing risk and in lowering the impact of any incidents that will inevitably still occur.
Take the National Initiative for Cybersecurity Education (NICE) supported by the NIST, for example. With a formal framework, regular events, and newsletter updates, it makes a strong effort. No solution is foolproof, of course, but the cumulative effects of every initiative will make a difference.
What about risk labels for IoT devices?
There's a hot debate around a new risk label scheme for IoT devices. Consumer cybersecurity labels are intended to act as a route to disclosure, similar to the way that food labels list ingredients and nutritional scores.
However, the jury is still out on how effective a consumer cybersecurity label will be. New vulnerabilities emerge all the time, so how accurate a label printed half a year ago will be when a device is sitting on a shelf at Best Buy is debatable.
Also, without adequate international support, the labeling initiative will probably lead to fragmentation, just like GDPR did – as some websites now choose to simply block off all visitors from GDPR-covered regions rather than try to comply with GDPR requirements.
There's also a concern that a label could simply be an "a la carte" menu for attackers. If a label clearly specifies all the cybersecurity measures a device has in place, it just makes it easier for an attacker because they can save time by skipping attack strategies that obviously won't work.
It's a step-by-step process
A consumer cybersecurity label is a step in the right direction in a landscape where it's often tough to make any progress. If implemented correctly, consumer cybersecurity labels could lead to an overall improvement of security conditions across the Internet and its assorted networks. The same goes for the growing number of cybersecurity education initiatives.
But, as they say, the devil is in the details, and those are still to be announced. The takeaway is that the US government is making at least some effort to help the country's citizens and businesses get a grip on the cybersecurity crisis.
Will it be enough? Probably not, but some movement is better than no movement at all.
This article is written and sponsored by TuxCare, the industry leader in enterprise-grade Linux automation. TuxCare offers unrivaled levels of efficiency for developers, IT security managers, and Linux server administrators seeking to affordably enhance and simplify their cybersecurity operations. TuxCare's Linux kernel live security patching and standard and enhanced support services assist in securing and supporting over one million production workloads. To stay connected with TuxCare, follow us on LinkedIn, Twitter, Facebook, and YouTube.