Too Much Cybersecurity Awareness
RSA CEO: Responsibility Falls on Vendors, Government
Less than a week into National Cybersecurity Awareness Month (see President Proclaims Cybersecurity Month), the chief executive of a leading IT security provider contends there's too much cybersecurity awareness.
In testimony before the House Select Committee on Intelligence on Tuesday, RSA Chief Executive Art Coviello challenged a widespread belief that cybersecurity awareness could curb cyberthreats:
"Not a day goes by that I do not see some indication of a cyberattack in the press. ... There's too much awareness without anything being done. The problem is that when consumers see time and time again, nothing happens to correct it. They throw up their hands. There's no amount of consumer education to make them smart enough to resist attacks. They're just too sophisticated."
Coviello, to be fair, wasn't calling for consumer cybersecurity ignorance. Indeed, in his prepared remarks, Coviello cited several cybersecurity awareness programs RSA supports. But, he said, the complexity of IT and IT security places the core responsibility for safeguarding systems on others, most notably government and business, adding:
"It's incumbent upon us to get together to protect the consumer. ... not create more awareness in public."
Coviello's company, as you may recall, was victimized by an advanced persistent threat earlier this year that exposed information related to its SecurID authentication product (see 'Tricked' RSA Worker Opened Backdoor to APT Attack).
Lack of Clarity on Approach to Cybersecurity
The public has a part to play in cybersecurity, not just practicing computer hygiene, but helping policymakers decide what role government and business should play in leading the national cybersecurity effort.
In his testimony, former CIA and National Security Agency Director Michael Hayden said the greatest single impediment to enhanced cybersecurity is neither technology nor a shortage of trained personnel, but the lack of clarity when it comes to law and policy.
Hayden said the American people must establish the rules of the road. From his prepared testimony:
"Most (questions) we have not yet answered or at least have not yet agreed on answers and none of them are easy. How much do we really want to empower private enterprises to defend themselves? Do we want necessarily secretive organizations like NSA or CyberCom going to the mats publicly over privacy issues?"
The lack of a political consensus stems from a reluctance to talk about cybersecurity, Hayden said. "This information is horribly overclassified inside the government," he said. Even as a three-star Air Force general heading the NSA, Hayden said, he was reluctant to use the term "computer network attack."
That hypersensitivity has bled over into the cyber domain, where a reluctance exists in government and business to share information. Without transparency, he said, a consensus can't be built to address IT security threats and privacy concerns:
"We need to recalibrate what is truly secret. Our most pressing need is clear policy, formed by shared consensus, shaped by informed discussion and created by a common body of knowledge. With no common knowledge, no meaningful discussion, and no consensus, the policy vacuum continues. This will not be easy, and in the wake of WikiLeaks it will require courage, but it is essential and should itself be the subject of intense discussion. Who will step up to lead?"
Many look to the Obama administration and Congress to lead. So far, they have been understandably disappointed by what they perceive as a lack of leadership emanating from Washington.