MIT: US cyber insecurity a ‘disgrace’ that Trump needs to take seriously

MIT says that unless cybersecurity becomes a priority and more than just lip service, US core services will be at risk.

screen-shot-2017-03-28-at-13-09-25.jpg
Stock photo

 

MIT experts have warned the Trump Administration that unless urgent action is taken to control the influx of sophisticated cybercrime, US core services and infrastructure will be placed at risk.

The Massachusetts Institute of Technology, together with the educational establishment's Computer Science and Artificial Intelligence Laboratory (CSAIL) said on Tuesday that over the past 25 years, leaders of the United States have done little to promote or encourage cybersecurity solutions, education, and training.

Instead, they have done nothing more than pay "lip service" to the topic or agree to short-term fixes which have led to a game of "Whack-a-Mole."

However, things have changed. In the past decade, cybersecurity expertise in both the white and black-hat arenas has expanded, and as part of this transformation, we now have state-sponsored threat actors with resources at their disposal to target governments and companies alike, teenagers that are able to take down tech vendor websites from their bedrooms with ease, and hardly a week goes by when we do not hear of yet another data breach which has led to the release of credentials belonging to millions of accounts online.

If nothing more than lip service continues to be paid, MIT experts have warned that national security is in serious danger, and everything from US oil pipelines to the grid could be brought down in the future.

We've already seen cases where hackers have targeted core services. Ukraine's power grid has been hacked multiple times, South Korea's nuclear plant operator Korea Hydro and Nuclear Power was targeted last year by who are believed to be North Korean hackers, and researchers have shown how easy it is to manipulate core city water systems for the purposes of removing or poisoning supply.

The leak of the new administration's executive order on cybersecurity tends to focus on taxes and regulations for private companies but does not touch upon privately-owned critical infrastructure. However, the MIT team has tried to fill in the gaps.

The report, "Making America Safer: Toward a More Secure Network Environment for Critical Sectors," recommends that the White House tackle the risks associated with cyberattacks levied against utilities, oil, and gas, as well as finance and communications.

Led by former senior NSA official Joel Brenner, the document describes a total of eight challenges the Trump Administration must face, as outlined below.

  1. Improve Coordination: MIT says that critical infrastructure defense is "insufficiently coordinated" across the government, but by elevating the position of cybersecurity advisor to the position of deputy national security advisor for cybersecurity, this official should work with the Office of Management and Budget (OMB) to create a long-term policy to improve cybersecurity funding and research.
  2. Measure cyber risk and infrastructure fragility: Without being able to quantify risks, it is difficult to portion investment and funding properly -- and so MIT recommends that representatives should meet to create a national strategy to tackle this issue.
  3. Review laws and regulations with the goals of reducing risk and optimizing security investment: MIT says that there is a "material disconnection" between compliance demands and improvements in cybersecurity as a whole, and current regulations either impede or do not encourage high levels of cybersecurity investment.

To change this, President Trump should propose better tax treatment for cybersecurity investment in critical infrastructure, especially when products and services comply with the framework issued by the National Institute for Standards and Technology (NIST).

  1. Enable critical infrastructure operators to quickly identify and respond to cyber risk arising from cross-sector linkages as well as from their own networks: As core services become connected, links create opportunities for an attack on one sector to take down others. MIT recommends that meetings should be held to promote threat data sharing.
  2. Reduce component complexity and the vulnerabilities inherent in them: Supply chains and core services are placed at risk by manufacturers and utilities' usage of cheap, all-purpose hardware and equipment, despite their varying security levels.

MIT says that the Trump Administration should work towards promoting the use of more secure and less complex hardware, software, and controls for use in critical infrastructure.

  1. Address fundamental issues of system architecture: With many IT admins believing that certain aspects of their systems cannot be kept safe without isolation, MIT would like to see the president's team explore the feasibility, expense, and timelines required to isolate the controls and operations of critical systems away from public networks.
  2. Formulate an effective deterrence strategy for the nation: MIT says the US does not have an effective way or policy to deter hackers from attacking critical infrastructure and to tackle this issue, the Trump Administration should create a strategy which includes hardening these systems, raising the price of attacking them, and promote a diplomatic way to work with "potential adversaries" to keep these targets off the list.
  3. Accelerate and improve the training of cybersecurity professionals: There is a lack of skilled cybersecurity professionals in the US, and the MIT team believes the president should work to increase this supply through new schemes and programs.

MIT also suggests that tax and regulatory changes which reward cybersecurity investment could be an important factor in ensuring the US remains up-to-speed with evolving cybersecurity threats.

"Our current cyber insecurity is a national disgrace," Brenner says. "We've got to defend the networks that the safety of our nation depends on."

No Comments Yet.

Leave a comment

%d bloggers like this: