2015 State of the Union Address: The Implications

President Obama is making online security a key goal for his administration in 2015. These intentions culminated in this week’s State Of The Union address, in which he spoke of aims to allocate greater resources towards domestic and military cybersecurity. Almost concurrently, negotiations with David Cameron resulted in a new joint venture between each nation’s law enforcement agencies, who will collaborate on ‘stress-testing’ each other’s cybersecurity capabilities.

Given their political proximity, each country’s cybersecurity developments have a knock-on effect for the other. The US has introduced new legislation to ensure that companies notify consumers of data breaches within 30 days of discovery. At present, the UK must comply with EU laws that dictate a 72-hour notification period. Some may argue that the US still lags behind in this sense. Others believe this may cause the EU to relax its own measures.

Clear and concise communications are vital in the wake of a breach, but demonstrating compliance with relevant regulations is also key (for the company at least) as it’s a ‘get out of jail’ card once the dust has settled.

But while bolstering law enforcement capabilities and reporting requirements are good steps that will help us punish offenders and mitigate embarrassing mega-hacks, they'll do little to stop data breaches in the first place. Fundamentally, the US and UK must focus on prevention in the first instance. The recent Sony hack shone a light on the activity that we see every day: networks of hackers exploiting the US’s weak cybersecurity defences and causing real economic harm.

The current proposals from Obama and Cameron are the equivalent of putting up more security cameras instead of buying a better safe. But the costs of inaction (or weak action) go well beyond film releases and red faces. Cyber-attacks erode consumer confidence at a time when greater consumer participation in the recovering economy is essential. Hacks slow innovation, as consumers and enterprises hesitate to adopt new services, devices and platforms. They threaten national security, as adversaries see new pathways to injure the economy and even critical infrastructure such as power grids, pipelines and power plants.

More stringent and directive regulations must be implemented to educate consumers and businesses about the current use of easily-hackable computing devices and networks that rely on dated and vulnerable software-based security. We must take advantage of the hardware-based solutions that are ready and available today, and are built into many modern devices. It is time for hardened cybersecurity.

Solutions such as the trusted platform module (TPM) chip, already deployed on almost a billion computers, are dramatically more difficult to compromise, as proven by their impressive record over the last several years in the field.

This approach is not intended to benefit a few commercial entities – the TPM is subject to strict industry standards achieved through collaboration and a democratic approach to testing. In most use cases, deployment is cheaper too.

Any cybersecurity legislation should require the immediate use of two simple components that are a fundamental part of any overall solution aimed at stopping data breaches in corporations and government agencies:

1) Multi-Factor Authentication. In essence, you start with ‘something you know’, like your user identity (user ID and a password or PIN), and then add ‘something you have’, like a physical or virtual token based on hardware in your computer like the TPM chip. By having multiple identifying factors, it is dramatically harder for a hacker to gain entry to the system. With this kind of solution in place, a hacker would not only have to gain possession of an employee’s valid user credentials but would also need to take physical control of their computer (in a TPM-based solution) or the security token itself. This effectively eliminates the most common remote hacking attempts and now requires an element of physical presence for a malicious intrusion to succeed.

2) Security Rooted in Hardware. Too many corporations rely solely on software-based security solutions that protect sensitive data only as long as the integrity of the software itself isn't tampered with. As we have seen, software remains vulnerable whenever there is sufficient incentive to crack it. Hardware-backed security such as the trusted platform module (TPM) provides a highly tamper-resistant location to store encryption keys and unique identity credentials.
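The two components above can be combined in one login flow: a password (something you know) plus a challenge signed by a key that lives in tamper-resistant hardware and never leaves it (something you have). The following is an added illustration, not code from the article or from Wave Systems; the TPM is simulated by a struct that only exposes a Sign operation, and the password hash is a plain salted SHA-256 for brevity (a real deployment would use a slow KDF).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// SimulatedTPM stands in for the hardware: the private key is generated inside
// the device and never exported. Callers only get Sign(), never the key bytes.
type SimulatedTPM struct{ priv ed25519.PrivateKey }

func NewSimulatedTPM() (*SimulatedTPM, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SimulatedTPM{priv: priv}, pub
}

func (t *SimulatedTPM) Sign(challenge []byte) []byte { return ed25519.Sign(t.priv, challenge) }

// Account is the server-side record: salted password hash (factor 1) and the
// public half of the device key enrolled at provisioning time (factor 2).
type Account struct {
	Salt      []byte
	PwHash    [32]byte
	DevicePub ed25519.PublicKey
}

func hashPassword(salt []byte, pw string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pw...))
}

func Enroll(pw string, devicePub ed25519.PublicKey) Account {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Account{Salt: salt, PwHash: hashPassword(salt, pw), DevicePub: devicePub}
}

// NewChallenge returns a fresh random nonce, so an old signature cannot be replayed.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

var ErrPassword = errors.New("password check failed")
var ErrDevice = errors.New("device signature check failed")

// Authenticate succeeds only if both factors verify: stolen credentials alone
// fail at the second check, which is the point made in the text.
func Authenticate(acct Account, pw string, challenge, sig []byte) error {
	h := hashPassword(acct.Salt, pw)
	if subtle.ConstantTimeCompare(h[:], acct.PwHash[:]) != 1 {
		return ErrPassword
	}
	if !ed25519.Verify(acct.DevicePub, challenge, sig) {
		return ErrDevice
	}
	return nil
}
```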

Now is our opportunity to confront these threats. If it doesn’t happen now, the same conversations will continue for years as the consequences of inaction become only more severe. Two great allies run the risk of falling further behind in addressing them unless a fundamental shift from reporting to prevention is taken.

About the Author

Bill Solms is the CEO of Wave Systems, a role he took on after serving as the company’s vice president of North American sales. His résumé includes executive positions at IT consulting firm Intellidyne and at A-T Solutions, where he led a team engaged in a strategic program acquisition in anti-terrorist and counter-IED professional services within the US DoD and European defense markets.
