Security Issues: Agencies Are From Venus – Legislators Are From Mars

  • Aug 04, 2015
  • Mark Seward

    Bridging the gap

    About two weeks ago I had the privilege of briefing legislative staff members in Washington DC on a variety of cybersecurity issues. I met with staffs from the offices of three senators and one congressional office. Some of the meetings were one-on-one and others were in a group setting. I went as part of a group of cybersecurity experts led by the Institute for Critical Infrastructure Technology (ICIT). Their goal is to bridge the knowledge gap between private sector thought leaders with awareness of cutting-edge technology and the folks behind writing cybersecurity legislation. Exabeam had contributed to a briefing paper published by ICIT that was widely distributed to congressional offices.

    Jump-start the process

    Often by the time authors of legislation do their research, write the legislation, get it through committee, and get it passed into law, 18 months to two years have gone by. Given the fact that the attacks we see in the headlines and the attackers that perpetrate them evolve their modus operandi so quickly, the legislative process simply can’t keep up. Our meetings were a way to jump-start a portion of the process and provide a “safe zone” for them to ask any question they like. Most of their questions were around the Anthem and Office of Personnel Management (OPM) data breaches–what caused them and what could be done legislatively that might help to prevent the next data breach.

    It was an enlightening and interesting trip to say the least. For the most part, I was impressed with the quality of the questions asked. Most, at a high level, had a good grasp of the problem. However, it was clear that there is a lot of work private industry could do in a thought leadership role, to take the complexity out of the discussion. 

    I was able to state in plain and simple terms why many of these large data breaches are occurring and why this is a pervasive problem for the private and public sectors. I also discussed with them the need for widespread use of user behavior analytics so that the behavioral divergence between an employee’s use of a credential and an attacker’s use of the same credential can be identified and the account marked as having been taken over. There was also discussion about whether increasing the use of encryption would address the problem. However, if the right level of account is in use by the attacker, the attacker will have the right level of access to decrypt the data anyway.

    Communication, and lack thereof

    The biggest surprise for me was that the legislative branch and agency heads don’t informally speak to each other. Formal hearings occur but only after there’s been a problem. On balance, I was encouraged. Legislators want to act. They see these data breaches as a problem. They just need to be informed.

    Below is a link to a podcast about what we heard and the importance of educating the legislative branch.
