The Four Cybersecurity Questions Government Agencies Should Ask
“Much of the cybersecurity world operates the way emergency department doctors often have to operate,” observed Professor Steven Weber, founder and former director of the UC Berkeley Center for Long-Term Cybersecurity at AI x GOV 2022. Rather than tackling long-term problems, their focus is on solving the crisis of the day.
UC Berkeley’s Center for Long-Term Cybersecurity aims to counter this trend with its long-term perspective spanning years and decades — envisioning tomorrow’s cybersecurity challenges today.
During his keynote address at the AI x GOV cyberdiplomacy panel, Weber discussed how a diversity of responses today can better prepare the world for a more resilient cyber landscape in the future. He also shared four key questions government agencies should ask when developing cybersecurity strategies.
The need to avoid uniform attack surfaces
To look to the future, you have to look to the past. Weber pointed to the period of optimism around the Internet in the 1990s, when it was believed that the Internet would usher in greater democratization and decentralization. This ignored two factors: technological monocultures and human complacency. Today, these factors have led to an increase in uniform attack surfaces that are easy to exploit.
First, technological monocultures make it easier for attackers to focus their research and development, with “a promise of massive returns,” Weber said. A computer monoculture occurs when a community of computers all run identical software and therefore all have the same vulnerabilities.
There’s a strong tendency for a market to land on a single standard, even if it’s not the best option, Weber explained. For example, in the 1980s, VHS became the standard videotape format despite the presence of superior alternatives. That win had less to do with how good VHS was than with coming first, Weber noted.
Today, nearly 85% of the US federal government uses Microsoft software, according to a study. This could be a national security risk. In 2021, hackers used multiple software vulnerabilities within Microsoft Exchange Server to attack more than 30,000 organizations in the United States, Weber noted. When organizations rely on the same software for the most part, one weak point can be catastrophic.
Second, human complacency can expand attack surfaces, Weber warned.
The average American has more than 50 accounts with digital services, but only one in five uses a password manager, he cited. When complacency over passwords and other security issues increases, government agencies and private businesses can become vulnerable.
IT departments can be overstretched teaching people new protocols and new ways to interact with their devices, which further widens the attack surface, he explained.
We should have “a less uniform and more diverse attack surface and digital ecology,” Weber suggested.
There could be more successful attacks, but each one would be much smaller than cybersecurity attacks that target a widely used software system instead.
No single cybersecurity best practice
There are multiple paths to cybersecurity success, he shared. This can be a good thing: with several experiments going on at the same time, there are multiple chances to learn and see what works best. It can also help organizations avoid becoming embedded in a larger cybersecurity monoculture.
Here are four questions cybersecurity experts should ask themselves when designing their cybersecurity strategy, Weber suggested:
Is cyber risk just another aspect of risk management, or is it unique?
Can cybersecurity be managed as just another element of an organization’s risk management strategy, or should it be treated as “something unique, distinctive and existential?” Weber asked.
Should cybersecurity knowledge be distributed or concentrated?
Should everyone in your agency have some level of cybersecurity knowledge, or should you have a team of highly specialized cybersecurity experts overseeing the agency?
Beyond individual agencies, it is also important that citizens have a basic understanding of cybersecurity at the national level, said Gaurav Keerthi, Deputy Director General (Development) of the Cyber Security Agency, during his opening keynote address before the same panel.
Is cybersecurity a collective or competitive mission?
Is cybersecurity a collective effort, something you need to share with your competitors and allies, private and public agencies? Or is it a competitive advantage, where your security posture acts as a differentiator?
On the national scene, governments can consider viewing cybersecurity as a collective effort. The 2021 ASEAN Cybersecurity Ministerial Conference was a recent showcase of ASEAN’s cybersecurity cooperation model. One of the highlights of the conference was the opening of a training center in Singapore for ASEAN national cybersecurity teams, GovInsider shared.
Do we assess cybersecurity in a standard or non-standard way?
To evaluate the performance of an agency, should we rely on a standard set of measures? Or should the CSO assess the data more holistically?
“In fact, you can do well with a variety of answers [to these questions], but only if the organization knows what it is choosing and everyone in the organization understands,” Weber explained.
In 1996, John Perry Barlow declared the independence of cyberspace from governments. Although his vision of a decentralized cyber future has not materialized, today’s cyber landscape can still benefit from a decentralized and diverse approach to cybersecurity, with each organization making the choices best suited to its needs.