Is an NIH for InfoSec the Proper Cyber Attack Response?

NIH for InfoSec the Proper Cyber Attack Response Feature

Let’s imagine something for a second. A new disease is sweeping the world, some deadly thing akin to Zika, Ebola, or bird flu. The entire world clamors for a cure, but the only entities interested in working on it are private companies. The FDA, the CDC, and the NIH all remain silent.

If this sounds weird to you, recast the disease as a computer virus. While our analogy leaves out not-for-profit institutions, universities, and independent researchers, it points out a central issue: the government response to cyberattacks is disunified and ineffective.

We were recently intrigued by an argument put out by security researcher Dean Kaminsky, of creating a centralized, taxpayer-supported organization that deliberates the proper cyber attack response to systemic threats. In his words, “The Internet is not a safe place right now, and, more importantly, the tools we’re using to interact with it are relatively broken… I think we need to have a larger-scale response to the problems of the Internet.”

Let’s talk a little bit about the current failings of government cyber protection, and what a unified institution might look like.

A Slow and Disorganized Response to Malware

First of all, the government isn’t currently taking convincing, unified action to protect companies and individuals from hackers. Yes, there is individual action against individual hackers, and yes, there are some concrete actions taken against poorly performing industries. However, each government agency is taking its own direction—and the results are far from the proper cyber attack response.

For example, last fall it was reported that a pacemaker developed by Saint Jude Medical was flawed and vulnerable to attack by unauthorized users. The government didn’t disclose this—rather, it was revealed by a major shareholder in the company. In response to these allegations, the FDA put out guidelines for manufacturers of networked medical devices.

The guidelines are what you’d expect—they ask manufacturers to test their products for vulnerabilities, keep records of the tests, document exploitable loopholes, and then issue firmware patches within a reasonable timeframe. These are reasonable requests—but that’s exactly the problem. They were requests, without any enforcement mechanism, or any expectation of compliance.

By contrast, the FTC has been much more aggressive. Early in 2016, the agency forced the router manufacturer Asus to settle a lawsuit over insecure products in an agreement that included two decades of audits. It recently opened up another lawsuit against D-Link. Yet, by playing whack-a-mole with one company at a time, the FTC is letting hundreds, maybe thousands, of new IoT manufacturers go unchecked. These companies still don’t see massive drawbacks in pushing insecure products.

The Proper Cyber Attack Response is Centralized and Enforceable

In order to properly respond to cyber attacks, we need an organization that has the capability to examine all industries, propose enforceable regulations, and provide uniform self-defense guidance for both corporations and consumers.

NIH for InfoSec the Proper Cyber Attack ResponseCurrently, organizations like the FTC are constraining themselves by going after one category of manufacturer at a time. Agencies like the FDA are constraining themselves by issuing broad guidelines that don’t have any teeth. These actions aren’t just insufficient on their own—they miss an entire universe of information that’s critical for the public.

 

For example, we’d like to see consensus guidelines on the best tools and techniques to replace antivirus and safeguard data. We’d like to see a uniform set of enforceable guidelines for manufacturers to design hardware and software.  We’d like to see in-depth information on the systemic issues that make so many companies and individuals vulnerable to ransomware. Maybe a centralized repository of threat intelligence.

In its time, centralizing medical science had the result of completely eliminating several endemic threats to the human race—smallpox, measles, scarlet fever, and other ailments are now confined to the pages of history books. By taking the same approach to information security, perhaps we can also take malware to its grave.

In the meantime, SentinelOne provides an avenue for businesses to protect their critical data in ways that leave them immune to exploits, ransomware, and even file-less malware. Our behavioral detection engine intelligently scores the behavior of running processes, then flags and terminates actions—such as creating unauthorized executables or exfiltrating data—that appear malicious. For more information, check out our Next Generation Endpoint Protection Buyer’s Guide.