Page 10 - Cyber Warnings
Rationale
This conundrum has evaded a solution and has governed the direction taken. There are three primary
options. First, the leadership can do nothing. This would only continue to perpetuate the InfoSec
issues that abound in the news: breaches, compromises, stolen data, and increased expenses for
the affected parties due to incident response, credit monitoring, and lawsuits. This is an
option.

A second option would be for the industry to regulate itself, apply common sense, and devote a
sufficient level of resources to researching, analyzing, and implementing these security rules.
Over the years, this likewise has not been successful. This lack of focus, the multiplicity of
protocols, and the mixed levels of implementation have led directly to breaches and compromised
systems. This option likewise is not viable in the long term. As an industry and field,
self-regulation in any form has been lacking.

The third option is to form an entity to research, publish, mandate, and evangelize these
standards. The intent is not to overreach and be dictatorial, but to form a safer, more secure
environment, which the industry has not been able to do on its own. The intent is also for this to
be an altruistic movement. This would greatly assist the field and its users. The guidance to this
point has been splintered. The standards in place have effectively been merely recommendations,
with the exception of the state statutes for autonomous vehicles. These, though, differ from state
to state, with each state's judicial interpretation being unique. Specific industries (e.g. FDA,
DTS, and DH) have their own guidelines in place, which are not unified.

There should be a central standard for each type of transaction in InfoSec. For instance,
communication should be secured with a form of encryption, regardless of whether this involves a
vehicle communicating with an application on a smartphone, a user checking their email account
from a phone, a website being secured (HTTPS) versus not (HTTP), SSO using SAML 2.0, or a
pacemaker transmitting data to its base equipment; in none of these cases should the data be sent
in clear text or with a low, inappropriate level of encryption (e.g. MD5 or AES 56). Data at rest
is also notable and should be encrypted with an acceptable protocol. Instead of each type of
equipment or action having its own method, they should all follow the same standard.

This is being proposed simply for the common good. These and other protocols applied to
systems would be, at the very least, the baseline needed to be secure. Applying these standards
across the U.S. or further would provide a minimum baseline that the industry and users would be
required to follow. This would need to be at the national level due to the fluidity and dynamic
nature of data and InfoSec. A user is able to scan an IP from nearly anywhere on the globe. A
state-border-oriented system for InfoSec is meaningless.

Unification
Unfortunately, the number of attacks exploiting the same vulnerability continues to grow due to
each industry having its own standards governing the same act, wasted concurrent efforts, and
other factors. This has made it rather clear that the industry is at a bit of a loss to govern
itself in certain instances. There needs to be a single, unified application of InfoSec for each type of

10 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide