Cybersecurity policy is a must in government

TechRepublic’s Karen Roby talked with Fred Cate of Indiana University about cybersecurity and the importance of cybersecurity policy in government. The following is an edited transcript of their conversation.

Fred Cate: I’m vice-president for research, but for 30 years, I’ve been a professor at Indiana University in the school of law. And I was the founding director of the Center for Applied Cybersecurity Research. What I do, which is a little different than a lot of other cybersecurity people, is really coming at cybersecurity from a policy and a usability point of view.

SEE: Identity theft protection policy (TechRepublic Premium)

Karen Roby: The election’s just right around the corner. When we talk about security, we think so much about that because we hear so much about it, right? We’re hit with this all the time in the news, but we were talking before this recording about how we can’t take our eyes off our own security needs. What is it that concerns you the most in that realm? I know that’s a broad question, but kind of try to bring it down for us a little bit, if you could.

Fred Cate: Let me say first, everything has a security issue, and so everything worries me. And it’s important to keep that in mind, as you say, because even though we’re talking about the election, it won’t really matter if we secure the election, but we lose everything else. Now, in terms of where we’re looking specifically, I think one big concern is that of course, we’re all working online, like you and I are right now. It suddenly means we’re dependent on a digital infrastructure more than ever, and we’re dependent on our home infrastructure. Suddenly all those things that we frankly may not have paid that much attention to, like, “Is my computer on my desktop or my laptop secure? How about my devices? How about computers I’m sharing with my kids or with other family members, how secure is that? How about my router and the way I connect to the internet?”

I think we’re now focused, not so much on just big institutional security, but on individual security and the way in which that feeds into a larger system. And then it might just flag one other thing, I think, ransomware is still a big issue and we see ransomware, of course, it affects individuals and it affects many others, but it affects a lot of healthcare institutions, hospitals, city governments, and many times those kind of smaller businesses.

Businesses who don’t have a security officer, they may not even think about security and suddenly they find they can’t get to their computers, they can’t get their records, they can’t get their credit card machine to work, now they’ve got trouble. Particularly with the holiday season coming, when you are really even more dependent for commerce on these technologies, I think ransomware is something to be really attentive to.

SEE: How an IBM social engineer hacked two CBS reporters–and then revealed the tricks behind her phishing and spoofing attacks (free PDF) (TechRepublic)

Karen Roby: And that can be so scary, Fred. We talk about this and work in this environment a lot, so we understand it a little bit better than the average person. But when you talk about ransomware and not always hitting a huge company, but even some smaller ones, in many cases forking out hundreds of thousands of dollars to gain access to their systems again, it can be truly devastating.

Fred Cate: You’re absolutely right. And it’s something that has really evolved. Although some people say, well, ransomware is sort of declining, that’s not really true. It may be the number of compromised computers is declining, but the ransom numbers are going up. The impact of ransomware is going up. I think there’s good reason to be concerned. And we’ve seen a lot of highly publicized attacks against cities and hospitals, and what I think of as sort of public sector institutions that we all count on and suddenly they’re not available. They’re not working. You can’t book a court date. You can’t pay a parking ticket. You can’t get a permit to build. This is a real drain on the economy, and it’s a real threat because what happens in a lot of cases is people are paying the ransom, the ransom numbers are going up. This then, of course, creates more incentives for people to engage in the ransomware business if they can get the ransom paid.

Karen Roby: Absolutely it does. And, Fred, when we talk about where companies tend to be vulnerable and obviously their passwords aren’t secure, or they aren’t connecting to VPN. But social engineering, the criminals obviously, know how to take advantage still when it comes down to the human factor, which can be difficult for leaders within a company to get their employees to understand just how easily they can be manipulated.

Fred Cate: You could not be more correct, and it’s something we’re seeing. We always say the human is the weakest link and that’s not something critical. We’re human, but we are the weakest link and it’s really easy. We see even more of it now with COVID keeping us online instead of in the same room. When you get that email or you get that text that purports to come from your boss or from the CEO [Business email compromise] and it says, “I need something, do something, wire this money, transfer this, make this payment.” And we’re all in such a rush to get our jobs done while also balancing taking care of the rest of our lives, too often we’re acting on this without pausing and thinking, has the right procedure been followed? Is this normal? Is this in the ordinary course of business? 

SEE: Business Email Compromise attacks are on the rise (TechRepublic)

I’m approached by a lot of small-business owners, people who own real estate firms and title companies who are suddenly finding that they’re being asked to wire the closing money on a house to a bank account that’s not the right bank account. But of course, they engage in so many one-off transactions, it’s hard to know what is the right bank account. Sometimes, really the best advice, is just slow down a little, pick up the phone, call and see, is this really the order you’ve been given. Otherwise, we’re going to be seeing more and more of this social engineering.

Social engineering is at the heart of more than 90% of all successful attacks. You get a password from someone, they may not even know that their computer has been compromised. They may not know that they’ve given up their password, and suddenly you take advantage of that to then go attack others. You don’t want to become an unwitting accomplice in somebody else’s attack, either. It’s really worth that extra moment of care.

Karen Roby: When it comes to cybersecurity, I think a lot of people think that things are just taken care of or that things are secure and, as we know, they’re truly not, we’re all vulnerable. Talk first about the average person in America, what can they do? What should they do to be pressing leaders, those who can make decisions in legislation and that kind of thing, what can they do?

Fred Cate: I think there are two sets of actions that we all ought to be thinking about. One is what do we do to secure ourselves? Recognizing that good cybersecurity is a partnership. We’ve got to play our role. Even the best cybersecurity tools will be instantly eliminated if the user turns them off or does something to get around them. If I give my password to someone, if I share it with my kids, if I tape it to the bottom of my laptop, all of these are things that there’s nothing that the government can do to protect me from. I think we should be aware of our own individual responsibilities in the fight to keep our data, to keep our systems secure. 

But I also think we should expect more out of government and industry as well. In other words, we now get in our cars and we sort of take it for granted they’re secure. They have airbags, they have seatbelts, they have antilock brakes. They have all these things, all of which are now required by law, it took law to get there, we didn’t get there alone. And I don’t put my own seatbelt in a car. I don’t put my own airbags in a car. I buy it and expect it to have those tools. So, it seems like we should be pressing our political leaders. We should be agitating more on social media. We should be working in, again, starting in local areas, Chambers of Commerce, I speak to a lot of library groups and Rotary clubs and people about the importance of this.

And so what we’d like to imagine is a day in the not too distant future when you don’t have to spend much time thinking about cybersecurity, it’s really a benefit that’s provided when you buy or subscribe to or rent a system. And for that to happen, I think we’re going to need a little bit more of market pressure and also probably some regulatory pressure to get better security built in.

Karen Roby: Like you said, you’re not going to put your own airbag in your car, you expect it, it’s going to be there and it’s regulated to be there. So that takes care of it for you. Do you think that when we talk about whether it’s the average person or when you do go to Rotary meetings, let’s say, and you’re talking to some C-suite individuals, do you think they are afraid to take this on? Is it something that still seems like it hasn’t really gotten through yet? Where are we? Where’s our sensibility when it comes to cybersecurity?

Fred Cate: I think it’s gotten through to the C-suite in most places. And I think people worry about it, frankly, even people who don’t necessarily have the knowledge or the resources to deal with it. I think they worry about it. I think, again, we’ve kind of treated cybersecurity though like it’s idiosyncratic like, there’ll be your cybersecurity and my cybersecurity, and everyone will have their own cybersecurity, and it’s not going to work that way. In other words, the bad guys are cooperating, they’re using the internet to supply each other with attack tools. Most phishing is done with a handful of phishing kits that are just downloaded from the web.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

Most ransomware is done with just a handful of ransomware kits that are downloaded from the web. You don’t have to be a computer scientist to launch a good cybersecurity attack. So we need to start standardizing responses more. We need to know that there are basic tools built in. We need to know that there are basic responses that will work and not expect everyone to do it on their own. Now, there are things we can do to help facilitate that, like use good antivirus software, that’s what I mean by standardizing it. I don’t have to figure out what it is, I just go buy it and I let somebody else figure out what it is and do it. But I think we should expect more of that from industry leaders and frankly more from the government, so that the government, for example, might set standards, especially for critical industries.

We ought to see more than just the very limited federal steps we’ve seen related to healthcare and financial services to apply more broadly so that really consumers would be able to expect that there would be good cybersecurity. Long ago, I heard an industry executive related to Amazon say, “We would turn on dual-factor authentication by default if we were required to, but if we do it and we’re the only ones who do it, people will go shop elsewhere.” And I took that as an industry executive begging for regulation saying, look, level this playing field. Say, “If you sell directly to consumers, you must require a multi-factor authentication.” We know how to do it. We see it all the time in banks where it is required, why don’t we see it everywhere?

We see things stolen out of the iCloud. Again, not because the passwords were compromised, but because the passwords were shared or given away or guessed because they were pet names or child names or other things that were easily ascertained. Well, again, if you required multi-factor authentication, it wouldn’t matter if you guessed my password if I chose a bad password. Because you would also have to have my phone or my token or my something else that would make that authentication work. So, we’ve got the tools, this isn’t a case of building a better mouse trap, this is a case of getting people in creating the right incentives for people to use those mouse traps.

Karen Roby: It would seem the message being sent to these criminals, hackers, is, “Hey, keep doing it because unless we regulate this and help out the average person, the large enterprise and everybody in between, they’re going to keep doing it,” right?

Fred Cate: You bet. It’s like the old thing about, why do you rob banks? Because that’s where the money is. Why do you engage in cyberattacks? Well, they work, they really work, and you’ve got scale on your side. If you can launch an attack against a million machines at once, you only have to succeed one out of a thousand times to have a profitable business. And very few of us could stay in business if we only succeeded one out of a thousand times, so it’s very attractive. We’re going to have to do better, and we will do better, I don’t doubt that for a second, but it’s going to be a real challenge for the new administration, whether it’s a change of political party or not. After they’re elected to come in and take cybersecurity seriously and act on some of these things that have been sitting around for, frankly, years now.

Also see