Is the Cybersecurity Act of 2015 effective?
While many are decrying the newly signed Cybersecurity Act of 2015 for its privacy issues, DB Networks is taking the Act to task for an equally troublesome reason: It is based on erroneous assumptions, rendering it nearly completely useless at improving cybersecurity.
“Cybersecurity through information sharing is like driving a car by looking in the rearview mirror,” explained Brett Helm, chairman and CEO of DB Networks, the database cybersecurity provider of choice for the world’s largest financial institutions, manufacturers, healthcare providers and governments. “It presupposes that there will always be a first attack – a zero-day attack where some organization is attacked and then everyone else can see, for the first time, this new attack vector. Further, it assumes from knowledge of the attack that countermeasures will be developed so that everyone else is protected in the future. However, in today’s environment of constant zero-day attacks, threat information sharing has proven to be of little value and yet it happens to be the cornerstone of the Cybersecurity Act of 2015.”
Although understanding past attacks has some value, it can’t fully describe what will happen in the future. DB Networks maintains that threat information sharing fails to get to the root cause of the problem, because the vast majority of large breaches and high-profile attacks over the past decade have been highly targeted APTs, with no previous intelligence available that could have prevented them.
The methodology upon which the Cybersecurity Act of 2015 is built has consistently failed to protect against such threats. APTs are used to attack a specific organization in a unique way that has never been seen previously.
Sharing threat intelligence after the fact is of little use in such cases, and the attackers know that better than anyone. Therefore, instead of approaching cybersecurity through sharing threat intelligence, as the Cybersecurity Act of 2015 requires, Helm explains that the key to keeping information systems secure is the combination of rigorous hygiene, identifying compromised credentials, and autonomous cybersecurity.
Basic security hygiene includes applying software patches, prohibiting the use of default passwords, keeping thorough inventories of information system assets, etc. “The Computer Emergency Response Team states that simply applying patches in a timely manner would stop 95 percent of network intrusions,” Helm stated. “If Congress really wanted to make a difference, they would have made mandatory patching and protecting privileged credentials the foundation of the Cybersecurity Act of 2015, not threat information sharing.”
In addition, the industry is rapidly moving toward autonomous cybersecurity to thwart attacks. Smart machines based on machine learning and behavioral analysis actively analyze and identify attacks in real time, without any threat intelligence or previous knowledge of such attacks. “In other words, the true future of cybersecurity lies in staying ahead of the game, not focusing on prior threats,” concluded Helm.