• IPG

The U.S. isn’t getting ahead of the cyber threat, experts say

“Cybersecurity is improving constantly, but the complexity of our digital society may be outpacing our efforts to keep up,” Mandiant Threat Intelligence chief John Hultquist said.

Cyber and tech investor Niloofar Razi Howe: “We are more vulnerable because of the dizzying pace we are adopting technology, engaging in tech transformation, and adding devices without prioritizing security.”

One particularly rich target has been a vast new array of Internet-connected devices, such as refrigerators, thermostats and cameras. These devices, commonly called the “Internet of things” or “IoT,” are notorious for relying on weak or default passwords and being difficult to update with software patches — making them easy pickings for hackers.

“Many of these technologies have shortchanged their cybersecurity expenditures, creating ever-increasing liabilities for everyone,” said Sascha Meinrath, founding director of X-Lab, a think tank at Penn State focusing on the intersection of technologies and public policy.

“As the cyber-strategist Biggie Smalls would have said, ‘More IoT, More Problems,’ ” quipped Peter Singer, a fellow at the New America think tank. (Singer said the United States is equally vulnerable compared to five years ago.)

Many experts blamed the United States’ ongoing vulnerability to hacking on the increased brazenness of U.S. adversaries, especially Russia.

Norma Krayem, a cyber policy expert at Van Scoyoc Associates: “Russia's use of cyber tools against Ukraine has clearly demonstrated to the world that it can fully disrupt key aspects of critical infrastructure.”

Dave Aitel, a cybersecurity researcher and Partner at Cordyceps Systems: “Our adversaries continue to advance their skills and no amount of cyber hygiene is enough to compensate for that basic fact.”

Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub: “Adversaries have gotten stronger. Business and individuals are more dependent on the Internet than ever. And we haven't prioritized cybersecurity enough to counteract these trends.”

That sentiment was shared by several experts who said the United States is equally vulnerable compared to five years ago. They described a cat-and-mouse game in which U.S. companies are constantly improving defenses but never really getting ahead.

Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School: “While defenders have certainly gotten better in the last five years, so have the attackers.”

John Pescatore, director of emerging security trends at the SANS Institute: “A lot of progress has been made, but unfortunately by both the bad guys and the good guys.”

Many experts who picked the equally vulnerable response said it’s simply impossible to determine whether the United States is more or less vulnerable to hacking now — either because the answer varies so much from industry to industry or because there’s not good enough data to make the call.

“It's better in some sectors and worse [in] others, but as a country, the net/net is that we're still in a comparable — and fairly awful — position,” said Jeremy Grant, managing director at the law firm Venable.

  • Steve Weber, a cyber-focused professor at the University of California at Berkeley: “You can't manage what you can't measure, and measurements of 'vulnerability' are incredibly messy, undisciplined, almost certainly biased, and partial at best.”

For those who said the United States is less vulnerable to hacking now, many based that assessment on the rising public awareness of cyberthreats — especially after ransomware attacks that have threatened the economy and national security in recent years.

“Awareness about the threat has improved dramatically,” said Michael Daniel, a former White House cyber coordinator who now leads the Cyber Threat Alliance.

“Thanks to high profile ransomware attacks awareness is greater than ever at the board and governmental level, and I believe if you are aware of risks, you are more likely to protect against them,” said Jeff Moss, founder and CEO of DEF CON Communications.

  • “Since complexity is the enemy of security, ipso facto, security is harder and the United States is more vulnerable.” — Mark Weatherford, a former top Department of Homeland Security cyber official who’s now a general partner at Aspen Chartered.

  • “The U.S. is more vulnerable than ever to cyberattacks due to its increased dependence on complex, interconnected software.” — Katie Moussouris, founder of Luta Security.

  • “The pace of progress has been uneven. There are still certain sectors and critical functions that remain woefully behind and even overall we are by no means where we need to be.” — Frank Cilluffo, director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.

  • “The most sophisticated level of attackers are no longer exclusively nation-states. Private actors, who are sometimes contractors to governments, have serious compromise capabilities and can execute complex attacks.” — Robert Strayer, executive vice president of policy at the Information Technology Industry Council who was the State Department’s top cyber official during the Trump administration.

  • “Both the private sector and the federal government are in a far better position to resist cyberattacks than five years ago, but the sophistication and scope of our cyber adversaries has outstripped those gains.” — Glenn Gerstell, former NSA general counsel who’s now a senior adviser at the Center for Strategic and International Studies.

Just as vulnerable:

  • “Actually, the best answer to this question is ‘nobody can tell.’ In the absence of ANY metrics about cybersecurity, it is realistically impossible to answer this question.” — Paul Rosenzweig, founder of Red Branch Consulting.

  • “Ransomware is the richest attack monetization we have ever seen so attackers will continue to increase their efforts to compromise, even as we get more secure.” — Chris Wysopal, co-founder of Veracode.

Less vulnerable:

  • “Ransomware has helped to make cybersecurity a real political priority, but it will take a sustained effort over several years to make significant progress. Keeping our foot on the gas is not something we’ve done well in the past, but that must change.” — Chris Painter, top State Department cyber official during the Obama administration who’s now president of the Global Forum on Cyber Expertise.

The bipartisan proposal would require companies to limit their data collection, and would also let users sue companies that improperly sell their data and opt out of targeted ads, Jacob Bogage and Cristiano Lima report. But the bill faces an uphill climb to become law, with critics saying it doesn’t do enough to protect consumers.

Senate Commerce Committee Chair Maria Cantwell (D-Wash.) hasn’t endorsed the bill, and it could stall without her support. Cantwell told The Post that “any robust and comprehensive privacy law must protect consumers’ personal data with a clear requirement that companies are accountable for the use of that data and must act in consumers’ best interests.”

Sen. Brian Schatz (D-Hawaii) told lawmakers that the effort was “falling short” in delivering for consumers. He urged them to “refuse to settle for a privacy framework that will only result in more policies to read, more cookies to consent to and no real change for consumers.”
