This past February I participated in an amazing three-day innovation and ideation lab pulled together by Farnam Jahanian, Assistant Director, Directorate for Computer and Information Science and Engineering, National Science Foundation (NSF), with a lot of help from an organizing committee drawn from some of the most intelligent technology people around.
The task at hand had its genesis almost a year before when the question was asked inside the White House: What can the government do to address cybersecurity issues?
Given the apparent lack of forward thinking in the cybersecurity bills trickling through Congress, you will likely agree that this question is well worth asking.
You may not agree with some, or even all, of the ideas generated by the 35 people with varied areas of expertise, but the ideas are well worth pondering. You can get the full report titled Interdisciplinary Pathways Towards a More Secure Internet here. A quick synopsis follows:
Make Critical Subsystems Field-Updatable. This addresses the lack of patching for a lot of systems, particularly embedded systems and industrial controls.
Enable Certificate Transparency and Security. Move forward on the work of certificate-transparency.org, a Google project for an open framework for monitoring and auditing SSL certificates in nearly real time.
Create a Framework for Managing Software Updates. This is needed for the Internet of Things, which presents a looming problem.
Make HTTPS the Least Effort Scheme for Deploying Websites. Encryption everywhere.
Cybersecurity Research Agenda. Invest in areas that will increase cybersecurity.
Establish an Internet Rescue Squad. A national cybersecurity response team to coordinate responses to cyber breaches and attacks.
Create a Cyber NTSB. Investigate cybersecurity incidents and provide public reports on the circumstances and causes of each incident.
“Standard” Impact Statement. Develop models for characterizing the cost and impact of both cybersecurity frameworks and standards. Before new standards are implemented, their impact should be assessed in a process analogous to the generation of an Environmental Impact Statement.
How Golden is Our Goose? Assess the tradeoffs between more security and higher costs of compliance.
Identity: A Problem That Does Not Need Solving. While improvements in authentication technology are needed and should be funded, attempts to de-anonymize the Internet should not be undertaken.
Encourage the Adoption of Routing Security. Name says it all.
Enhance the Security of Things by Identifying Enclaves. Tackle segments of industry instead of the world.
Create a List of Top Priorities. Surprisingly, this does not exist.
Lead by Example. The US federal government should adopt best practices.
Re-establish Trust in NIST’s Cryptographic Standards Process. Title says it all.
Develop Citizen and Small Business How-To-Guides For Implementing Security. Develop a set of clear, interactive guides aimed at individual citizens and small and medium businesses to demonstrate best cybersecurity practices.
There is much to consider in this list, something I will be doing in future columns. Read the full report to get the entire story and recommended actions for each idea.
Please include your feedback and comments below, or contact the people listed at the end of the report. I will incorporate your thoughts into my future articles.