GCN : March and April 2016
INDUSTRY INSIGHT

5 principles to ensure the Cybersecurity National Action Plan’s success

BY CHASE CUNNINGHAM

The Obama administration’s Cybersecurity National Action Plan calls for an increase in federal funding and a litany of policy changes and information-sharing initiatives. CNAP is a much-needed top-down commitment to enact change, and though money alone will not win the cyber battle, it certainly helps remove any barriers — technical or otherwise — for developing and implementing a sound cybersecurity strategy. There are, however, some important considerations as we move forward.

1. Keeping up with technology. Technological discoveries are unfolding with exponential velocity. Acknowledging the speed of innovation is critical as the public and private sectors collaborate to defend the country against foreign and domestic cyberthreats. No matter how well intended, policies will never mature fast enough to manage or corral innovation or the potential for threats that accompanies new systems. Only technology, combined with innovation, can keep pace with technology.

2. In with the new. One of the major components of CNAP is the allocation of $3.1 billion for the IT Modernization Fund, which will be used to retire the legacy technology that is rife with vulnerabilities and too expensive to operate securely in today’s threat landscape. However, before the old tech is retired, the new infrastructure, applications and systems must be tested, integrated, secured, measured and deployed. Simply tossing fixes together in a haphazard manner will not work.

Strong multifactor authentication will likely be the first step in this modernization process. The approach requires a combination of biometrics, secure protocols and cloud technology. Using a weak second factor — such as a four-digit PIN or an out-of-band SMS text — will result in failure. Next, natural-language processing and machine-learning techniques, combined with targeted innovation around data classification, should be adopted.

3. Biometrics, not numbers. The White House was smart to advocate phasing out the use of Social Security numbers for identifying or authenticating citizens. That archaic identification system too easily links to personally identifiable information that is highly valuable to threat actors. With a few exceptions, everyone possesses a variety of biometrics assets (e.g., fingerprints, retinas) that are better identifiers of who they are than a number ever could be. Switching to biometric identifiers would help solve a variety of social and criminal issues — from fraud to illegal immigration — and the technology already exists and is proven.

4. No new agencies. Although CNAP asks for the establishment of additional agencies and commissions, there’s little need to spend another billion dollars setting up a handful of new organizations to oversee cybersecurity; the National Security Agency and the National Institute of Standards and Technology already do that. It would be more effective and efficient for the federal government to collaborate with NSA and NIST to formalize reviews of new, deployable technologies that address the technical issues that are hindering our collective cyber posture. More agencies, departments and commissions will only dramatically slow what should be an agile and active cyber defense system.

5. Less money, more thinking. Cyber defense doesn’t need to be a money pit. There are thousands of talented cybersecurity professionals, researchers and innovators in the public and private sectors who love difficult challenges. Many would jump at the chance to have an impact on a national level. We can encourage that mass-scale commitment by enabling the exchange of ideas and funding the results. Top officials must make it worthwhile for small tech companies and expert security teams to innovate. The tech visionaries could stop hunting for funding from venture capitalists and instead gain investments from the government to design and build security solutions that will benefit the greater good.

— Chase Cunningham is director of cyberthreat research at Armor.