Mischel Kwon: Cybersecurity is a Group Effort

Domestically we have a lot of issues that we need to overcome, the first being the fact that most of our companies are global companies. They are not American-owned companies, even in critical infrastructure. There has been in the past a lot of concern about sharing information with companies that are not American companies. Somehow we have to come to terms with the fact that this is a global problem and we are going to be dealing with global entities. We have to figure out, again, where that line is of how much we can talk about and not affect our nation. I think that line is in the wrong place right now. Once we re-adjust that line, then we can tackle some of the other hard problems.

Many of these issues have been identified in the DHS study, the Enduring Security Framework. Now we have to just get down to the business of figuring out how to get past them. But this isn’t just a government problem; we have to remember that the private sector has not been forthcoming in airing the laundry of what’s happening to them either, for many reasons. This is a hard thing to do, particularly when we are talking about affecting the reputations of companies. How willing is a company to come out in public and air the problems they are having in the cyber world, when it could affect how their customer base feels about them reputation-wise? This has been a problem since the very beginning. We have to find a way to talk about these things as a cyber community without affecting the reputations of companies. This is a much more complicated situation than just one entity not sharing with another.

TNNI: One of the things you touched on was the human element to cybersecurity. How should companies and the government both approach educational efforts to not only employees, but the public at large to try to build a culture that uses good cyber hygiene?

Kwon: There are two factors to this: awareness and education to create a better workforce.

IT security is in an evolutionary period. We have not been doing this for very long. If you look at any other industry, take the car industry for example, it took them a good 50-60 years before they even thought about safety in cars, right? Just recently, within our adult lives, they have really focused on safety – with airbags, anti-lock brakes, and even self-stopping cars. That was really an evolution of an industry. We are doing the same thing in IT security. Just five years ago we were still concentrating on very rudimentary security user awareness techniques, such as the use of passwords. Whereas now, we have to move to a much more threat-based awareness, where we advise users to patch and turn off their computers at night. It is becoming a lot more burdensome for the actual user. There is something to say for trying to take as much of that burden off of the user and providing them with automated ways of cleaning their machines and having good computer hygiene. We do, however, need to spend more time doing this – not just teaching, but also creating automated ways to ensure that the spaces they do use are more secure.

We have to teach our kids, and we can’t separate the security from the computer. That is one of the biggest mistakes we have made over the past 10 years – isolating information assurance and cybersecurity away from the operation and maintenance of the computer. We need to put those teams back together so you are not just identifying a problem, but you are fixing it. That is included in user-awareness. So if we teach our children how to build webpages, we need to teach them how to build secure webpages. As we teach our kids to use social networking, we need to teach our kids how to use social networking in a safe way. We need to teach them not only computer literacy, but we also need to teach them privacy literacy. We need to teach them what information we should keep to ourselves and what information they should question the security of, particularly with regards to how they are transmitting it.

We must give them the security rules that they live by. We all have those little rules, right? For instance, you know that your social security number is sensitive, so you know not to email it. Simple rules we all make for ourselves as adults, we need to help our children make those rules for themselves and teach them how to protect their privacy. It is more than just IT. It is also teaching them how to be private people, as well as teaching them the ins and outs of maintaining their cyberself.
