Cybersecurity Needs Its Own CDC

How to understand your data
Aug. 28 2014 3:30 PM

Unreadiness Team

Let’s start treating cybersecurity like we treat public health.

In February, a Senate report described a number of security breaches that pose a threat to American citizens. Hackers stole data on our weakest dams, including those that could kill someone if they failed. They used the Emergency Broadcast System to broadcast zombie attack warnings—which might be funny if it didn’t underscore how vulnerable that system is to intruders. Even the National Institute of Standards and Technology got hacked, and its database of known software vulnerabilities was offline for days.

All of these agencies have their own internal auditors and inspectors general investigating their systems. In October 2012, the Department of Energy’s inspector general reviewed the Western Area Power Administration, which has oversight for 15 central and western states. The audit found that “nearly all” of the 105 computers tested needed to be patched. One of the servers was still using a default name and password, which “could have allowed an attacker with an Internet connection to obtain unauthorized access to an internal database supporting the electricity scheduling system.” Just a few months ago, hackers infiltrated the DOE and stole data on 100,000 people. The IG blamed that theft on outdated software. It turns out that an upgrade had been purchased; it was just never installed.

The DOE is just one agency. There are audits that reveal similarly troubling findings for other groups, including the IRS, the Nuclear Regulatory Commission, and the Department of Education.

My point is that government administrators in cybersecurity aren’t as effective if they haven’t been in the trenches fighting hackers. Maybe those DOE patches weren’t made because they seemed like those run-of-the-mill Windows updates on our home computers that we like to ignore. Leaders without technical experience and knowledge aren’t equipped to ask their staff important questions or make good proactive decisions. There’s just too much changing every day for a non-expert to be at the helm. As hackers poke holes in our existing tools, they reveal new vulnerabilities in our operating systems, our Internet browsers, our databases and servers. Rarely does any digital tool operate completely independently, which means that when one company releases an update, it may cause problems for the ancillary services it uses. An example: A browser might change its settings, causing a few lines of code on a banking website to behave differently. If left unchecked, that could potentially expose a user’s account information to hackers.  

Consumers are buying and using technology at an unprecedented rate, and they don’t fully understand how the new digital equipment and tools they’re using can be compromised. At some point, there were government employees assigned to write, edit, approve, and post the 48 PDFs on US-CERT’s website. If someone thought it was important enough to create those documents, shouldn’t it be just as important to make sure that content is current? Maintaining a bunch of PDFs isn’t US-CERT’s main function, of course, but part of its charge is to keep the public informed—and if US-CERT can’t help consumers learn how to fend off cyberattacks, some other agency should take the helm and wage a comprehensive publicity campaign.

It’s time to treat our digital ecosystem the way we do public health. The solution is an agency staffed by cybersecurity experts who understand the delicate balance between national security and personal privacy. They must create protocol that’s proactive and have the authority to enact it. There should be a unified process in place for threats to critical infrastructure, one for which all private contractors receive ongoing training. Currently, there is no single organization that’s aware of all the cyber-related research and development work being funded by the government. An agency should be responsible for coordinating that research, making sure it’s not redundant across agencies and can actually be used.

Some of these ideas have already been articulated as part of the White House’s Comprehensive National Cybersecurity Initiative. It’s a well-crafted government report, with a lot of acronyms and official names. But the layers of offices and task forces and teams involved are a tangled mess compared with how hackers operate. In their world, they operate alone or in clusters. They’re nimble and fast. And they can cause havoc in an instant.

Amy Webb writes a column about data for Slate. She's the head of Webbmedia Group, a digital strategy agency, the author of Data, A Love Story and the co-founder of Spark Camp.
