President Obama’s State of the Union Address featured a new legislative focus on cyber security issues:
No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.
Bill Solms, President & CEO, Wave Systems, believes we need bold reform to strengthen U.S. cybersecurity. Here are some of the other comments Help Net Security received:
Marc Gaffan, CEO of Incapsula
We are excited at President Obama’s focus on securing cyberspace from hackers and creating harsher legal penalties for those engaging in malicious activity online. Recently, we have watched cyber criminals not only engage in more complex attacks, but also seen the proliferation of hacking guns for hire. Creating legislation that clearly states the illegality of selling botnets will combat the exponential growth of malicious bots trolling the Internet, which by our own research makes up 30 percent of all Web traffic.
We also see great potential in allowing courts to shut down bots engaged in DDoS attacks and other illegal activity. These types of attacks cost businesses an average of $500,000 in damages, and as we saw recently with the Sony hack, organizations under attack are largely helpless in protecting themselves once their network has been breached.
While we are encouraged to see the government address this burgeoning threat, it is still imperative for organizations to put protective measures in place. Securing a network against attacks not only protects against the threat of a site shutdown, it ensures that customer or employee data does not fall into the wrong hands.
Sean Sullivan, Security Advisor of F-Secure
Prediction: Section 215 and Section 206 of the USA PATRIOT Act and Section 6001 of the Intelligence Reform and Terrorism Prevention Act will be reauthorized before their June 1, 2015 expiration date.
Post-Snowden, it appeared as though the controversial provisions might lack the political support needed to avoid sunset. But now, we are confident that Washington D.C. will act to protect itself from ‘nation state cyber-terrorism’ and will renew them after all.
Don’t expect reform in 2015. The violation of your digital freedom will continue. Mark your calendars.
Uri Sarid, CTO of MuleSoft
Lesson 1: The age of security by obscurity is over. We now know for sure that hackers have the time, skill and incentive to find you—and your vulnerabilities.
Lesson 2: Complexity is the enemy. Modern IT systems are incredibly powerful, but they’re also dangerously complex and deeply interconnected. Every smartphone, tablet, web server and office application is a potential vulnerability. No one can fix them all, and a hacker only needs to find one.
Lesson 3: Simplicity is your best defense. That’s one reason so many businesses are using custom APIs for their IT. APIs reduce an organization’s “attackable surface” by exposing a select set of IT functions: updating or reading a sales record, for instance. Users (or hackers) never touch the underlying IT systems, just the API. Even if hackers do manage to access the API, they can’t do anything the API doesn’t allow.
Instead of locking down everything equally (an impossible task), businesses can focus on securing the API and the systems it touches. It’s not a foolproof strategy. You still have to protect the API correctly, but this is a practical and increasingly popular way to manage security in the face of complexity.
David Campbell, CSO of SendGrid
2015 is the year that encryption becomes mainstream. We can’t expect consumers to understand or take on the burden of implementing encryption, so the security industry and technology providers need to take this on.
We’re already seeing the impact of broken security standards, such as the global PKI which is only as strong as the weakest link. Breaches and privacy debacles related to poor crypto implementations will continue until we can agree on a new approach forward.
There have been improvements, including certificate pinning, SSL Perspectives, Convergence and DNSSEC/DANE, that have seen some traction, but until the community, the governments, and the standards bodies can achieve consensus, all of the work we are doing may be wasted effort. Without evolution of global encryption, we expose the enterprise and consumers to unnecessary risk.