Michael Daniel, White House Cybersecurity Coordinator, says the inevitability of cyber attacks is the 'new normal.' (Nicole Blake Johnson)
Cybersecurity incidents are inevitable, so agencies must plan for them, according to White House cyber czar Michael Daniel, who is far from alone in that opinion.
Government and private sector companies are up against broader, more diverse and sophisticated cyber threats than they once were, he said, speaking on Jan. 29 at the 2014 Cybersecurity and Innovation Forum in Baltimore, Md.
“In living with this new normal, businesses and government alike should develop and test their cybersecurity incident response plans and continuously monitor the networks under the assumption they’ve been breached,” Daniel said.
The threat is becoming broader and more diverse as more devices are connected to the Internet, an emerging phenomenon usually called the “Internet of things.”
“If we thought that doing cybersecurity in a world of wired desktops was hard, now we’re going to do it in a world where your coffee maker, your car and your refrigerator are also a threat vector,” he said. “That makes the problem just that much more difficult.”
He equated cyber incidents and attacks to bad storms: they are inevitable and plans must be in place to address them and mitigate the damage or else they can do tremendous harm.
Many technology enthusiasts had hoped President Obama’s State of the Union speech Tuesday would have touched on improving cybersecurity, or other topics like information technology and surveillance reform. While the president steered clear of these topics, he did note that the U.S. will continue strengthening its defenses and combating new threats, including cyberattacks.
“We have made a lot of progress over the last few years, but it’s not nearly enough and we need to move faster on that,” Daniel said. “Our systems are still vulnerable to cyber intrusions in ways that we don’t like.”
Agencies will continue improving the security of their networks, but even with those improvements there will be cyber incidents, he said.
“We want to improve our ability to actually deter those upfront, respond to them when they happen and mitigate any of the effects when they do occur,” Daniel said. But technology can’t compensate for bad business practices. He said most of the problems organizations face are not solely about the technology but about the people who use the technology.
Daniel said in some instances he has to convince people the cyber threat is real. For others, it’s a matter of “talking people back off the ledge because they’ve seen one too many Bruce Willis movies about cyber Armageddon. We’re not talking (about) a Hollywood view of the threat.”
Across government and industry, challenges include encouraging the broadest implementation of best practices; facilitating information sharing that is simple, cost-effective and habitual; and making business practices more secure by default.