“There is simply no excuse for the Federal Government to be such a poor leader” in cybersecurity, reads a newly-released report from the President’s Council of Advisors on Science and Technology, warning the government to update its systems.
The Council, a group of scientists and technology professionals who advise the president on such matters, emphasizes in this report the importance of non-static security measures and the incorporation of private industry in designing security technology fluid enough to keep up with cybercrime.
The report most aggressively chides the White House for using outdated operating systems like Windows XP, noting that recommendations in March 2012 repeated their calls for updates today and that “the Federal government rarely follows accepted best practices.” It recommends “phasing out” the old systems within two years, as modern operating systems are designed with security in mind and are much harder to attack.
The report also warns against overregulation of the private security industry. Much of it discourages the government from using a checklist of cybersecurity measures coming from a regulatory department such as the Department of Homeland Security, warning the list would rapidly become “fossilized and bureaucratic.”
Instead, it recommends that offices such as the SEC require corporations and private actors to disclose to the government what they are doing to prevent cyberattacks, and that those offices evaluate the measures after being notified of them, rather than telling companies specifically what to do. The report concludes that, as two private actors’ best practices in cybersecurity will rarely be the same, imposing such a standard would be “not just unproductive, but counterproductive.”
In contrast, requiring audits but leaving the methods of security open-ended creates a private sector “race to the top” to create the most dynamic and safe cybersecurity software, creating something of a marketplace for computer ideas both private industry and the government can benefit from. This is especially important, the report argues, because private sector advances in the number and types of devices using the Internet in the past two years have rapidly outpaced security advances, and many smaller devices on the Internet are not designed with the protection computers have.
The report calls not only for competition with the private sector, but also for cooperation. The government, it advises, should “act to facilitate the establishment of private-sector partnerships for the real-time exchange of threat data among potentially vulnerable private-sector entities.”
In particular, the report calls for Internet service providers to work together and share information they receive on any threats in order to make it easier for the entire industry to combat and shut down a threat as it develops in real time.
The Council has placed the full unclassified report online, which you can read in its entirety here.