On a day jam-packed with high-profile cybersecurity hearings and events in Washington, one expert witness strayed from the usual endorsements of government and corporate party lines to suggest that the cybersecurity strategies embraced by most organizations might actually harm security. Speaking at a hearing held today by the Senate Homeland Security and Government Affairs Committee, CrowdStrike Chief Risk Officer Steven Chabinsky (appearing in a personal capacity) said that the recent cybersecurity framework produced by the National Institute of Standards and Technology (NIST), while improving cybersecurity, "will not result in adequate security of our infrastructure and for our country."
Although praising the framework as a true public-private partnership, Chabinsky said that "improving our security posture requires that we reconsider our efforts rather than simply redouble them." Advocating that U.S. organizations align their cybersecurity efforts more with the strategies used in the physical world, Chabinsky said "we must ensure that our cybersecurity strategies focus on not preventing more intrusions but on more quickly detecting them and mitigating harm."
Specifically, Chabinsky, previously a long-time FBI cyber intelligence leader, advocated a shift away from a "vulnerability mitigation" mindset, which he likened to protecting a building by constructing a twenty-foot brick wall around it (only to have the intruder buy a 30-foot ladder as a consequence), to one that focuses on instant detection, attribution, threat response, and recovery while in parallel locating and penalizing bad actors. "We take reasonable precautions to lock our doors and windows, but we do not spend an endless amount of resources in hopes of becoming impervious to crime."
The growing focus on vulnerability mitigation can lead to decreasing economic returns, or worse, negative returns. For example, using the analogy of the brick wall, stepped-up vulnerability mitigation might cause the intruder to use powerful explosives instead of buying a ladder. "Our current cyber strategy has had the unintended consequence of proliferating a greater quantity and quality of attack methods thereby escalating the problem and placing more of our infrastructure at greater risk," Chabinsky said.
Threat deterrence would improve, he argued, if blame fell on the offenders rather than on the victims for not having adequate vulnerability protection. "It is my hope for the future that the blame for, and the costs of, cybercrime will fall more squarely on the offenders than on the victims, that in doing so we will achieve greater threat deterrence, and that businesses and consumers will benefit from improved, sustained cybersecurity at lower costs," he concluded in his written testimony.