2019 National Cyber Summit

Dr. Ron Ross, Fellow, National Institute of Standards and Technology

Today, the cybersecurity threats to our government, businesses, critical infrastructure, industrial base, and people are as severe as threats of terrorism or the threats we experienced during the Cold War. Overcoming these threats will require a significant investment of resources and the involvement of government, industry, and the academic community.

Cybersecurity efforts today are largely focused on what is commonly referred to as cyber hygiene, which includes such activities as inventorying hardware and software assets; configuring firewalls and other commercial products; scanning for vulnerabilities; patching systems; and monitoring. While practicing good cyber hygiene is certainly necessary, it’s not sufficient. This is because these activities don’t affect the basic architecture and design of the systems that we depend on. Even if we were to achieve perfection in our cyber hygiene activities, we would still be leaving our most critical systems highly vulnerable due to our inability to manage and reduce the complexity of the technology.

Creating more trustworthy, secure systems requires a holistic view of the problem and the application of the concepts and principles of science and engineering to solve the problem. Implementing well-defined, engineering-based security design principles at every level, from the physical to the virtual, must be a top priority. The concepts and principles should be driven by mission and business objectives, stakeholder protection needs, and the security requirements of the individual organizations. While these solutions may not be appropriate in every situation, they should be available to those entities that are critical to the economic and national security interests of the United States, including, for example, the electric grid, manufacturing facilities, financial institutions, transportation vehicles, medical devices, water treatment plants, and military systems.

Solving our cybersecurity problems will take a concerted effort on a level we haven’t seen since President Kennedy dared us to do the impossible and put a man on the moon over a half century ago. We can do it again, but the clock is ticking, the time is short, and the stakes could not be higher.