Daren Glenister

DELUSIONS OF ADEQUACY: WHY PRESIDENTIAL POLICY DIRECTIVE 41 FALLS SHORT

Delusions of Adequacy

President Obama’s recent policy directive on cybersecurity was eight years in the making. Unfortunately, its proposed actions are barely adequate to the massive task of defending against the onslaught of daily cyber attacks on U.S. companies and government agencies.

The new document, Presidential Policy Directive 41, is supposed to improve government and private-sector coordination in dealing with major cyberattacks. Among other things, the directive lays out which agencies will handle tasks related to a major cyber breach.

For example, the FBI gets tasked with conducting breach investigations, while DHS has the lead for providing “technical assistance” to breach victims “to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents.”

The White House’s Office of the Director of National Intelligence takes the lead for “intelligence support and related activities.” And of course there will be lots of “coordination” among these agencies through a newly set up Cyber Unified Coordination Group.

New Color Scheme for Cyberattacks

In addition to the directive, the administration released a five-level cyber incident severity schema, setting up a common framework for assessing the severity of cyber attacks, similar to the DHS’s national terrorism advisory system threat-level matrix. There is an attractive color palette of white, green, yellow, orange, red, and black to categorize everything from an “inconsequential event” to a cyber event that “poses an imminent threat” to critical infrastructure, federal government stability, or to the lives of U.S. citizens.

Unfortunately, the U.S. government has zero credibility when it comes to establishing effective policies and procedures on cybersecurity. Just look at the number and scope of federal agency breaches over the last few years – the Office of Personnel Management, the Internal Revenue Service (twice), the State Department, the U.S. Postal Service, the Department of Commerce, and the Federal Deposit Insurance Corp, not to mention the recent Democratic National Committee email hack and Hillary Clinton’s questionable handling of government email while she was secretary of state.

While highly regulated industries must provide strong data security or face government fines or other regulatory action, no one is keeping the government itself honest; no one is threatening the government with fines or any other actions. Accountability forces the private sector to be proactive about data security, but the government can do anything it wants.

Securing Data Before It Is Breached

But the directive and severity schema raise the obvious question: What are you going to do to secure your data before it is breached?

This directive does nothing to help CIOs, whether in the government or in the private sector, prevent these breaches in the first place. The guidelines are too focused on what to do after an attack – there is no mention of any kind of preventive measure, such as improving user behavior.

Instead, public and private entities should be asking: What kind of sensitive data do we have, and who needs to access it? What is our plan for controlling who has access to data? What are more secure ways people can share this sensitive data other than email? Does our current security plan have provisions for data at rest and data in motion?

Most companies have strong protection of data at rest when it is stored on their servers. But when data is in motion, within the company or to outside individuals or vendors, protections are often weak. The weak link in your data security plan is when data is in motion and/or outside of your control.

Instead of expecting the federal government to do something, it is up to the private sector to take action to protect data at rest and in motion before the data is stolen by cyber criminals or nation-states.

By Daren Glenister


Daren is the Field Chief Technology Officer for Intralinks. Daren serves as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements.

Glenister brings more than 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many Fortune 1000 companies to turn business challenges into real-world solutions.
