Multiple countries are now discussing the need to establish a comprehensive cyber protection program, given the continued increase in the threat of cyber attacks and cyber warfare. The attack on Estonia and the more recent attack on Georgia are being viewed as the harbinger of what is to come. I was recently asked what a comprehensive Cyber Protection Program (CPP) might look like, so I thought I would put down the ten areas I think would be critical to include in one.
1. Mandatory requirement for up-to-date protection software on any device connecting to the Internet, including:
- a. Anti-Virus
- b. Anti-Spyware
- c. Anti-Malware
- d. Anti-Adware
This software will automatically upload attack data to a central reporting center.
2. Mandatory isolation capability on every system with high processing capacity, and a firewall on every device connecting to the Internet, with the following functionality:
- a. Cannot be disabled other than for a few seconds
- b. Has pre-configuration for mandatory protection
- c. Automatically uploads attack data to a central reporting center
- d. Automatic disconnection when massive outbound DDoS traffic, the signature of a compromised computer system, is detected
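The auto-disconnect function in item 2d needs a concrete rule for what "massive outbound DDoS traffic" means, and that rule is where the risk of cutting off a legitimate host lives. The following is an added illustration, not code from the original post: a small egress-flood detector that runs over per-host outbound flow records (the kind a gateway would get from NetFlow/IPFIX or connection-tracking counters) using a sliding window. The flow records, the thresholds (10,000 packets in 5 seconds, 100-byte average packet size, 20 distinct destinations) and the two trigger heuristics are assumptions chosen for the example, not values the post specifies. The constructed sample includes a bulk backup transfer precisely to show the kind of high-volume traffic that must not trip the disconnect.

```python
"""Outbound flood detector: flag hosts whose egress looks like DDoS participation.

Added example; thresholds and sample data below are illustrative assumptions.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts_ms: int     # flow start, milliseconds since an arbitrary epoch
    src: str       # local (inside) host that originated the traffic
    dst: str       # remote destination
    dport: int
    packets: int
    bytes: int


def detect_outbound_flood(flows, window_ms=5000, pkt_threshold=10_000,
                          small_pkt_bytes=100, min_dsts=20):
    """Return {src: report} for hosts whose egress in some window looks like a flood.

    A host is flagged once it exceeds pkt_threshold packets inside window_ms AND either
      - its average packet size is below small_pkt_bytes (volumetric flood to one or
        a few targets: SYN/UDP floods are made of tiny packets), or
      - it has hit at least min_dsts distinct destinations (spray / reflection pattern).
    Large-packet, single-destination traffic (backups, uploads) is deliberately NOT flagged,
    which is the main false-positive class for a volume-only rule.
    """
    windows = defaultdict(deque)   # src -> flows currently inside the window
    pkts = defaultdict(int)        # src -> packets inside the window
    byts = defaultdict(int)        # src -> bytes inside the window
    flagged = {}
    for f in sorted(flows, key=lambda x: x.ts_ms):
        if f.src in flagged:
            continue               # already isolated; no need to keep scoring it
        q = windows[f.src]
        q.append(f)
        pkts[f.src] += f.packets
        byts[f.src] += f.bytes
        while q and f.ts_ms - q[0].ts_ms > window_ms:   # slide the window forward
            old = q.popleft()
            pkts[f.src] -= old.packets
            byts[f.src] -= old.bytes
        if pkts[f.src] <= pkt_threshold:
            continue
        dsts = {x.dst for x in q}
        avg = byts[f.src] / pkts[f.src]
        if avg < small_pkt_bytes or len(dsts) >= min_dsts:
            flagged[f.src] = {
                "host": f.src,
                "first_seen_ms": f.ts_ms,
                "window_packets": pkts[f.src],
                "avg_packet_bytes": round(avg, 1),
                "distinct_dsts": len(dsts),
                "reason": "small-packet flood" if avg < small_pkt_bytes else "destination spray",
                "action": "isolate",
            }
    return flagged


def sample_flows():
    """Constructed sample traffic (not real captures) covering the cases that matter."""
    flows = []
    # 10.0.0.5: bot sending 64-byte packets at a high rate to one victim
    for i in range(60):
        flows.append(Flow(100_000 + i * 20, "10.0.0.5", "203.0.113.9", 80, 300, 300 * 64))
    # 10.0.0.6: moderate-size packets sprayed across many hosts (reflection-style)
    for i in range(40):
        flows.append(Flow(100_000 + i * 50, "10.0.0.6", f"198.51.100.{i + 1}", 53, 400, 400 * 200))
    # 10.0.0.8: backup job, large packets to a single destination; must NOT be flagged
    for i in range(40):
        flows.append(Flow(100_000 + i * 100, "10.0.0.8", "192.0.2.10", 443, 500, 500 * 1400))
    # 10.0.0.7: ordinary browsing, low volume
    for i in range(10):
        flows.append(Flow(100_000 + i * 300, "10.0.0.7", f"192.0.2.{20 + i % 3}", 443, 50, 50 * 600))
    return flows


def attack_report(flagged):
    """Serialise the decisions as the payload a device would upload to a reporting center (item 2c)."""
    return json.dumps(sorted(flagged.values(), key=lambda r: r["host"]), indent=2)


if __name__ == "__main__":
    print(attack_report(detect_outbound_flood(sample_flows())))
```

Two design points are worth noting. The small-packet and distinct-destination heuristics cover different attack shapes (a single-victim volumetric flood versus scanning or reflection), and neither is sufficient alone; a real deployment would also allowlist hosts that legitimately emit high-rate small packets (VoIP gateways, authoritative DNS servers) and would gate the automatic disconnect behind a short confirmation window rather than acting on the first window that trips. The report payload carries the evidence (packet count, average size, destination count) rather than just a verdict, so the central center can tune thresholds from what devices actually observe.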
3. Legislation mandating that software vendors comply with the following:
- a. Report malware and software vulnerabilities to the authorities within 24 hours of discovery
- b. Meet minimum security testing requirements prior to the release of any software program
4. Criminal laws specifically addressing the unique characteristics of cyber attacks, malicious code and system compromise, including language that addresses the threat of DDoS attacks.
5. Criminal laws specifically addressing the development and sale of cyber weapons.
6. Criminal and civil laws that address organizations that fail to immediately report cyber attacks or data breaches, including those that destroy evidence of cyber attacks, system compromise and data theft.
7. Establishment of a quasi government/business entity that coordinates defensive and protective capabilities of the information infrastructure. This would also include a cyber attack and threat alerting system.
8. Establishing an Intelligence Center that is charged with cyber intelligence collection, analysis, trend reporting as well as collaboration across the other intelligence agencies.
9. A federal cyber attack investigation unit that is the center of excellence and develops tools and techniques as well as works with all other agencies and law enforcement to dissect cyber attacks and malicious code and assist with investigations.
10. Implement within the federal cyber attack investigation unit a division that provides sufficient audit and control measures to ensure the laws are being followed. The private sector has already proven that self-governance is unreliable in ensuring adherence to the protection necessary for cyber defense.
Now I know there will be many comments about "big brother" and "big government," but given what has taken place thus far, I am not sure we have any other choice. It is deeply concerning that 85 percent of organizations have admitted they have had systems and data breaches. A significantly smaller number have actually reported them in accordance with the 40 data breach notification laws that are currently in place.
An improperly protected computer or other device connected to the Internet is a cyber weapon waiting to be loaded and used.