As there is now exactly 31 days until the start of 2020, I am going to start, on a periodic basis, making my assumptions for what could potentially happen in the next year when it comes to Cybersecurity. I won’t be writing a specific blog on all of them, but rather, when I think it is important enough to publish something in order to keep you informed.
I am actually planning for our 6th Cybersecurity newsletter to be all about what happened in 2019, and what is to come in 2020.
So, a threat vector that I foresee that could gain greater grounds are that of Insider Attacks. As I have mentioned before, we don’t hear too much about them in the news as much, simply because we are inundated in the news headlines with all of the digital threat vectors that are occurring. But Insider Attacks are happening, and even right now as we speak.
The only problem with this, is that they are very difficult to track down until the damage is done and it is too late. In most instances, this is usually carried out by an employee, or a contractor, or even a so called trusted third party who knows all about the inner workings of your company.
For example, you may have an employee that has been with you for years and years, and he or she has always seemed happy in what they do.
But they are the ones that could very well be launching the beginnings of an Insider Attack. That is why they are so difficult to track, because a business owner has to have a keen eye on any suspicious or odd behavior that is taking place. Of course, they can’t always do that, because they are so busy with running the other parts of the business.
Therefore, it is imperative that you rely upon on other employees to be literally your eyes and ears, and to maintain some sort of 24 X 7 X 365 hotline where they can report any types of erroneous behavior and make you aware of them.
This kind of approach to Cybersecurity does not just hold for Insider Attacks, it even holds true for the digital kinds of threats as well. The bottom line is that you cannot be everywhere all the time, thus you need to have other people to be on the lookout as well.
This is where it takes a deep sense of trust and confidence on part of your employees to even report any vulnerabilities that they see from within the IT and Network Infrastructure of your business, so that it can be mitigated immediately. Obviously, its not easy to do this, as the employee who reports anything will always live in fear of retaliation or the loss of their job.
In an effort to foster this kind of environment, where your employees can report anything out of the blue without such fears, the Cybersecurity and Infrastructure Security Agency (also known as “CISA”) is in the planning stages of drafting out a new governmental Cybersecurity directive which has been termed the “BOD-20-01”. More details of this can be seen here at this link:
The primary thrust of this new directive is to encourage Federal Government employees to have “seen something” to “say something” to those responsible that can mitigate it quickly, with a minimal amount of downtime. But what is unique about this sort of “Vulnerability Disclosure Policy” (aka “VDP”) is that the American public at large can be involved as well.
So, if there is a vulnerability that has been disclosed in a certain software application, and if you have a potential solution for it, you are highly encouraged that to be submitted for review. But what is different about this is that while the Federal Government will be required to maintain the library of the vulnerabilities that have been disclosed, there is no mandate for a certain timeline in which has to be fixed by.
Rather, they are leaving this to the American public (namely those in the Cybersecurity Industry) to figure out the solution. In other words, you can imagine this as being a super forum, where anybody can offer a solution, and will be publicly available across all mediums on the Internet.
Here are some of the new features of this potential, new directive:
*Every Federal Agency must maintain and publicly disclose a VDP;
*After a VDP has been published and the resolution has been found, it must be updated on a real time basis with any new developments that may occur that are related to it;
*Although no official timeline has been mandated for a vulnerability to be fixed, it is highly “suggested” that the resolution be found within a 90-day timespan;
*There is a 2-year time limit when all vulnerabilities that have been discovered must be formally reported into a VDP template;
*Any Federal Government employee, whether they are a direct hire or just a third-party contractor, has the liberty to report any Cybersecurity vulnerabilities and weaknesses in a manner where they will not fear any sort of retribution or job loss;
*Any VDPs that have been submitted and their solutions can only be used for defensive purposes, not for any offensive purposes. In other words, these documents have been created and designed for the good of the American Cybersecurity, and should not be used as a leveraging point in which to launch a Cyberattack;
But there are some disadvantages to this process as well, which are as follows:
*Anybody who submits a solution and is deemed to be effective, will not be monetarily compensated for their efforts. In other words, this is not your typical “Bug Bounty” program, where a software vendor (such as those of Google, Microsoft, Apple, Oracle, etc.). offers monetary compensation for any solutions provided that mitigate any vulnerabilities in their respective product lines;
*This VDP program only exists from within the confines of the United States Federal Government, it is not designed to be used on a national level.
My Thoughts On This
I honestly applaud these efforts. I think that this is definitely the right step forward in bringing together the American public as well as the government in a harmonious fashion in order to combat Cyberattacks. Perhaps once this program gets good enough footing, perhaps it can then be deployed into a national framework, which I think will be very beneficial for all.
But, the one thing I don’t like about it so far is the lack of monetary compensation. Let’s face it, to some degree or another, we are all motivated by money. I think by not having this mechanism in place, there are a lot of people out there with great expertise that simply won’t offer a solution because of this.
While this compensation may not have to be necessarily be a million dollars, something tangible would be enough motivation to bring these kinds of people forward.
Remember in a previous blog, I had written that perhaps the first best line of defense is to trust your gut??? Well, here is the second-best line of defense: If you see something, say something!!!