- Cybersecurity advice to the next US President from Von Welch.
- Don't expect a uniform approach to secure the cyberworld.
- Consumer-citizens are an integral link in the national cybersecurity strategy.
The general election is looming in the US. Who will be the next President of the United States? The answer to that question will have a wide range of effects, including on the national role of science.
Science Node has solicited opinions from leading thinkers across the scientific domains, and we will host their advice to the next POTUS over the remaining days left in the campaign.
We begin the advice to the next POTUS series with a timely word from Von Welch, director for the Cybersecurity Center of Excellence (CCoE), a US National Science Foundation (NSF) initiative to create a high quality, safe cyber working environment for scientists.
Just last week, the US experienced the largest cyber attack in its history. What happened?
Last week's attack was what was known as a distributed denial of service (DDoS). So much internet traffic was sent to a service that it was overwhelmed and couldn't respond to legitimate clients.
The site attacked, Dyn, is what is known as a domain name service provider. Its job is to turn human-readable addresses, for instance, sciencenode.org, into addresses computers understand (220.127.116.11 in this case). It’s basically an ‘Internet phone book.’
What is interesting about this case is how all that traffic was generated. It didn't come from computers, laptops, or even cell phones — it came from cameras. Tens of millions of internet-attached cameras which had weak default passwords were hacked and used to generate all the traffic.
[Read Dyn's summary analysis of the outage here. Ed.]
In the interest of protecting our online world, what would you have the next POTUS know about cybersecurity?
First, it’s important for the next president to understand that science is very collaborative and unpredictable. That means research can take many unforeseen directions and involve colleagues from across the country and even around the globe. For this reason, cybersecurity needs to be crafted so that it is an enabler and not a hindrance to these dynamic collaborations.
Secondly, it must be recognized that there is no ‘one size fits all’ for data security in science. Clinical research has strict privacy and confidentiality requirements as defined by law. Sometimes confidentiality is required by ethical considerations (e.g., for researchers working with endangered species data).
"Just as an Indy race car isn’t appropriate for everyone’s day-to-day needs or even street legal, we need different classes of IT appropriate for different situations and with different levels of testing." ~Von Welch
A lot of other science data is completely open, but to ensure the results are accurate and the science can be reproduced, this data still needs to be protected against accidental change or malicious tampering.
Scientists are very concerned about bias, and cybersecurity engineers are concerned about insider threats. There is a lot of similarity in these concerns but very different language, and this often causes the two communities to talk past each other. Cybersecurity needs to learn to understand scientific processes and how their tools and techniques work to support those processes.
Returning to last week’s cyber attack, what advice do you have to the President about securing the Internet of Things (IoT)?
As more and more devices are becoming internet-attached, unfortunately companies are having to relearn the computer security lessons our computer and cell phone manufacturers learned years ago.
We can expect these sorts of events and attacks to continue and even increase as these IoT devices (cameras, thermostats, light bulbs, cars, medical devices) become more common and the manufacturers learn these lessons. In last week’s case the camera manufacturer ended up recalling the cameras in question.
As a consumer, if you buy a new device and if it has a default password, take a moment to change that password, storing it in your password manager so you have it when you need it again. This will help make sure your home doesn't become part of the next attack!
The next president can further cybersecurity efforts by pushing the standard for the safety and security of our IT infrastructure — be that infrastructure a computer, part of our car, medical equipment, or any other device.
When we buy a car, we do so with confidence knowing the National Highway Traffic Safety Administration has tested it and standardized the reporting so we can compare different vehicles on safety. Similarly, if you buy a lamp or other electrical device, you know that Underwriters Laboratories has tested it for basic safety functionality.
There are some early government efforts in this space today such as the Cyber Independent Testing Lab (CITL) and the Software Assurance Marketplace (SWAMP), but we need to advance these early means of testing, standardizing and ultimately requiring them for general consumer devices.
A key challenge here will be to make things safe for the average citizen, while still allowing for entrepreneur research and development and open-source development that is critical for driving the innovation we are accustomed to (and is key for the scientific community).
Just as an Indy race car isn’t appropriate for everyone’s day-to-day needs or even street legal, we need different classes of IT appropriate for different situations and with different levels of testing.