Thursday, October 27, 2022

Car Safety – Gun Safety – Cybersecurity?

An interesting TWEET this morning from Director Easterly pointing at an article over on 99PercentInvisible.org. That article starts out as a look at automotive safety and the importance of collecting data on auto accidents to improve the safety of automobiles, then it morphs into an article about how gun safety issues are actively ignored. Kind of an odd article for the CISA Director to be pointing at, right? But read her TWEET:

“READ THIS & consider today’s tech ecosystem. As much of critical infra is underpinned by networked technologies, ensuring products & software are #SecureByDesign & “cybersafe at ALL speeds” is imperative for national security & the safety of every user.”

The article points out the importance of the accident-reporting Fatality Analysis Reporting System. Cybersecurity has its CVE database that records cyber vulnerabilities, but it seems that few researchers are scouring that database for information to make IT and OT technology more secure. Part of the reason may be that the database is incomplete; even agencies like CISA rarely provide updates to CVEs and frequently do not provide information to populate the database once a CVE number is reserved.

Even so, vulnerability reports are not the same as accident reports. They do not point at what is killing systems in actual practice. For that kind of information, we would need to have a reporting system that provides data on actual cyberattacks and attempted attacks. But wait, CISA was finally given authority to begin to collect just such data, and in a year or two (or three, or four) we will be seeing such a database being populated with useful data, right?

That remains to be seen. Go back and read the article again. It makes the point that what made the accident data valuable is that lots of folks were able to look at it and analyze it: car manufacturers, designers, government agencies, lawyers, and activists. Each of those had a part to play in bringing about the changes to automobiles and their supporting infrastructure that so drastically improved vehicle safety. Will there be that level of access to the data in CISA’s cyberattack database? Probably not; security, you know.

Now go back and re-read the article one last time. It was not the database that improved automobile safety. It certainly helped, but it was a government agency (the National Highway Transportation Safety Administration) that was given the power to set minimum standards for safety performance for all automobiles that paved the way. Yes, in many cases manufacturers have gone beyond the minimum standards, but it was arguably those standards that paved the way for car companies to begin to brag about safety innovation.

Perhaps it is time for us to pressure Congress to provide some new government agency with the authority to set cybersecurity standards: standards, not guidelines; standards, not frameworks; standards that say that, to be sold in the United States, a computer, piece of automated machinery, or piece of communications gear must meet these minimum cybersecurity requirements.

Is that what you were saying, Ms. Easterly? If so, I am right there with you.

