Cybersecurity: What the U.S. can teach Europe
European countries should take a cue from the U.S. and move from being reactive to proactive when it comes to cybersecurity policies, writes Titania's Edwin Bentley.
Attending two reputable information security conferences this year, one on each side of the Atlantic, yielded a few observations on the differences and similarities of opinion on cybersecurity issues in the U.S. and Europe.
Although similar questions were raised at both conferences, the manner of response was notably different. Europe took a reactive stance by signaling problems and bringing them to the attention of government agencies and legislators. The U.S., however, had a top-down approach, with industry searching for viable solutions in response to already adopted government directives.
The first event was Infosecurity Europe. The 2014 edition was hosted in London and attended by more than 11,000 information security professionals. With a 20-year tradition, the event is considered a reference point for the cybersecurity industry to find out about the latest trends and tools and keep up-to-date with European laws and compliance policies.
This year, the discussion focused on big data, the accelerated increase in organized cybercrime, the need to stay ahead of threats and an honest admission from Europol that cybercrime is best mitigated or disrupted because law enforcement lacks the resources to prosecute all crime. Staying ahead of threats was high on the agenda. Finally, there were comments on security issues in the cloud, which, just like the bring-your-own-device trend, needs to be accommodated in its own right from a protection point of view.
Similar points were made at FOSE. (Editor's note: FOSE is owned and produced by FCW's parent company, 1105 Media.) As an industry event, FOSE is recognized as an official source for voicing the latest concerns in government IT. Among the issues discussed at the conference, cybercrime and cyber terrorism figured high on the agenda for defense and policy.
Continuous Diagnostics and Mitigation
In terms of security tools and trends, automation and continuous monitoring were held in high regard at the U.S. conference. The conversation on the FOSE floor focused on the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. It comes on the heels of the National Institute of Standards and Technology's Cybersecurity Framework and is part of achieving the last step of that directive: monitoring security on an ongoing basis with the use of automation tools.
Released as a best-practice guidance document, the framework was embraced by the federal sector. After the latest high-profile breaches in the retail industry, a wide range of other companies have started to look at the framework as a template for assessing security practices.
To understand why IT professionals see CDM as the best solution, consider a few well-debated problems it answers:
- Top of the agenda for information security experts is how best to integrate security with business processes. Reducing user disruption and enabling business innovation will be more easily addressed with the introduction of automated security.
- Although CDM does not guarantee that its users will stay ahead of threats, it does offer a near-real-time state of security with risk-based assessments reported and analyzed at network speed to ensure ongoing awareness and protection.
- A challenge for chief information security officers and CIOs everywhere is the compliance versus security conundrum. CDM implies moving away from layer upon layer of compliance in favor of perpetual alertness and security.
- The other issue in compliance is log aggregation and reporting. Continuous monitoring would produce automated event logs that can be filed for audits or analyzed for patterns in forensic investigations.
Continuous monitoring does not promise to answer every cybersecurity problem, but it offers a practical way forward. Its voluntary adoption within the U.S. business community shows that its advantages have been recognized.
Cyber directives in Europe and U.K.
Meanwhile, that shift in security perception has yet to happen in Europe. The latest European Union cyber directive -- Network and Information Security (NIS) -- has been taken with a pinch of salt by the industry, and some organizations fear that the stick of compliance will come down hard on their budgets while doing very little for the state of their security.
In a similar way to the NIST framework, the U.K. government released a Cyber Essentials Scheme as a best-practice guide for organizations. Operating in a less intrusive manner with smaller, more practical steps, the scheme has been received with cautious but definite approval by the business spectrum.
Although they are a promising start, neither the Cyber Essentials Scheme nor the NIS directive alone is sufficient to bring forward the visionary changes the industry needs. The European efforts are moving in the right direction, but compared to the older, more experienced industry in the U.S., they need further development. The Cyber Essentials Scheme might be too small, while NIS could be seen as too complicated and faces an uncertain fate amid changes to the European Parliament.
If the cybersecurity industry is to address the issues raised at Infosecurity Europe 2014, such as staying ahead of threats, mitigating cybercrime, transforming security into a business enabler and dissipating the predicament of compliance versus security, then Europe needs to continue to move in the right direction and could be inspired by the top-down approach to security in the U.S.