
Cybersecurity expert: ‘Do the security basics, and do them well’

A.J. Grotto, cybersecurity expert and former cybersecurity chief to two presidents, delves into new federal regulations, how businesses and consumers should respond and ways to stay more secure in a changing digital landscape.

October 4, 2022 by Daniel Brown — Editor, Networld Media Group

On Sept. 14, the White House published new cybersecurity standards, a follow-up to the executive order signed by President Joe Biden in May calling for cybersecurity improvements. The public is familiar with some of the more high-profile attacks in recent years, such as the SolarWinds attack. A.J. Grotto is uniquely placed to speak to cybersecurity, tech trends and regulation, having served as senior director of cybersecurity policy in the Obama and Trump administrations and currently serving as William J. Perry International Security Fellow at the Cyber Policy Center and a Research Fellow at the Hoover Institution, both at Stanford University.

Q: Government is often portrayed as being behind the times and slow to react to the rapid evolution of technology (one cringes at the memory of the Facebook hearings). Why is it that government has this reputation, and are things getting better? What can be done to bring the Hill up to speed and make it more tech-savvy? On a more personal level, what was it like to work in this setting?

A: The federal government actually has lots of expertise when it comes to technology. It's just that it is distributed unevenly across the federal enterprise. Also — and really importantly — information about digital risks is hard for the government to acquire because that information is concentrated in the private sector's hands. It was a struggle during my time in government to get accurate information about risks, and I think that's still the case for lawmakers and regulators alike. The reason is that industry is often reluctant to volunteer this information to the government — they consider it proprietary — and the government has limited ability to overcome industry's reluctance, given the strong antigovernment/deregulatory sentiment that has prevailed in the United States for decades.

We will never get tech policy perfect because there is an unavoidable tension between government proactively addressing risks while still allowing the kind of risk-taking that drives entrepreneurship.

But we can do better. It requires a lot more transparency from vendors of digital technologies about the security and other performance attributes of their products — and government using that information to buy and promote products that are secure by design.

There are also ideological factors in play: if a lawmaker has total confidence in the ability of the free market to generate the "right" outcomes when it comes to security risks, the lawmaker has no incentive to understand the technology from a regulatory perspective. It results in a giant political cop-out of responsibility for minding digital risks. I think this orientation towards technology is changing, however.

Q: In brief, what's the context in cybersecurity leading up to this new series of regulations from the Biden administration? How dangerous was the situation for this level of action by the federal government?

A: The Administration's guidance is a good example for your previous question — government playing catch up because of difficulties with acquiring information on risks and holding back due to anti-regulatory sentiments. Making good decisions about security risks requires having information about those risks and an understanding of the business drivers that shape how vendors develop and market their products.

Incentives matter. If customers of digital technologies — including the government — don't demand good security from vendors, vendors won't offer it.

Q: Can you summarize what's going on with this new executive order and regulation for our readers? Why was it released now, who is affected by it, how sweeping is it and how can companies get themselves in compliance?

A: The order is an attempt by the government to use its purchasing power to drive vendors towards developing products that are more cyber-secure. Federal cyber leaders are fed up with the halting progress of the past decade when it comes to security and are driving the government towards being a leader (or at least, not a laggard) in demanding better security from its vendors.

Q: Some critics have already voiced concerns about the "self-certify" feature in the guidance. Can you tell us more about that, and how do you feel about this feature? Do you think the executive order and regulations go far enough?

A: Self-certification is less than ideal — I'm reminded of the wisdom behind the old Russian saying, "trust, but verify."

That said, in this case it has some teeth. If a vendor self-certifies and security problems emerge later, the vendor could be at risk of criminal prosecution under the False Claims Act for defrauding the government. And if those claims adversely affect customers in the private sector, the vendor could also face an enforcement action by the Federal Trade Commission for engaging in an unfair or deceptive trade practice.

Q: That opens a related question. Just how big is digital signage (including DOOH and interactive displays) in government services, and just how far out of compliance are most of these suppliers?

A: Digital signage is fairly prevalent, especially at government facilities and places like national parks. Vendors of digital signage will have to comply with the new requirements. I don't think it will be easy for some of them because security is new for them, but for those that figure it out, it could net some competitive advantage — especially since I expect the private sector to seek similar requirements for their digital signage needs.

Q: What are some major ways vendors can get in compliance and future-proof their operations for this and potentially further regulations?

A: Vendors and owner/operators of digital signage need to treat digital signage as the IT assets that they are. Vendors should build security into their products from the start and owner/operators should demand it. They should also understand the building blocks of code that go into the products — that sounds obvious, but it's actually a common problem in IoT and other devices, which are built with code from open source and other libraries and repositories of code. (Not knowing which software components a product has means that the owner/operator won't know when a vulnerability affecting those components creates security risk for them.) They also need to plan for the lifecycle of their products — doing things like making sure that software problems are easily patched and avoiding hard-coded passwords. Really, it's about the security basics.
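The point about knowing which software components a product contains is, in practice, a component inventory cross-checked against published fix notices. The following is an added illustration of that idea, not code from the interview or from any vendor it mentions: the component names, versions and advisory identifiers are all constructed for the example, and the version scheme is assumed to be dotted numeric (suffixes such as `-rc1` are ignored). Without an inventory the check cannot run at all, which is exactly the risk the answer describes, so the assessment distinguishes "no findings" from "cannot assess".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One software component shipped in the product (name and version)."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A published fix notice: versions of `component` below `fixed_in` are affected."""
    component: str
    fixed_in: str
    advisory_id: str  # constructed placeholder, not a real advisory identifier


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.0.4' (or '3.0.4-rc1') into (3, 0, 4) for ordered comparison.

    Assumes dotted numeric versions; anything after the leading numeric run is ignored.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the advisory names this component and the shipped version predates the fix."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def affected_components(inventory: List[Component],
                        advisories: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Return every (component, advisory) pair that the owner/operator needs to patch."""
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


def assess(inventory: Optional[List[Component]],
           advisories: List[Advisory]) -> Optional[List[Tuple[Component, Advisory]]]:
    """None means 'cannot assess': with no component inventory there is nothing to
    map the advisory feed onto, so exposure is simply unknown. An empty list means
    the inventory was checked and nothing in it is affected."""
    if inventory is None:
        return None
    return affected_components(inventory, advisories)


# Constructed sample data for a hypothetical signage player; not a real product or feed.
INVENTORY = [
    Component("libdisplay-proto", "2.3.1"),
    Component("httpd-lite", "1.8.0"),
    Component("tlslib", "3.0.4"),
]
ADVISORIES = [
    Advisory("tlslib", fixed_in="3.0.7", advisory_id="ADV-EXAMPLE-001"),      # shipped 3.0.4: affected
    Advisory("httpd-lite", fixed_in="1.8.0", advisory_id="ADV-EXAMPLE-002"),  # shipped 1.8.0: already fixed
    Advisory("jsonparse", fixed_in="5.1.0", advisory_id="ADV-EXAMPLE-003"),   # not in this product
]


if __name__ == "__main__":
    findings = assess(INVENTORY, ADVISORIES)
    for component, advisory in findings:
        print(f"{component.name} {component.version} is affected by {advisory.advisory_id}; "
              f"upgrade to {advisory.fixed_in} or later")
    if assess(None, ADVISORIES) is None:
        print("product with no component inventory: exposure cannot be assessed")
```

Running it reports the single `tlslib` finding and shows that the unknown-inventory case produces no answer rather than a false clean bill of health.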

Q: Do you think this is starting a trend of the U.S. government catching up to other countries, or might this be rolled back in future administrations?

A: It won't get rolled back. And I think the U.S. government is actually ahead of most other governments, in terms of focus on government systems. Where we lag is regulating the broader economy when it comes to digital risks — but that is changing.

Q: There's a lot of buzz about emerging tech in the digital signage and A/V world, from interactivity (QR, NFC, mobile integration) to IoT, AI, the list goes on. Holograms are extremely hot right now; DST recently reported on the first patent for a working holographic conference system. What emerging technologies most excite you? Which ones deserve further attention in the coming year?

A: Holograms are so cool! Augmented and virtual reality technologies are exciting. And a bit scary. The potential for fraud and abuse is enormous.

Q: It's frankly hard for businesses and consumers to keep up with the pace of technology, from rumors of strong AI to breakthroughs in cybernetic augmentation. If you could share one piece of advice in the coming days to stay more secure, what would it be?

A: Do the security basics, and do them well. Watch out for vendors that want to lock you in to using their products — they will shift more risk to you. And be especially wary of vendors that want to upsell basic security solutions to their own products — it's a protection racket.

Andrew Grotto is the William J. Perry International Security Fellow at Stanford University and the founding director of the Program on Geopolitics, Technology and Governance at the Stanford Cyber Policy Center. He serves as the faculty lead for the Cyber Policy and Security specialization in Stanford's Ford Dorsey Master's in International Policy degree program and teaches the core cyber policy course for the specialization. He is also a visiting fellow at the Hoover Institution. He served as senior director for cyber policy on the National Security Council during the Obama and Trump administrations from late 2015 through May of 2017.

About Daniel Brown

Daniel Brown is the editor of Digital Signage Today, a contributing editor for Automation & Self-Service, and an accomplished writer and multimedia content producer with extensive experience covering technology and business. His work has appeared in a range of business and technology publications, including interviews with eminent business leaders, inventors and technologists. He has written extensively on AI and the integration of technology and business strategy with empathy and the human touch. Brown is the author of two novels and a podcaster. His previous experience includes IT work at an Ivy League research institution, education and business consulting, and retail sales and management.
