The pressure for companies to adapt to rapidly changing technology comes at a price, because cybersecurity is often sacrificed, leaving businesses and employees vulnerable to hackers.
The private sector should work with the federal government to protect digital networks from spoofing, denial-of-service and myriad other attacks on companies and on the network infrastructure in the U.S., the recent report of the President's Commission on Enhancing National Cybersecurity said. Fifteen other critical recommendations to improve cybersecurity across the U.S. were made by the academic and industry leaders who make up the commission.
"As this report demonstrates, cybersecurity is going to be the biggest challenge for President-elect Trump in the coming years," said Joseph Carson, head of global strategic alliances at Thycotic, a Washington D.C.-based provider of privileged account management solutions.
Trading privacy and stronger cybersecurity for innovation and ease of use has led to more attacks. The recent hacks that compromised web cameras, smart TVs and other Internet of Things (IoT) devices demonstrate how heavily consumers depend on technology.
"Our critical infrastructure is no longer separated from today's connected world," he said.
The report reinforces that people are crucial to the solution and that there remains an urgent need for greater security awareness, education and engagement across all aspects of cybersecurity, Carson said. Developing new software and technologies remains crucial as well.
"This report provides the groundwork for the current trials and tribulations we are facing," he said. "The recommendations lead us in a good direction, however, implementing and applying them are going to need a huge workforce with expertise in cybersecurity."
The current, traditional approach of prevention or defense will never be 100% foolproof, because attackers are motivated to gain access to any network, said Kasey Cross, director of product management at LightCyber, a Los Altos, Calif.-based provider of behavioral attack detection solutions.
"No matter how high the gate or how thick the wall, attackers will find their way in, normally by gaining access to an employee's computer or user account," she said. "The new mandate is finding the attacker early before theft and damage can occur."
The report seems to "imply to some degree that cyber defense cannot be fully successful in defeating attackers" and that an agency will need to respond to and recover from an incident, which is a good first step, Cross said.
The report recommends a multi-billion-dollar budget and a much higher level of staffing, and its recommendations will be effective if groups do not revert to the tried-and-true traditional approaches, which have so far failed to detect network intruders and stop data breaches.
"Agencies must expect that an attacker will get into their network and be ready to detect them quickly," she said. "This takes a different focus, new tools and technologies and different procedures than a strategy fully centered on prevention."
The commission's report stresses the importance of building and bolstering the information security workforce in order to support the current and future needs for security practitioners, said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.
"I am hopeful that these recommendations are taken to heart and acted upon," he said.
Organizations still struggle to find experienced talent to address the shortcomings and carry out the initiatives that most security programs are attempting to accomplish.
Additional investment must be made in training and education for the recommendations and action items from the report to become beneficial.
"It's a refreshing and welcome shift in the tone of these kinds of recommendations to see such a large emphasis on policy, standards and frameworks, metrics, training, and many of the other more human-centric aspects of information security," Wenzler said. "Historically, as the commission's report also points out, there has been a tendency to lean toward technological solutions to every information security problem."
Relying solely on technology to provide a solution leaves a gap: it overlooks the human aspect of how people interact with and use technology, which can lead to security incidents.
"Even if the best technical protections are in place, look at the continued success of phishing attacks as one example," he said. "Putting more focus on the social challenges that surround protecting our data, infrastructure and related systems is long overdue and I, for one, am glad that it makes up such a large portion of the commission's recommendations."
Combating hackers has been challenging, and playing catch-up has left the job unfinished, said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.
"The report certainly got some of the issues correct," he said. "We've been fighting for two decades and we are not good at reacting quickly."
Moving the ownership of securing systems away from end users is a positive move, Roberts said.
"Working out exactly how to do that and how to actually effect change is going to be the key," he said. "Just saying to the manufacturers to be 'better stewards of data' is going to be absolutely useless."
All the federal agencies must learn to compromise and work together to defeat hackers.
"When nobody trusts the FBI with anything more harmful than a plastic bag, when the CIA and the NSA won't share things with the other intelligence agencies and when each agency acts as its own enclave, we will never win," Roberts said. "Let's go ahead and break the walls down."