Cyber security failing in execution, says ex-US cyber czar

Cyber security suffers from a lack of execution, former White House cyber security co-ordinator Howard Schmidt has said.

“The cyber security strategies we have are all excellent pieces of work, but we are still failing in execution,” he told the ISSE 2014 security conference in Brussels.

 “While we talk about APTs, I agree many are ‘persistent’ but few are ‘advanced’ because most exploit known vulnerabilities for which there is a patch, but it has just not been applied,” said Schmidt.

This is underlined by the fact that many of the recent high-profile data breaches at US retailers can be traced back to something that could have been prevented.

Another common reason security fails, he said, is that users of computer systems routinely ignore security warnings because of their desire to get things done.

“Users will click on attachments that contain malware despite warnings, but once the computer is infected and the attackers have a foothold, it is relatively simple to gain complete control,” he said.

But Schmidt believes software developers should do more to ensure users are not faced with security decisions they are not qualified to make.

“Failure to design adequate security controls could in some circumstances open up gateways into critical data systems,” said Schmidt.

In an increasingly connected world, he said, what developers are doing throughout any supply chain could have an impact on all other members of that supply chain.

Schmidt called for greater attention to be paid to develop threat scenarios for all software developers, particularly in the critical sectors of energy, telecommunications and financial services.

“Software developers have the capability to do the things we need to do to make the leap forward, we cannot afford to carry on doing what we are doing now and expect a different outcome,” he said.

Schmidt called for the creation of a safer “ecosystem” where things like strong authentication, encryption and secure email help users do what they need to do without risk.

But, he said, all stakeholders have a responsibility to look at how they use IT in their day-to-day lives and to put security into every IT-related activity.

"There is the temptation to say security threats are overwhelming and there is nothing that can be done, but if we each secure our piece of cyberspace, we will all benefit," said Schmidt.

He said the capability to do what is necessary exists in many organisations, they just have to focus on the execution of those capabilities.

The impact of failing to do so may not be felt immediately, he said, but months and even years down the line, there may be a high price to be paid.