WASHINGTON — It will take a very long time and a gargantuan effort before the technology Americans rely on is safe from hackers, according to a report from a congressional panel that has spent five years in the cybersecurity trenches.
The strategy document released Dec. 7 from the House Energy and Commerce Committee’s investigations panel suggests companies completely overhaul the way they find and fix vulnerabilities in everything from the power grid to smart thermostats, cameras and cars.
It even contemplates fundamentally changing the way consumers get Internet-connected products. Maybe they should lease instead of buying them, for example, so they don’t keep using outdated technology that becomes more vulnerable to hackers with each passing year.
The report also demonstrates, however, the dramatic limits of Congress’s ability to force major changes that will improve cybersecurity practices.
It was written by staff for the investigations panel of the committee’s outgoing Republican majority, which dove into the issue after the 2013 data breach at Target. Five years later, their laborious process of roundtables, formal requests for information and letter writing campaigns to companies has only nudged the Internet ecosystem toward mildly better cybersecurity. The report does not lay the groundwork for any kind of mandate for cybersecurity protections.
That’s a far cry from the early 2010s when Congress tried, but failed, to mandate national cybersecurity protections through sweeping legislation. The most substantial piece of cybersecurity legislation that’s passed since then was a voluntary program that gave companies legal protection for sharing cyber threat information with the government, which only a handful of organizations have signed up for three years later.
Still, the report highlights six main cybersecurity priorities for the committee to work on in the next Congress under the committee’s new Democratic majority. Those include making it easier for independent researchers to alert companies to software bugs they find and urging companies to be more transparent about the software they use.
“This report recognizes that there is no one ‘solution’ to cybersecurity, but instead discrete yet interdependent policies that together create a holistic and effective strategy for dealing with the realities of modern cyber threats and opportunities,” the report states.
Here are four big takeaways:
Start planning for retirement early
Companies should begin planning from the moment they introduce a new product for when the product’s underlying technology will be too outdated to be supported, the report urges. Data shows that the number of hackable vulnerabilities in any product’s software increases over time, but as products get older and fewer people use them, companies are less likely to actively monitor those vulnerabilities or to force customers to patch them.
As a result, the Internet ecosystem abounds with legacy technology that’s ripe for hacking. The WannaCry malware campaign, which wreaked global havoc in 2017, for example, exploited a vulnerability in a decades-old network protocol for which Microsoft had already released a patch.
Currently, however, there’s no incentive for consumers and organizations to stop using outdated tech that companies aren’t supporting anymore. The strategy speculates about several ways to shift incentives so consumers don’t keep using old and insecure technology.
For example, companies that sell products that have Internet connections but aren’t fundamentally tech products – such as cars with fancy entertainment and navigation systems – could figure out ways to decouple the software components from the non-software components. That way, a car owner could replace the Internet-connected bells and whistles without having to replace the product itself.
We’ve seen this movie before
Most of the report’s major priorities have been pointed out before in reports by industry, academics or federal agencies.
A Commerce Department report from May, for example, which focused on combating armies of zombie computers known as botnets, also stressed the importance of securing technology for its entire life cycle.
The Energy and Commerce report also stresses the importance of the public and private sector working together on cybersecurity. That was a main takeaway from an all-star commission established by the Obama administration after the Office of Personnel Management breach, which reported its findings shortly after the 2016 election.
The common elements show that Congress, the executive branch and cybersecurity experts are on the same page about a lot of what needs to be done. They also underscore, however, that the past few years have seen many recommendations on cybersecurity, but much less implementation.
No regulation in sight
One thing the report doesn’t advocate or even mention is any effort to mandate cybersecurity protections through regulation. That puts it in good company with government and industry reports, which have typically warned that broad cyber regulations would backfire by limiting companies’ flexibility to adapt quickly and to secure themselves in the smartest ways.
The Obama-era cybersecurity commission warned that broad regulation may be necessary in the future, but said it’s not clearly necessary yet. Some consumer groups and Democratic lawmakers have been much more open to the idea of cyber regulations and other mandates.
The government is vital to cybersecurity
The private sector owns the vast majority of the Internet, but the government must play a leading role in cybersecurity, the report warns.
In particular, the report heaps praise on a government-financed effort to collect, organize and rate the severity of all known computer bugs, known as the Common Vulnerabilities and Exposures database, or CVE.
The committee criticized the Department of Homeland Security, which funds the CVE database, and MITRE, the federally funded research center that manages it, in August, citing reports that researchers were waiting weeks or months for new computer bugs to be catalogued. Despite that mismanagement, the report describes the database as “the cornerstone on top of which modern cybersecurity is constructed.”
[Photo: The Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Virginia, on Wednesday, Aug. 22, 2018. The center serves as the hub for the federal government’s cyber situational awareness, incident response, and management center for any malicious cyber activity. (AP Photo/Cliff Owen)]