Obama’s cyber policy OK, but needs to go further, says expert
Emmanuel Benzaquen: Sharing information about cyber-attacks is important, but preventing them is critical
Given the fact that he and Congress don’t see eye-to-eye on much, President Obama is likely to get just one chance at best to institute new cyber-security policies, so advocating and instituting the right policy is essential, according to Emmanuel Benzaquen, CEO of Israeli cyber-security firm Checkmarx.
Proposed legislation such as the CISPA (the Cyber Intelligence Sharing and Protection Act) is “a step in the right direction.” But it’s not enough, said Benzaquen.
CISPA, which would allow Internet service providers to share information with the government in case of need – such as when there is an imminent threat of a terrorist attack, or in order to investigate crimes like pedophilia – will, Benzaquen said, “streamline the process of disclosing a breach and sharing pertinent information with other corporations and organizations that may be vulnerable,” a step that “is long overdue in a world where malicious code used in hacks is often recycled and used in multiple attacks.”
In his State of the Union address Tuesday, President Barack Obama said that increased cyber-security was essential if society was to survive, given the role of the Internet in business, education, and many other areas. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. So tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. If we don’t act, we’ll leave our nation and our economy vulnerable,” Obama said, referring to CISPA.
But the investment of time and effort to pass CISPA may not be well-spent. The measure is opposed by many privacy advocates, and critics consider it not a cyber-security bill but a cyber-spying one – allowing the government much greater access to the very personal data of computer and Internet users, access which could be abused by government officials to attack political enemies, to extort money, or just to “lord it” over innocent civilians. First introduced in 2011, CISPA was passed by the House of Representatives in 2011 but rejected by the Senate, and passed again in 2013 but died in Senate committee.
Hundreds of petitions have been filed against CISPA on a national and local level, and the bill has been adjusted several times over privacy concerns (for example, measures tightening regulations on intellectual property were eliminated from the second version of the House bill). The House has reintroduced the bill a third time, but Obama has demanded more changes to accommodate privacy concerns. Among the groups opposed are several from opposite ends of the political spectrum, including the ACLU and the American Conservative Union, as well as dozens of others in between.
But sharing information isn’t necessarily going to prevent malicious hacking anyway, said Benzaquen; if Obama wants to make the Internet safer, he should be looking in different directions. “The focus must be placed on securing software before a hacker attempts to infiltrate and exploit it. Of the millions of applications on the market today, over 80% contain high-severity vulnerabilities — an alarming number considering that applications serve as one of the easiest ways to hack into organizations and steal data.”
In that, Benzaquen says, his company may be of assistance. Checkmarx’s platform enables organizations to perform “application hardening,” introducing security into their software development. The system scans source-code, quickly identifying security vulnerabilities and regulatory compliance issues, and showing developers and security auditors where and how to fix them. The company’s 400+ customers include 4 of the world’s top 10 software vendors and many Fortune 500 and government organizations, including Coca Cola, Salesforce and the US Army.
According to a recent study conducted by IT computer security consultancy and training firm 7Safe, only 11% of security spending is geared towards application hardening. Applications are only marginally protected by application firewalls, the firm said. What’s needed is a system like the one Checkmarx offers, which lets programmers scan their code against a checklist of vulnerabilities using its Static Application Security Testing (SAST) tool.
The Checkmarx Source Code Analysis (SCA) system highlights the security issues in code and gives developers an opportunity to correct them before the software is released, Benzaquen said. “At a time when applications and their data are increasingly targeted by hackers, application security testing is crucial to eliminate code vulnerabilities, since many applications are rushed to market before they are properly screened. Checkmarx scans software source-code, quickly identifying security vulnerabilities and regulatory compliance issues, and immediately shows developers and security auditors where and how to fix them.”
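To make concrete the kind of static source-code check described above, here is an added example written for this page (not Checkmarx's product or code): a minimal SAST-style rule that walks a Python syntax tree, flags database `execute()` calls whose query string is assembled at runtime (a classic SQL-injection pattern), and reports the line and a remediation hint. The `scan_source` function and the sample input are both constructed for this illustration.

```python
# Added example (not Checkmarx's code): a minimal SAST-style rule in the spirit
# of the source-code scanning the article describes. It parses Python source,
# finds execute()/executemany() calls whose query is built by string formatting
# or concatenation, and reports where the problem is and how to fix it.
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int   # source line of the risky call
    rule: str   # short description of the weakness detected
    fix: str    # remediation hint shown to the developer


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the query argument is assembled at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                      # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x  /  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


def scan_source(source: str) -> list[Finding]:
    """Scan Python source text and return SQL-injection findings with fix hints."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in ("execute", "executemany") and node.args:
            if _is_dynamic_string(node.args[0]):
                findings.append(Finding(
                    line=node.lineno,
                    rule="SQL query built from dynamic string",
                    fix="pass user data as a bound parameter: "
                        "cursor.execute('... WHERE id = ?', (value,))",
                ))
    return findings


# Constructed sample input: one vulnerable call and one parameterized call.
SAMPLE = '''
def lookup(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)    # flagged
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))  # clean
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}; fix: {f.fix}")
```

Only the concatenated query is reported; the parameterized call on the next line passes, which is the "where and how to fix" feedback loop the article attributes to SAST tools.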
“Unless there is a tough regulatory standard of security set in place for applications and software written for and used by corporations, organizations, and the general public, we will continue to see a rise in severe cyber-attacks,” Benzaquen added.