Two major stories about cybersecurity are coming from Washington this week. One is bad; one is a step in a positive direction. Both are situations that have takeaways for the average workplace.
We’ll start with the bad. A self-described “prankster” from the UK decided to spoof Jared Kushner, the president’s son-in-law and senior advisor, as well as former chief of staff Reince Priebus and others, in emails to other top staffers in the White House. Frankly, I’m concerned about the media’s use of the term prankster for this guy. Perhaps he meant no harm, but in the business world, this would be straight-up whaling or spear phishing: impersonating a senior figure in the hope of luring in a high-profile fish (or chief executive). As Tim Erlin, VP of product management and strategy at Tripwire, told me in an email comment:
While these particular incidents were undertaken to be funny, the implications of how easily the individuals involved were entrapped should be clear. The difference between this prankster and a serious criminal is only in the disclosure of the results. A serious criminal wouldn’t have shared the outcome with the press. Email spearphishing is a big challenge for cybersecurity, and shouldn’t be taken lightly.
One of the people who received a spoofed email is Tom Bossert, a staffer who serves as Homeland Security advisor and is responsible, in part, for cybersecurity. So here’s my question to you: Are you certain your security team would recognize a phishing scam sent to them directly, or be able to tell a genuine email to leadership from a spoofed one? In his comments to me, Erlin added that the White House needs to take steps to train its staff to better recognize spearphishing attempts. He’s right, of course, but the first person in line for that training should be Bossert, who gave out his personal email address to the spammer.
For the better news, a bipartisan group of lawmakers has introduced a bill called the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. The bill is geared to enact security standards for the IoT devices used by government agencies. If passed, I would expect it to be effective beyond the government, since it would require IoT software and hardware developers to create more secure systems. It’s a step in the right direction, but as Rod Schultz, chief product officer for Rubicon Labs, said in an email comment, the enforcement of this type of legislation will create many new challenges. He added:
Reduced functionality does not equate to reduced capability for digital destruction. It’s far too easy to release digital products that have security vulnerabilities, because there is no time to test and fix; the incentive to release products quickly is driven by time to market and profit requirements. The security failures of many of these compromised IoT devices can rapidly escalate in scale and reach, having a major impact on critical infrastructure. If IoT security is not addressed appropriately by vendors, it should not come as a surprise that legislation is proposed to fill that void.
All in all, this week in Washington, it appears that Congress is taking cybersecurity more seriously. Now it’s time for the White House to step up.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba