Two Very Different Cybersecurity Stories from Washington

Sue Marquette Poremba

Two major stories about cybersecurity are coming from Washington this week. One is bad; one is a step in a positive direction. Both are situations that have takeaways for the average workplace.

We’ll start with the bad. A self-described “prankster” from the UK sent emails to top White House staffers while posing as Jared Kushner, the president’s son-in-law and senior advisor, as well as former chief of staff Reince Priebus and others. Frankly, I’m concerned about the media’s use of the term prankster for this guy. Perhaps he meant no harm, but in the business world this would be straight-up spear phishing, or whaling, since both the impersonated senders and the targets were senior executives. As Tim Erlin, VP of product management and strategy at Tripwire, told me in an email comment:

While these particular incidents were undertaken to be funny, the implications of how easily the individuals involved were entrapped should be clear. The difference between this prankster and a serious criminal is only in the disclosure of the results. A serious criminal wouldn’t have shared the outcome with the press. Email spearphishing is a big challenge for cybersecurity, and shouldn’t be taken lightly.

One of the people who received a spoofed email is Tom Bossert, the Homeland Security advisor, whose portfolio includes cybersecurity. So here’s my question to you: Are you certain your security team would recognize a phishing email sent directly to them, or tell a genuine message to leadership from a spoofed one? In his comments to me, Erlin added that the White House needs to take steps to train its staff to better recognize spearphishing attempts. He’s right, of course, but the first guy in line to take that training should be Bossert, who handed his personal email address to the impersonator.
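The question above (would your team tell a genuine message to leadership from a spoofed one?) can be turned into a concrete check. The script below is an added example, not code from the original post, and everything in it is constructed: the organisation domain example.gov, the list of protected executive names, and the three sample messages. It flags the three patterns a mail gateway or a triage analyst would look for in this kind of incident: a From display name matching an executive while the address sits on an outside domain, a Reply-To that diverts replies elsewhere, and a message claiming the organisation’s own domain without a DMARC pass from the receiving server.

```python
"""Executive-impersonation checks for inbound mail (added example).

Assumptions, all constructed for illustration:
  ORG_DOMAIN  - the organisation's own mail domain
  EXECUTIVES  - display names that must only ever arrive from ORG_DOMAIN
  the three sample messages and their Authentication-Results headers
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.gov"                          # assumed: our own domain
EXECUTIVES = {"jared kushner", "reince priebus"}    # assumed: protected names

# Pulls method=result pairs (spf=pass, dkim=fail, dmarc=none, ...) out of an
# Authentication-Results header written by the receiving MTA.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def normalise(name: str) -> str:
    """Lower-case a display name and drop punctuation so minor variations
    in how the name is written do not defeat the comparison."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def auth_results(msg) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'}.
    A missing header yields an empty dict, which callers treat as 'none'."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RESULT_RE.findall(header)}


def assess(raw: str) -> list:
    """Return human-readable reasons the message looks like executive
    impersonation; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. Display-name spoofing: an executive's name on an outside address.
    #    SPF and DKIM usually PASS here, because the attacker's own domain
    #    legitimately sent the message; authentication alone will not catch it.
    if normalise(display) in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append(f"display name '{display}' matches an executive "
                       f"but the address is @{domain}")

    # 2. Reply diversion: replies go somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Forgery of our own domain: must be backed by a DMARC pass.
    dmarc = auth_results(msg).get("dmarc", "none")
    if domain == ORG_DOMAIN and dmarc != "pass":
        reasons.append(f"claims @{ORG_DOMAIN} but DMARC result is {dmarc}")
    return reasons


# Constructed sample messages (not real traffic); headers kept minimal.
LOOKALIKE = """\
From: Jared Kushner <jared.kushner.whitehouse@freemail.example>
To: tom@example.gov
Subject: quick question
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=none

Tom, what's your personal email? Easier to reach you there.
"""

FORGED = """\
From: Jared Kushner <jkushner@example.gov>
To: tom@example.gov
Reply-To: jared.kushner.whitehouse@freemail.example
Subject: quick question
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=example.gov; dkim=none; dmarc=fail header.from=example.gov

Tom, reply to this address, my work mail is acting up.
"""

GENUINE = """\
From: Jared Kushner <jkushner@example.gov>
To: tom@example.gov
Subject: quick question
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=example.gov; dkim=pass header.d=example.gov; dmarc=pass header.from=example.gov

Tom, can we talk at 3?
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("forged", FORGED),
                       ("genuine", GENUINE)):
        print(label, assess(raw) or ["clean"])
```

The first sample is the case that matters most for this story: the sender authenticates perfectly because the attacker controls the domain he sent from, so SPF, DKIM and DMARC all look fine and only the display-name rule fires. DMARC protects your own domain from being forged (the second sample), not your executives from being impersonated on someone else’s domain, which is why the name check and the Reply-To check belong alongside it.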

For the better news, a bipartisan group of lawmakers has introduced a bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, that would set security standards for IoT devices bought by government agencies. If passed, I would expect its effect to reach beyond government, since vendors who want federal business would have to build more secure hardware and software, and those products would end up in everyone else’s networks too. It’s a step in the right direction, but as Rod Schultz, chief product officer for Rubicon Labs, said in an email comment, enforcing this type of legislation will create many new challenges. He added:

Reduced functionality does not equate to reduced capability for digital destruction. It’s far too easy to release digital products that have security vulnerabilities, because there is no time to test and fix; the incentive to release products quickly is driven by time to market and profit requirements. The security failures of many of these compromised IoT devices can rapidly escalate in scale and reach, having a major impact on critical infrastructure. If IoT security is not addressed appropriately by vendors, it should not come as a surprise that legislation is proposed to fill that void.

All in all, this week in Washington, it appears that Congress is taking cybersecurity more seriously. Now it’s time for the White House to step up.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba



Aug 5, 2017 5:49 AM Terry Tortoise says:
This is good news that people are saying 'get your IoT security act together or we won't buy from you'. US Presidents have been ignoring the call for similar action in general internet access since 1992, repeated in 2005 and onwards and still no action. 'Re-arranging the deckchairs of the Titanic' springs to mind. If you don't believe me, read: https://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf It is a damning indictment of US negligence over cyber security.
