Patching vulnerabilities in a world of machine learning and connected devices.
Rep. Jim Langevin, D-R.I., ranking member of the Subcommittee on Emerging Threats and Capabilities, identified a leading problem facing national cybersecurity today: As technology continues to improve, the networks that need to be protected are only becoming more complicated.
Speaking at the Institute for Critical Infrastructure Technology Forum on June 7 in Washington, D.C., Langevin explained that patching vulnerabilities traditionally involves modifying software with some code changes. Yet, when the vulnerability is a trained, machine-learning behavior, how does it get patched?
“That’s the problem,” he told the forum audience. Langevin understands the complexity of the topic as co-founder and co-chair of the Congressional Cybersecurity Caucus. Industry and policy leaders need to find a way to encourage innovation and security while keeping pace with the innovation of technology.
According to Langevin, approaching these challenges consists of three major components:
Ensuring the security of new devices: The security of the internet of things should be dealt with using the same techniques proven successful with smartphones and desktop computers, meaning extending practices like automatic patching and encryption to all devices. In this case, the government should work with private industry to develop guidelines for upgrading the patching of connected devices and standards for enabling them. The guidelines, combined with informing consumers, can help tech providers meet security patches.
An increase in shared situational awareness: A shared knowledge of attacks across the public and private sector can improve vulnerability and build a more complete picture of the entire threat environment. Congress took steps to improve this through the Cybersecurity Act of 2015, which requires the director of national intelligence and the departments of Homeland Security, Defense and Justice to create procedures to share cybersecurity threat information with private entities. “So if we can collect, aggregate and also disseminate intelligence from these types of companies … I believe we could more quickly respond to cyberattacks,” Langevin said.
Continuing to build an appropriate response: Detecting and protecting against cyber threats requires both private industry and government to respond fittingly when an attack does occur, especially to nation-state actors. “I believe stop saying how a responsible country should behave, and start behaving that way,” Langevin said. This includes holding other countries more accountable for malicious cyber behavior or structured state-sponsored attacks, and continuing to set the standard for cybersecurity tolerance and rules.
Langevin believes establishing a policy framework around these three areas can continue to advance the nation in cyberspace, in spite of the increasing threats faced today.