The government’s current approach to increasing cyber resilience “will not produce adequate security,” Steven Chabinsky, chief risk officer for CrowdStrike, said in testimony before the Senate Homeland Security and Governmental Affairs Committee this week.
“Having improved security is not the same thing as having adequate security,” he said.
Chabinsky said the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework should be “required reading” for industry, but he was skeptical that the overall approach of detecting intrusions will yield optimal security. Instead of cleaning up after intrusions–which he called a “grossly misplaced” policy–Chabinsky believes a better approach is deterring hackers from even attempting to gain entry into networks.
“It’s threat deterrence, not vulnerability mitigation, that affects security in the physical world every day,” he said.
Chabinsky–a former cyber lawyer for the Federal Bureau of Investigation (FBI)–compared cybersecurity to the way alarms and guards in the physical world deter bad guys. Ultimately, the intruder could still manage to break into a building, but he realizes that security measures will reduce his likelihood of success.
“In the physical world, guards, alarms and cameras essentially declare to the bad guy that it’s no longer about us, it’s about you,” he said.
Chabinsky said going after perpetrators, as opposed to the expensive process of ridding the network of malware, will create a deterrent effect. Comparing cyber again to the physical world, he said an alarm calls the police, not a locksmith, and “as a result most would-be actors are deterred.” Although he was testifying in a personal capacity, Chabinsky’s statements match CrowdStrike’s slogan that “you don’t have a malware problem, you have an adversary problem.”
While he was critical of the government’s overall approach, Chabinsky said the Deter Cyber Theft Act was the right path for the United States to take. The proposed act would require the Director of National Intelligence to compile and publish a report on foreign adversaries that steal American intellectual property and the Intelligence Community’s responses to the attacks. A bipartisan group, including Sens. Carl Levin (D-Mich.), John McCain (R-Ariz.), Jay Rockefeller (D-W.Va.) and Tom Coburn (R-Okla.), introduced the act in May 2013.