“Cyber-security is very important in protecting our fragile eco-system” said Lentz. “It should be made a number one priority and is the responsibility of all of us, of everyone”.
The industry, Lentz confirmed, is becoming more content-centric. “We’re under a paradigm shift right now – we need to shift and move away from static defence and defence in depth. We need to start dealing with this eco-system and become agile and resilient. We need a rich information environment for all of us to construct business on”.
From a security standpoint, Lentz acknowledged the challenge of leveraging web 2.0 and cloud technologies. “It’s daunting”, he said, “but it’s a very real movement that we need to get on top of”.
“This shift in focus is needed in order for us to have a resilient cyber-ecosystem. Our economic salvation relies on this shift” insisted the Department of Defense’s Lentz. “Everyone needs to partner together, and by that I mean within the industry, internationally, and with the rest of the world, to make this happen”.
Following a similar theme to Douglas Merrill’s keynote on the first day of the conference (http://www.infosecurity-magazine.com/view/2867/black-hat-security-is-not-the-security-teams-problem-says-black-hat-keynote-speaker-douglas-merrill-/), Lentz suggested that as an industry, “we haven’t yet succeeded in making information security a language that can be easily understood”. It’s important, said Lentz, that we get this right so that the decision makers are well-informed and thus able to make intelligent decisions.
An identity cyber-czar
Identity, said Lentz, is at the heart of everything we do. “We need a cyber-czar to focus solely on identity”, he argued. “There are legitimate privacy concerns around many identification initiatives, but identity is pivotal to everything we do”.
Lentz provided a concrete list of guidance on what needs to be done, more generally, to strengthen the position of cyber-defence:
- Strengthen network underpinnings
- Assure software and systems
- Manage attack surfaces
- Reduce anonymity
- Automate security content
- Mission-based architectures
- Improving cyber awareness
“The physical and information worlds need to converge – for both security and economic reasons. It’s a huge challenge for all of us, but we need multi-factor identification”.
Lentz spoke optimistically of biometric technology as a means of convergence: “We’re ready to leverage biometrics, and deploy risk-based access control in a cloud environment. We need to be able to make instant decisions, instant damage assessments. That is absolutely essential”. Lentz admitted that this will require enormous investment.
A cyber-czar for education and training
“We don’t always ‘walk the talk’ when it comes to people” confessed Lentz. “It’s essential not to lose sight of the fact that we need to continue to concentrate on the people. While the strategic role is to remove large quantities of people from accessing the network, people are still incredibly important”.
“We need a cyber-czar to work solely on information security education and training because it’s not just about technology” he continued.
In support of this education initiative, the Department of Defense have announced a US Cyber Challenge. “We’re going to universities to encourage graduates into information security. We want to discover, train and recruit the best talent in the country”.
The initiative is giving scholarships for students to study cyber security, which Lentz calls “just the beginning”. He acknowledges that they need to infuse more resources into it “to really get the engine going”.
In conclusion, Lentz told the audience that “We need to change the culture, the debate, the focus on cyber-security. We need the same kind of excitement on cyber-security as is currently on the green movement”.