Recently, I represented Fortinet at a U.S. House Committee on Energy and Commerce hearing about strengthening cybersecurity in a digital era. I emphasized the importance of public-private partnerships to strengthen cyber resiliency in the United States, how organizations can implement secure-by-design recommendations, and work to close the cybersecurity workforce gap. Below, I recap some of the key points I made in my testimony.
Cybersecurity as a team sport
Today’s technology environment is vastly different than when I retired from federal service. We have seen accelerated movement to the cloud and a shift from largely wired networks to software-defined networks. We’ve also witnessed a proliferation of Internet-of-Things (IoT) devices and dramatic growth in the breadth and power of AI-enabled services.
Layer onto these technological changes the COVID-fueled imperative to enable remote work and off-site connectivity, and the result is that IT and communications are now laser-focused on enabling the connection of users, devices, data, and computing power regardless of where these are located and how they are provided.
Meeting these demands securely is more than any single user, company, or government agency can realistically expect to do alone. At its core, cybersecurity is a team sport. Any good coach tells their team to “talk to each other out there on the field.” Cybersecurity is no different.
Cybercriminals talk to each other, actively partnering to bring their specific skills to a criminal enterprise. To keep up, industry and government must work together to share cyberthreat intelligence and have interoperable cybersecurity tools and sensors. This partnership needs to be multidimensional and multidirectional with collaboration and a two-way flow of information between the public and private sectors and within each sector.
Transparency and trust
With so much of our lives dependent on or enabled by technology, it is important to be able to trust networks and have confidence in the security of the data flowing across them. Creating a culture of trust and greater transparency is crucial for organizations to make complex cybersecurity decisions and help users make more informed purchases.
Consumers need better visibility into key criteria of the technology they use, including where it was developed or manufactured, the manufacturer, and the security posture of the technology.
This focus on trust was evident at the macro communications network level with the ban on certain companies that were deemed a national security threat. As digital technology becomes more ubiquitous, we should be asking the same questions about other aspects of our broader communications networks. Is the router in my home secure? Is my television listening to my family dinner conversations? Consumers need to be able to trust the technology they are using to increase the resiliency of our nation’s cyber posture. Increased transparency will help fuel this trust.
Transparency and trust can be addressed through market forces. For example, although the number of IoT devices in use is growing dramatically, many of these devices lack even rudimentary security capabilities. It can be difficult for even sophisticated consumers to determine which devices have adequate security.
The proposed FCC Cyber Trust Mark program for IoT devices is intended to address this issue in a manner analogous to the Federal Energy Star labeling program that helps consumers evaluate the energy efficiency of appliances. Fortinet applauds this initiative and believes it could serve as a model for enabling more informed decision-making in other parts of the cybersecurity marketplace.
Secure by design
The U.S. National Cyber Strategy released last year recognized that we need to increase our collective cyber resilience. It identified the IT sector as a key element for success because virtually every organization relies on commercial, off-the-shelf IT and security products. The strategy identified the need to ensure these products were “secure by design,” with security included from the initial design phase. It also stated that these products and services should be delivered in configurations that are “secure by default” rather than expecting users, such as small businesses and individual citizens, to figure out how to enable the appropriate security settings and maintain them.
Fortinet is proud to be one of the companies leading the collaboration between the federal government and industry to develop voluntary goals and approaches that will build our collective cyber resilience by ensuring that IT and communications products are secure by design and by default. The secure-by-design concepts are relatively straightforward. However, secure by default is less intuitive, so I offer the following example. In many breach investigations conducted by Fortinet’s incident response team, the victim’s cybersecurity tools detected anomalous activity and generated alerts months before the full scale of the intrusion was realized and an investigation began. Unfortunately, in many of these cases, their users did not configure the security tools to save a copy of the suspect files, which slowed detection and response.
The human element
Partnerships should extend to supporting consumers as well. It is not realistic to expect consumers to successfully “go it alone” in understanding cybersecurity. The person using their home computer, the small business owner buying a Wi-Fi access point, and the school administrator purchasing equipment for students all need support.
Addressing the human element is part of Fortinet’s cybersecurity mission. We are working to help build the cyber workforce of the future and ensure that all members of society have cyber awareness and fundamental competence in cybersecurity. Fortinet has dramatically expanded its award-winning free training on cyberthreats and on good cybersecurity practices because educating users at every level is critical to our collective security.
To succeed, efforts with users must begin at a young age and involve partnerships across government, industry, and academia. Fortinet has made significant commitments to this cause through the Fortinet Training Institute.
In 2021, we committed to training over 1 million new users over the span of five years to help close the sizeable cyber skills gap; and we are on track, having achieved over 43% of this goal by the end of 2023. In 2022, we committed to offering free cyber awareness training to all K-12 faculty and staff in the U.S. This program has reached over 350,000 users in more than 30 states. We also expanded our support of the K-12 program to include free curriculum content for teachers to use in their lesson plans for K-12 students.
Collaboration is key
Fortinet is proud to be part of numerous collaborative programs with the U.S. government, ranging from the NIST National Cybersecurity Center of Excellence to CISA’s Joint Cyber Defense Collaborative. Our broad approach to cybersecurity reflects Fortinet’s commitment to innovation and a theme we believe is essential: the need for partnership.