Get more Mail & Guardian
Subscribe or Login

The White House opens a new era of cybersecurity

The United States has been reeling from several major security breaches. Most recently a ransomware attack prevented operations at the Colonial fuel pipeline.

 Last year, hackers believed to be directed by Russian intelligence services infiltrated SolarWinds, a popular IT management software vendor used widely by the US public sector and many private sector companies. Affected companies included Microsoft, Intel and Cisco. The US treasury, Justice and Energy departments were also affected. And earlier this year, Chinese-linked attackers targeted hundreds of thousands of Microsoft Exchange mail servers worldwide.

These incidents represent the tip of the iceberg, and they occur everywhere, not just against the US. Fortunately the security world isn’t complacent. The cybersecurity industry has developed some excellent countermeasures such as multi-factor authentication (MFA), endpoint detection and response (EDR) and models such as zero-trust security.

But whoever said: “Build it and they will come,” was wrong, at least concerning cybersecurity.

Let me give an example. You probably use multi-factor authentication often, through your bank. It will send you an SMS with a unique code or ask you to accept a prompt on your phone. You’ll notice MFA in many places, such as your Gmail account. It’s very effective, but it’s not used nearly as widely as it ought to be.

If I told you that your home would be safer with a security gate in front of your locked door, you’d see the value of that. Yet we tend to become very picky in the digital world and justify why we don’t need a seemingly obvious security feature. We see that gate as an obstruction to us, not the characters we want to keep out.

I understand the reluctance. Cybersecurity can be complicated, and complicated can lead to high costs and low effectiveness. There are other considerations, such as ageing computer systems or how security measures could annoy users and dampen productivity. So organisations play it safe, and the free market doesn’t push certain security features aggressively enough. If it isn’t broken, why fix it? Except, it’s very broken in terms of cybersecurity.

Two common but opposing mindsets adopted by organisations are to deal with a breach when it happens and try to survive versus proactively planning for compromise and adopting best practices, and deploying the right security solutions. Most companies opt for the former, hoping they won’t be targeted — a terrible strategy. 

Cybercriminals are equal opportunists, attacking everything from governments to little companies. We have to be more proactive.

In response to recent breaches, US President Joe Biden signed an executive order that determines best security practice for software companies wishing to do business with US federal departments and agencies. It mandates the use of MFA, endpoint detection and response and encourages zero-trust security, an approach that treats all data interactions with suspicious scrutiny. The order also removes barriers to sharing breach information, enabling the left and right hands to know what each is doing. It establishes a Cyber Safety Review Board to review significant incidents, similar to how the National Transportation Safety Board investigates aircraft crashes, leading to safer aviation.

Compared with previous orders and standards, this one is quite aggressive and prescriptive. It will have an effect. The US government is a large technology customer with considerable procurement power, and the security improvements that arise from the executive order will benefit other security customers. 

I hope other countries, including South Africa, are taking notice. We’ve been progressive with legislation such as the Protection of Personal Information Act. As our country rapidly adopts digital systems, clear guidance from the top will help our public and private sectors to make themselves and their users more secure.

Why should we take the lead and not wait for the US order to create change? The South African government uses many local companies that design custom software that might not have a reason to worry about what happens in North America. If we released a similar benchmark, it would help secure the public sector, the largest spender on information and communications technology, and influence the local tech sector to be more security conscious. 

Several state organs have a say on security, but a message from the top can provide clear benchmarks and expectations that others can strategise and implement.

Breaches in the US make headlines. But cybercrime strikes everywhere. Hopefully, the White House’s executive order will add clarity and direction to get the job done, helping secure our digital futures. If we do the same, South Africa will take another step into becoming a leading digital society.

Subscribe to the M&G

Thanks for enjoying the Mail & Guardian, we’re proud of our 36 year history, throughout which we have delivered to readers the most important, unbiased stories in South Africa. Good journalism costs, though, and right from our very first edition we’ve relied on reader subscriptions to protect our independence.

Digital subscribers get access to all of our award-winning journalism, including premium features, as well as exclusive events, newsletters, webinars and the cryptic crossword. Click here to find out how to join them.

Stephen Kreusch
Stephen Kreusch is cybersecurity director at Performanta

Related stories

WELCOME TO YOUR M&G

If you’re reading this, you clearly have great taste

If you haven’t already, you can subscribe to the Mail & Guardian for less than the cost of a cup of coffee a week, and get more great reads.

Already a subscriber? Sign in here

Advertising

Subscribers only

Life Esidimeni inquest postponed until August 30

The lawyer for the bereaved families argued that Dr Makgabo Manamela’s requests for postponements have a negative impact on the families of the deceased who seek closure

RECAP: Mbeki tells ANC that land without compensation goes against...

‘This would be a very serious disincentive to investment,’ says Thabo Mbeki in a document arguing that the ANC should not proceed with the Constitutional amendment of section 25

More top stories

Rivals agree on new measures to end Cape Town taxi...

But key route remains closed and affected areas halt issuing of operating licences

Magashule claims his suspension of Ramaphosa was lawful

In his application for leave to appeal the high court judgment, Magashule argues that the court erred in holding that Ramaphosa’s suspension was not lawful without giving any explanation for that conclusion

Life Esidimeni inquest postponed until August 30

The lawyer for the bereaved families argued that Dr Makgabo Manamela’s requests for postponements have a negative impact on the families of the deceased who seek closure

Wayde van Niekerk misses 400m final to compound SA pain

The world record holder was a medal hope but has ultimately been outrun by injury
Advertising

press releases

Loading latest Press Releases…
×