By: Dave Weinstein | Director of Cybersecurity, NJOHSP
Last week I had the pleasure of dropping in on the Cranford Police Department Youth Academy to speak with a room full of 9 to 13 year-olds about cybersecurity. To kick-off the conversation, I posed a simple question to the enthusiastic young “cadets”: "What does cybersecurity mean to you?" Almost without hesitation, half of the hands in the room went up. After everyone had weighed-in, I realized that not a single response was the same.
I'm often struck by how cybersecurity means so many different things to so many different people. For the software engineer, it's about secure application development; for the communications specialist, it's about encryption; for the lawyer, it's about identity theft; and for one 11 year-old "cadet,” it's about "protecting yourself from spies."
In actuality, cybersecurity is a wide-ranging field and we seemingly encounter it in one form or another almost every day. But after spending some time with the next generation of online users last week, I was reminded of cybersecurity’s broader context – one that informs our thinking here at the Office of Homeland Security and Preparedness.
As we all know (and perhaps sometimes take for granted), the Internet yields enormous benefits to society. To name a few, it enriches our social lives, streamlines business operations, fuels entrepreneurship and innovation, and expands our intellectual reach by orders of magnitude. In New Jersey and elsewhere across the developed world, the population disparity between our citizens and our online users is an ever-shrinking integer. At the same time, the number of networked devices occupying our towns, cities, households already exceeds our citizen population – and the gap is rapidly growing.
For a nascent domain as unregulated by laws and norms as cyberspace, its degree of malicious exploitation is still astoundingly low. By all accounts, the vast majority of online users are good stewards of the digital commons while a minority of globally distributed users maliciously exploit cyberspace. The very characteristics of cyberspace that make the Internet so great – it’s open architecture, anonymity, and interconnectivity – also accommodates the malicious pursuit of ideological, political, or financial agendas.
So, reflecting on my afternoon with the young cadets in Cranford, I asked myself, “What does cybersecurity mean to me?” The answer is simple. Cybersecurity for me is about maintaining cyberspace’s net benefit to society and reducing its malicious exploitation.
Fundamentally, there are two ways of doing this. First, you can reduce the number of malicious cyber actors by deterrence or prosecution. What I call “taking players off the field” is largely a law enforcement and military responsibility. But let’s face it, catching a cyber criminal is not like chasing down a bank robber or pulling over a speeding vehicle. Most hackers do not get caught, which often bolsters their resolve. Second, therefore, you can mitigate the malicious cyber activity of the remaining actors – those players still on the field. This is often a shared responsibility between homeland security and IT professionals across the public and private sectors. Over time, effective mitigation changes a hacker’s cost/benefit calculation as they commit more time and money to their operations. Keeping with the sports analogy, even if we can’t get them off the field, we can limit their contributions to the game.
Over the last year, we have focused a lot of our cybersecurity efforts here in New Jersey on the second part – preventing malicious cyber actors from exploiting our local cyberspace – and it starts with basic vulnerability management.
Following Governor Christie’s signing of Executive Order 178, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) began issuing cyber alerts to our members. These alerts contain straightforward information on software vulnerabilities that subject New Jersey’s citizens, businesses, and governments to even the most rudimentary cyber-attack tactics and tools. The alerts are available on our website, our Twitter feed, and our Facebook page. NJCCIC members can also opt-in for email communications right from our homepage.
The current state of cyberspace is such that its positives vastly outweigh its negatives. Our mission is to preserve that balance today and for generations to come. It starts with getting back to basics and signing-up for NJCCIC Cyber Alerts. Keeping your systems up-to-date with the latest security patches can go a long way to raising New Jersey’s barriers to entry for cyber-crime.