Read the full report here at The Washington Post.
Start planning for retirement early
Companies should begin planning from the moment they introduce a new product for when the product’s underlying technology will be too outdated to be supported, the report urges. Data shows that the number of hackable vulnerabilities in any product’s software increases over time, but as products get older and fewer people use them, companies are less likely to actively monitor those vulnerabilities or to force customers to patch them.
As a result, the Internet ecosystem abounds with legacy technology that’s ripe for hacking. The WannaCry malware campaign, which wreaked global havoc in 2017, for example, was launched using a vulnerability in a decades-old tech protocol Microsoft had already released a patch for.
Currently, however, there’s no incentive for consumers and organizations to stop using outdated tech that companies aren’t supporting anymore. The strategy speculates about several ways to shift incentives so consumers don’t keep using old and insecure technology.
For example, companies that sell products that have Internet connections but aren’t fundamentally tech products — such as cars with fancy entertainment and navigation systems — could figure out ways to decouple the software components from the non-software components. That way, a car owner could replace the Internet-connected bells and whistles without having to replace the product itself.
We’ve seen this movie before
Most of the report’s major priorities have been pointed out before in reports by industry, academics or federal agencies.
A Commerce Department report from May, for example, which focused on combating armies of zombie computers known as botnets also stressed the importance of securing technology for its entire life cycle.
The Energy and Commerce report also stresses the importance of the public and private sector working together on cybersecurity. That was a main takeaway from an all-star commission established by the Obama administration after the Office of Personnel Management breach, which reported its findings shortly after the 2016 election.
The common elements show that Congress, the executive branch and cybersecurity experts are on the same page about a lot of what needs to be done. They also underscore, however, that the past few years have seen many recommendations on cybersecurity, but much less implementation.
No regulation in sight
One thing the report doesn’t advocate or even mention is any effort to mandate cybersecurity protections through regulation. That puts it in good company with government and industry reports, which have typically warned that broad cyber regulations would backfire by limiting companies’ flexibility to adapt quickly and to secure themselves in the smartest ways.
The Obama-era cybersecurity commission warned that broad regulation may be necessary in the future, but said it’s not clearly necessary yet. Some consumer groups and Democratic lawmakers have been much more open to the idea of cyber regulations and other mandates.
The government is vital to cybersecurity
The private sector owns the vast majority of the Internet, but the government must play a leading role in cybersecurity, the report warns.
In particular, the report heaps praise on a government-financed effort to collect, organize and rate the severity of all known computer bugs, known as the Common Vulnerabilities and Exposures database, or CVE.
The committee criticized the Department of Homeland Security, which funds the CVE database, and MITRE, the federally funded research center that manages it, in August, citing reports that researchers were waiting weeks or months for new computer bugs to be catalogued. Despite that mismanagement, the report describes the database as “the cornerstone on top of which modern cybersecurity is constructed.”