FNC Blog

The New Norm for Cybersecurity

March 2023 National Cybersecurity Strategy

March, 2023


It was announced today that the Biden Administration wants to change the approach this country takes towards cybersecurity. The older approach has been a “buyer beware” mentality. The newer approach is to incentivize the makers of Internet-related software and devices to build in better security standards, i.e. to ‘raise the bar.’

Key Takeaways:

  • IT professionals and Cybersecurity professionals are not the same.
  • Securing public networks (Hotels, MDUs, Student Housing, Planned Living Communities, Entertainment Facilities) is different than securing an enterprise.
  • Cybersecurity is a top-down approach to mitigating liability and falls under Governance, Risk and Compliance (GRC) Management.
  • Cybersecurity uses probabilities (Impact and Likelihood) to calculate risk thresholds and determine courses of action.

Let me introduce myself: I'm Scott Madlener, Operations Manager and one of the founders of Fibernet Capital. I love to talk about cybersecurity, and I don’t get to do it enough. Before joining FNC, I was providing cybersecurity consulting to Election Districts across the country. If you ask, I can tell some fun cocktail party stories. In addition to my experience running managed services companies since 1995, I’m building FNC with a culture of security. These are my roles within FNC, the reason I’m employed, and topics I take to heart.

Today’s announcement from the White House is directed toward software manufacturers (cloud and device). Of special interest to FNC are the devices: everything from the WiFi Access Points that we control to the hundreds of uncontrolled personal and IoT devices inside the properties we manage. Two key terms jump out from the last sentence: “Uncontrolled” and “Inside.” Under most cybersecurity frameworks, the first recommended process is an active inventory of the hardware connected to the network. This task is difficult at best given the unknown and transient nature of the end users behind our networks. Additionally, FNC must assume that bad guys are both inside and outside the network. These two words, “Uncontrolled” and “Inside,” mandate a completely different approach to cybersecurity than historically practiced.

The National Cybersecurity Strategy announced today recognizes "that even the most advanced software security programs cannot prevent all vulnerabilities;" however, the manufacturers of commercial- and consumer-grade solutions have the best leverage for implementing better security practices. The newer thinking of this executive directive fits with FNC’s need to ‘raise the bar’ as related to the availability, integrity, and confidentiality of the networks we manage. Along with installing top-down policies within our organization, some tactics that FNC employs include a liberal use of isolation techniques, structural supports that don’t depend on user cooperation, and ongoing threat assessments guided by the privileged government information I receive.

I recently discussed two examples of security breaches which most people would overlook. The first relates to Bluetooth-connected speakers that most of us own. The norm for Bluetooth is a pairing sequence that requires proximity and access to both devices in question. For some reason, there are speakers that don't require any pairing. I have personally hijacked the playlist of more than one evening with friends. This lack of basic security has never been acceptable, but today these manufacturers are specifically being told to improve or be penalized.

Another example involves a commercial-grade IoT thermostat being sold to hotels. A touted feature of this device is an embedded WiFi radio that is supposed to allow guests and their devices a route to the Internet. For this feature to work, either the building automation is connected to the guest network or guests are connecting to the building automation network. In either case, significant security exploits could occur. "Features" like this example are liabilities in disguise that simply need to be eliminated.

During the last 20 years, I have tried to demystify technology. Most people don't know how this stuff works and don't want to know. For many people, technology is like magic. An example I've used to illustrate the need to hold manufacturers more accountable is one of a desk light. In the 1940s, if a person plugged in a light and got shocked, most likely they'd blame themselves for making a mistake (like clicking a link in an email). And most likely they would just be happy to have an electric light. Today, if I plugged in a light and got shocked, I would be pretty upset with the manufacturer for making a crappy light that shocks me. In cybersecurity terms, this more modern thinking is called 'raising the maturity level' of an environment. By the way, FNC employs features that significantly reduce the risk to users who click hostile links, an Internet grounding wire if you will.


Original News Source

The White House:

FACT SHEET: National Cyber Security Strategy 

National Cyber Security Policy

 

About FiberNetCapital

FNC is a managed service infrastructure company that operates a Network as a Service (NaaS) business. FNC’s NaaS business model is built to:

  • Deploy a robust infrastructure to optimize the end-user network services
  • Finance the infrastructure and network applications
  • Manage and support the infrastructure and network applications 

The complexity and speed at which technology is advancing require new financial thinking that mitigates capital risk while still allowing for proper technology investment. FNC shifts infrequent, independent capital investments to standard monthly operating expenses via an operating lease. FNC’s holistic approach provides a base ROI and builds on that return over the life of the contractual period. Property owners mitigate their capital expenditures, technology obsolescence and operating risk while creating a superior digital ecosystem within their properties. FNC recoups its investment with a recurring, monthly fee tied to a 10-year operating lease and service agreement.

FNC’s NaaS begins by deploying a Fiber-to-the-Edge, Software-Driven, Multi-Purpose Infrastructure. This “Smart-Fiber” Infrastructure supports all the end-user network services as well as additional applications and systems that FNC will continue to introduce. In this way, FNC creates a dynamic asset and manages this infrastructure for current and future demands.
