I’ll be attending IBM’s World of Watson 2016 in Las Vegas next week. I’m looking forward to hearing whether government and industry are collaborating any better as a result of the passage of The Cybersecurity Act of 2015. The Cyber Act by itself doesn’t really imply (or require) that citizen data (or any other kind of private data) be made accessible across institutions. What it does encourage is the sharing of threat or breach data. Given how hard it is to comprehend cybersecurity threats from a single company’s viewpoint, I’m eager to learn how we’ll be able to use next-generation cognitive tools for cyber threat analysis across firms or within logical groupings of firms.
Some people think that the Federal Government is supposed to lead the fight. But there’s really no one team that can lead – each type of cyber-crime needs a different leader. For example, educating the public and workers can be led by companies that know how to disseminate information widely. Forensics and post-breach analysis might best be performed by those who know how to conduct investigations, while prevention and other pre-breach tasks can be led by law enforcement groups. Cyber-crime is complex, and unless we break down that complexity into manageable chunks it will seem like a daunting task.
The government’s role should be to help in educating, galvanizing the best and brightest, and establishing the ecosystem to help deploy cyber-crime-fighters. The government cannot and should not be seen as having the resources to do it all, but it must lead in creating, managing, and helping deploy the body of knowledge necessary to fight cyber-crime. The private sector needs to build the ecosystems of implementers and crime fighters that follow the knowledge built by the community and galvanized by the government.
One great example of how the government can effectively play the role I described above is elaborated in HHS OIG’s recommendations. It’s been almost a year since the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its 2016 Work Plan. That document summarized OIG’s efforts to improve the overall effectiveness of more than 100 programs administered by HHS. In addition to scrutinizing Centers for Medicare & Medicaid Services (CMS) reimbursement for fraud and cost-cutting opportunities, OIG put medtech cybersecurity under the microscope. Specifically, the government watchdog agency intended to determine whether FDA was doing enough to secure networked medical devices at hospitals — to protect both patient data and patient safety. OIG also expected device manufacturers to be more accountable by providing a security disclosure statement for each of their products, built upon information gleaned from threat assessment, threat modeling, and vulnerability assessment tasks.
At #IBMWoW I’m looking to learn whether that proposed new focus resulted in any actionable insights this year. I’m also going to be looking at how the product roadmaps of digital health software and medical device vendors have been affected. Whatever the health and med tech industry has learned this year will easily apply to other sectors and industries too.
Follow me on Twitter (@shahidnshah) so we can learn together. I’ll be using the hashtag #IBMwow. Stay tuned!