Developing ‘duck and cover’ in the age of cybersecurity

In the 1950s, the threat was nuclear, and even the school children were prepared.

The U.S. Civil Defense Administration enlisted the help of animators to create “Duck and Cover,” a short film featuring Bert the turtle to teach children how to protect themselves in case of a nuclear explosion.

“If you duck and cover, you will feel much safer,” the voiceover advises as Bert jumps for safety inside his shell.

David Cotton, a Strategic Security Advisor at Pratum and retired Brigadier General in the U.S. Air Force, thinks of this national campaign when it comes to cybersecurity, Cotton told attendees at the Secure Iowa Conference in Ankeny Oct. 9.

“Are we ready for that today, in the society we have today, in the world of cyber?” Cotton posed to attendees.

The U.S. had 864 cybersecurity breaches this year as of Sept. 5, exposing 34 million records in multiple industries. Iowa was one of three states named in the the July indictment announced by the Justice Department against 12 Russian intelligence officers, who allegedly targeted a cyberattack against Democratic Party targets and state election systems, including government agencies and vendors.

“Forty-four percent of the breaches are patches that should have happened two to four years ago, things that we’ve known about and it hasn’t taken place,” Cotton said. “Multi-factor authentication is so easy today, and I always hear, ‘Leadership doesn’t want to do it.’ They’re the first ones who should.”

So far, Cotton doesn’t see the same kind of cultural campaign push the U.S. government developed back in the Cold War, adapted for cybersecurity. There are significant changes to the status quo, though.

The 2018 Department of Defense Cyber Strategy highlights an effort to “defend forward,” Cotton said, anticipating a confrontation with cyber attackers before they reach sensitive networks. The strategy also aims to streamline information-sharing on emerging threats between the government and contractors/vendors.

A non-profit Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) has also been set up through the National Council of ISACs, Cotton said;  EI-ISAC senior program specialist Kateri Gill had earlier shared information on ISAC resources with conference attendees, which include a 24-7 cybersecurity operations center, an onsite Computer Emergency Response Team for small government partners, and free cyber alerts and education resources.

President Donald Trump also released an executive order in May 2017 to strengthen federal networks and infrastructure, outlining risk management policy and crisis reaction policy to situations such as a prolonged power outage.

“This is a big challenge for all of us, for cyber citizens to be aware on all lines,” Cotton said. “I was somewhat disappointed in not seeing something as robust as the duck-and-cover, but I … feel that that government is on the right track.

“We as citizens have some tools available to us, and it’s how to maximize those tools and actually implement them so we have a response plan that works – not only in our work life but our home life, because those are all intertwined today,” Cotton added.