Feds’ Security Practices Lacking

Monday, December 2, 2013 @ 03:12 PM gHale

The federal government is failing to lead when it comes to cyber security best practices, said an advisory council to President Obama, and it recommended a real-time threat intelligence-sharing among private-sector entities.

In a new, unclassified report to the Obama administration, the President’s Council Of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes, and it should offer incentives for compliance to ensure private-sector organizations embrace better security practices.

RELATED STORIES
Data Breaches Go Undisclosed
Security: A Strategic Voice
NIST Seeks Smart Grid Comments
Preliminary Cybersecurity Framework Released

The report follows a classified report on the same topic the PCA ST handed President Obama in February.

“A key conclusion is that, given the increasingly dynamic nature of cyber security threats, it is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses; static protective mechanisms are no longer adequate,” PCA ST co-chairs John Holdren and Eric Lander wrote in a letter to President Obama with the new report. Holdren is assistant to the President for Science and Technology and director of the office of science and technology policy, while Lander is president of Broad Institute of Harvard and MIT.

Members of the council include leaders from academia at Harvard, Princeton, Yale, and other major universities, as well as Eric Schmidt, executive chairman of Google, and Craig Mundie, senior adviser to the chief executive at Microsoft. The council issued six findings on the state of cyber security in the U.S., each with recommendations for remedying shortcomings.

The first finding simply said, “The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyber attacks more difficult by implementing best practices for its own systems.”

The council recommends the feds retire within two years “unsupported and insecure operating systems,” including Windows XP, and move to new versions of Windows, Linux, and Mac OS, as well as push for “universal adoption of the Trusted Platform Module (TPM) microchip for all systems, including smartphones and tablets.” It also calls for the feds to adopt the most secure browsers, make available voluntary national identity technology, but make it mandatory for federal users.

In a nod to the new post-Snowden climate of government mistrust, one of the recommendations is the feds facilitate, but not necessarily have access to, real-time threat intelligence-sharing among private-sector entities. The finding said this information must end up shared more widely in the private sector to thwart attacks, and “in appropriate circumstances and with publicly understood interfaces — between private-sector entities and Government.”

The feds should facilitate these real-time intelligence sharing partnerships in the private industry, the council said, but that doesn’t mean the feds will be privy to them. “Data flows among these private-sector entities should not and would not be accessible by the Government. The Government might participate in establishing protocols, or providing technology, for how the data end up utilized by the private sector for cyber defense. The protocols or technology utilized should have sufficient transparency to mitigate legitimate concerns about inappropriate Government access to private data,” according to the council’s recommendation.

And Internet Service Providers (ISPs) should take a more aggressive role in deflecting threats in their networks, the council said. “Internet Service Providers are well-positioned to contribute to rapid improvements in cyber security through real-time action,” it said. The feds must outline best practices for ISPs here, and the National Institute of Standards and Technology (NIST) should work with ISPs on voluntary standards for how ISPs alert their customers when their systems suffer infection and provide them the resources they need to clean them up.

The council also recommended regulated industries should adhere to cyber security best practices via “auditable” processes rather than lists, and that the Securities and Exchange Commission (SEC) should require that publicly held companies disclose security risks “that go beyond current materiality tests.”

Industry-driven rather than government-mandated processes for improving security are best, the council said. “For the private sector, Government’s role should be to encourage continuously improving, consensus-based standards and transparent reporting of whether those standards are being met by individual private-sector entities,” the report said.

Finally, the report called for future systems and networks to be able to stand up to attacks. “Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches,” the council recommends.

Click here to read the “Report to the President: Immediate Opportunities for Strengthening the Nation’s Cybersecurity.”



Leave a Reply

You must be logged in to post a comment.