Federal cybersecurity can be described in a variety of ways — airbags installed in a car, a concrete foundation beneath a new home, a safety deposit box at the bank — but it’s the subject that everyone should hold as their top priority.
Speaking during a Dec. 12 Bloomberg Government webcast called “Enabling the Federal Cybersecurity Advantage,” National Institute of Standards and Technology Fellow Dr. Ron Ross said cybersecurity is the “top topic of every board room, every federal agency.”
“The question is not just talking about it, it’s really having a fundamental understanding about what we’re really talking about, what our vulnerabilities really are,” Ross said.
And at a time when the world is becoming more interconnected through rapidly evolving technology, Ross said, there needs to be collaboration around cybersecurity.
“They are computers being pushed to the edge and they’re all being connected and so a lot of the vulnerabilities that come from the sheer enormity, the complexity of what we’re building, those vulnerabilities are increasing at an alarming rate,” Ross said. “The only way you can really get a handle on those is to use best practices and security engineering, building security in to the products and systems from the start. So in that sense it’s going to be a shared responsibility. A government can do the standards, the guidelines, they can be a cheerleader for doing the right thing. But ultimately industry builds the products and the systems that we use as consumers. And I believe the academic community also has a very important role in this problem. They’re educating the next generation of computer scientists and computer engineers, mathematicians, all the young folks that are going to be going to work for industry and understanding how to build a more secure system.”
To help with that collaboration and accepting responsibility, Ross referred to NIST’s publication of the final version of Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems — NIST Special Publication 800-160 — a flexible guide for stakeholders to apply to their cybersecurity systems.
Industry’s job is to produce the greatest capability at the lowest cost, Ross said, but there is a price to pay with that.
“This is going to be the dialogue we’re hoping to start with 800-160,” Ross said. “What’s the obligation of industry to do the right thing with regard to trustworthiness or products that they’re building? There is a balance point. The fear is regulation stifles innovation and that’s a legitimate concern. On the other hand, there are industries that are regulated routinely where the public good is at stake.”
Trent Teyema, section chief at the FBI, overseas operational readiness for the Cyber Division, said during the webcast the hope is to secure 80 percent to 90 percent of the internet as the Internet of Things rolls out, that way if there’s an “attack of internet-enabled toasters,” either the FBI can help stop the attack before it happens, or reduce the impact of the attack on the network.
But even while the FBI and other agencies work to “stop the pain,” Teyema said, it’s still the responsibility of owners to secure the front end of a device after it’s removed from its box and plugged in.
“A lot of the adversaries we’re tracking, they’re scanning the net for these devices on computer systems and when they find them they collect them and figure out how they can leverage them, whether it’s baby monitors, cameras, whatever device is internet-enabled now,” Teyema said.
Consumers can do a lot to protect themselves “above the waterline” Ross said, but adversaries will always have the upper hand below the waterline thanks to the complexity of systems.
The hope with 800-160, Ross said, is to simplify some of that complexity for federal customers, industry and even the academic community.
Just like airbags or seat belts aren’t add-ons for a new car, this guidance would help build in safety and security.
The strategic principles of 800-160 instruct stakeholders to:
Incorporate security at the design phase.
Advance security updates and vulnerability management.
Build on proven security practices.
Prioritize security measures according to potential impact.
Promote transparency across the IoT.
Connect carefully and deliberately.
Publication 800-160 can also provide a trustworthiness for a system that includes personally identifiable information and could be at risk of data hacks, because an attack can happen without a system going down, such as the 2015 Office of Personnel Management breach.
Focusing only on detection and response will leave you vulnerable, Ross said.
“It’s like having a house,” Ross said. “If you don’t lay a foundation in, the concrete and all the things that hold the house up, no matter what you do on the upper floors it’s not going to make a whole lot of difference. That’s why protection always going to be a necessary first step.”
When building that foundation it’s also important to assess the value of what you’re trying to protect, Ross said, because not all assets are created equal.
Just like opening a safety deposit box at the bank for things that are most valuable to you, 800-160 tries to separate assets into which ones require the highest level of defense, “and move out from there,” Ross said.
“You need to stop and reset to figure out what’s most important,” Teyema said. “Protect that and work your way out.”