Normally, I wouldn’t recommend reading a 307-page report. Washington — that stew of government, think-tanks, self-proclaimed experts and a myriad of other self-dealing hangers-on — produces, every day, multi-hundred-page reports nobody reads. Members of Congress don’t even read their own legislation. Thank heavens for whoever invented the executive summary.
But this weighty report, plodding though its title might sound, comes from a guy anyone concerned with cybersecurity should listen to. Namely, Ron Ross, the Sammies-award-winning computer security scientist from NIST.
I’m talking about Special Publication 800-160. The title — are you sitting down? — “Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.”
Ross is co-author, along with Michael McEvilley of Mitre Corporation and Janet Carrier-Oren of PriceWaterhouseCoopers. In development for nearly a decade, 800-160’s second draft dates from May, with comments having closed in July.
Why read this one? I’ll answer with a question. How many times have you heard some form of this assertion: “We can’t add in (or bolt on) security after the fact. It has to be built-in from the beginning.” A million times? It crowns the shibboleths, the ancestral truths, of the cybersecurity tribe. This special publication outlines how to do it. Here’s the NIST press-release version.
Building in cybersecurity from the beginning occurs rarely, even though the 650-odd necessary controls are outlined in the long-established NIST SP 800-53. At an AFCEA D.C. chapter symposium the other day, Ross told the story of an Army official who, 30 days from the planned launch of a major new system of record, had to slam on the brakes. He had discovered that none of the 650 controls had been implemented in the system.
As Ross said at AFCEA, in spite of all the activity surrounding cyber, “we’re still having serious breaches and devastating attacks.” And with what he called the “total convergence” of the physical and cyber domains, the challenge grows.
The essence of 800-160 is how to ensure cybersecurity is “baked in” from the beginning, just as steelmakers add nickel and other alloying elements to molten iron to make steel. It focuses on cyber-physical systems such as fire control systems on weapons platforms or industrial controls. Cybersecurity doesn’t date as far back as metallurgy, but 800-160 includes a quote about the need for built-in security from the Ware Report. Don’t remember that one? The first version came out in 1970 (when Ross was 19).
If 800-160 establishes, or re-establishes, anything, it’s that security is an engineering discipline. It requires knowledge, care and adherence to standards. Today, people get excited over every new app, no matter how badly engineered. Every time you check your iPhone, another dozen apps need updating. Systems that control everything from dams to satellites need, to quote 800-160, “engineering activities [that] are performed systematically and consistently to achieve a set of outcomes within every stage of the system life cycle, including concept, development, production, utilization, support and retirement.”
I’d say program managers and chief information officers should at least read 800-160. Although it is intended mainly for systems development and engineering people and is filled with cross-references to IEEE standards, most of it is plain English perfectly understandable to non-engineers. At the least, the people who will ultimately live with the consequences of these systems should understand the basic approaches they should be demanding of the people building them, whether in-house staff or contractors.