From: Foreign Policy/Killer Apps
Posted By John Reed
With the White House expected to release its cyber security executive order as early as tonight, Killer Apps spoke with some private-sector cyber security experts about what they would like to see. Almost all agreed that the Obama administration, and Congress, need to do something to help protect the nation’s banks, transport companies, energy firms, defense contractors, and other companies on which millions of people rely from a crippling cyber attack.
“It’s a public security and a public safety issue, and it needs some level of government oversight because you cannot let market forces completely go in areas where public safety is involved,” said Ashar Aziz, chief technology officer of FireEye. While Aziz and other IT security executives Killer Apps spoke with recently agreed that the government needs to do something to ensure that critical infrastructure providers are adequately protected against cyber attacks, they cautioned that an executive order or legislation should not dictate technical security measures (such as specific pieces of software) that could quickly become obsolete.
“The regulations don’t need to be specified in terms of technology, they need to be specified in terms of posture,” said Aziz. “You need to look at where the [evolving] threats are, how the threats operate, and what is needed to counter such threats. . . . All we need to say is, the critical networks need to have safeguards to protect against unknown threats, independent of technology. Use whatever the best commercially available products on the market are.”
Some suggest that the government could follow the model used by the credit card industry’s security organization, Payment Card Industry Security Standards Council, whose members develop security standards and audit companies that process credit card payments. If a company fails an audit, the council has the power to ban that firm from processing credit cards.
“It specifies 12 different things that companies need to do in order to secure credit card data,” such as encrypting credit card data and using firewalls. “An auditor will walk in and look and see how well you followed that 12-step criteria,” said Rob Rachwald, manager of IT security strategy at Imperva. “If you’re found out of compliance, different penalties could apply. They may be financial penalties. Worst case, and this doesn’t happen very often but it does happen, your ability to transact credit cards is pulled.”
Roger Thornton, chief technical officer at AlienVault, agrees with the approach.
“What you want to specify is, ‘the end result I [the government] want you to achieve. You’re all smart and you’ll all find different ways to achieve it’,” said Thornton of what any cyber legislation should say. That end result would involve limiting how many break-ins each firm suffers or how many IT security vulnerabilities the firm has.
The execs also agreed that provisions allowing for rapid sharing of information on cyber threats, and on the best way to defend against them, between the government and private businesses need to be in any executive order or legislation.
“We really need good threat intelligence sharing; these attacks frequently come in campaigns, and these campaigns target multiple organizations,” said Aziz. “We need a real-time view of the threat landscape. I believe it’s possible to provide that in a way that does not violate or compromise the consumer’s or the public’s information privacy.”
The Cyber Security Act of 2012, which failed to pass the Senate last fall, contained provisions aimed at encouraging businesses to share information with the government about cyber attacks they had suffered by freeing them of liability for improperly sharing citizens’ private information.
“We all recognize that cybersecurity is a [government] problem because a lot of these attacks are coming from overseas,” said Rachwald. “What would happen, for example, if the government ponied up a community resource center” aimed at sharing information about cyber attacks against U.S. firms and the best responses to those attacks.
Rachwald agreed that the government should order companies to constantly scan their networks for actual intrusions, not just potential vulnerabilities — under the premise that all networks will be penetrated, no matter how good their security.