DoC Presents a Security Plan for the Rest of Us

Wednesday, June 22, 2011

Jay Bavisi


Department of Commerce Presents:  A Security Plan for the Rest of Us 

When the Obama administration announced the recent cybersecurity plan for the US government, which includes critical infrastructure as a concern of national security, there was an abundance of praise, albeit necessarily cautious. (We’ve been down this road before, to no avail.) 

It’s obvious that in the wake of recent attacks, we’re finding ourselves under-prepared and misguided, and any effort to add structure and accountability to our information security posture is welcomed.

But wait – this is a cybersecurity plan for the government, and critical infrastructure.  What about a plan for businesses that deal with Internet technology outside of the scope of critical infrastructure? 

Well, that thought must have also crossed the Department of Commerce’s mind, as they put together a green paper on Cybersecurity, Innovation and the Internet Economy.

The idea, according to Commerce Secretary Gary Locke and his Internet Policy Task Force, is to form a joint relationship between federal agencies and the private sector, in order to foster the development of voluntary standards – a “code of conduct,” if you will. 

The government won’t be controlling anything; they’ll simply be helping the industry put together their own game plan for following widely accepted standards and best practice.

This initiative has the potential to impact security in three big ways, by:

  • making security easier to achieve through standards and automated configuration and monitoring
  • providing incentives for businesses to invest in security and maintain compliance
  • increasing awareness for education and training through support programs and scholarships

Security – Don’t Hate, Automate

Security is already hard enough, and human involvement only makes it harder, not better.  It’s one thing for this plan to promote best practice, and the use of well-studied standards, but it’s another for this to actually make it to real-world implementations.  

Even when an implementation follows best practice, misconfiguration often renders the control ineffective; and even with the configuration right, lax security policies lead to improper use, so the measures either fall apart or do very little actual securing.

The Department of Commerce has a few things in mind to make this better, and they aim to do so by promoting the adoption of particular keystone standards and practice, accelerating promotion of automation in security, and improving and modernizing security assurance. 

Essentially, we need to identify what is a best practice using currently available standards, and build a framework that allows us to follow this “code of conduct” in an automated way that provides a continuous flow of security, and can pinpoint failures in our security policies in real time. 

This is especially important in light of emerging technologies, like cloud computing, where things are moving away from a centralized interface and into the virtual frontier.

There are already initiatives in place to promote the automation of things like secure configuration, as well as the automatic monitoring of vulnerability management.  For example, the Security Content Automation Protocol (SCAP) and continuous monitoring can help businesses stay compliant, for less.

That’s exactly what we need, and exactly what businesses want to hear – a solution that takes care of security so they don’t have to, allows them to maintain compliance, and does so in the most cost-effective manner possible.

Giving Businesses a Reason to Care About Security

For many businesses, security is a pain; it’s the one thing that costs, but doesn’t generate profitable revenue.  Your boss probably revels in ideas that make money, and here you come with all the gloom that goes along with convincing him that you need to spend X on Y to prevent Z.  He doesn’t like X, he doesn’t understand Y, and he’s not convinced that Z is a problem, because it never has been before. 

As such, security infrastructure is often an ad hoc hodge-podge of this, that, and the other, with no goal in mind, and certainly no efficient way of achieving one even if there were.  Businesses have not traditionally cared at all, until compliance came along and forced them to.

What’s welcoming about this plan is that it provides incentives for businesses to care about security, and adhere to compliance regulations, by saying, for example, “Okay, so you got attacked, but we know you tried hard to be compliant; you followed best practice and used standards.  It happens.  These days, it happens a lot.  We’re going to cut you some slack.” 

Less liability for being hacked saves businesses money, and unlike some businesses we’ve seen as of late, they might think twice before delaying their announcement of having been attacked; this way, they can save money, and face.  The best way to ensure that compliance is maintained is to reward businesses for maintaining it, and ease up on the penalties if they still fall victim to attacks.

The Department of Commerce’s plan is to use security disclosure as an incentive, and because there are laws in place that require the reporting of data breaches, businesses may take this as an incentive to avoid being breached in the first place, to avoid the embarrassment and potential damages of disclosure. 

In addition, this plan pushes for the sharing of information regarding cyber incidents; not only could this encourage the adoption of consensus best practices, but also strengthen defense against future incidents, by studying attack trends.

Being More Aware of the Need for Education and Training

Last, but not least, the Department of Commerce hit the nail on the head when they decided that education and training were due for a much-needed push in awareness.

To ensure that we’re keeping up with rapidly evolving cybersecurity threats, training must be current, and it must contain advanced, technical elements that arm security professionals with the same tools and techniques that hackers use, so they’ll understand exactly how they get in, and prevent them from doing so. 

Thankfully, there are programs responsible for coordinating cybersecurity efforts, such as the government’s National Initiative for Cybersecurity Education (NICE), and this plan calls for a better understanding of how to tailor and target future education and training efforts, by taking a look at what we’re already doing through programs like NICE.

Aside from identifying the best way to move forward with education and training, we especially need to boost the development of metrics and methods for evaluating the return on investment for education and training, which is key to finding the support we need. 

Ideally, this plan will enable security personnel to better “sell” the idea of security to upper management, by clearly showing the costs associated with cybersecurity threats versus the cost of cybersecurity education and training, and how the latter can reduce the cost of the former, and ultimately protect a business’ bottom line.

While it may not be a matter of national security, or considered critical infrastructure, the general industry surrounding the Internet is something our economy depends on, and is completely necessary for innovation. 

With that in mind, there’s no doubt that we need to make security easier to get right, more appealing to businesses as an investment, and more readily accessible to the professionals through advanced education and training, as they will ultimately provide our defense.

Contributed by the EC-Council
