“It’s clear that cybersecurity will not be achieved by a collection of static precautions that, if taken by government and industry organizations, will make them secure. Rather, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses,” the council announced, forming a central theme.
The council has delivered the 'Immediate Opportunities for Strengthening the Nation’s Cybersecurity' report to President Obama, outlining areas where executive action can accelerate progress toward protecting the nation’s information systems and assets.
PCAST makes several recommendations in the report, including real-time public-private information sharing to improve the capacity to respond to cyberthreat data effectively. This echoes President Obama’s February Executive Order on cybersecurity.
But the report also breaks some new ground, for instance advocating that the government take advantage of third-party resources. ISPs are well-positioned to contribute to rapid improvements in cybersecurity through real-time action. The National Institute of Standards and Technology (NIST) then could and should work with ISPs toward establishing standards for voluntary measures by which ISPs can alert users and direct them to appropriate resources when their machines or devices are known to be compromised. This, of course, puts an onus on providers that has never been there before, but it’s also an opportunity for broadband providers to differentiate themselves to consumers.
The report also emphasizes that long-term thinking is important: PCAST recommends that the nation invest in high-risk, high-return basic research with a 10- to 20-year time horizon that, if successful, could fundamentally transform the future cybersecurity landscape.
Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Working with research universities and industry laboratories, a goal should be the creation of systems with dynamic, real-time defenses to complement hardening approaches, including highassurance hardware, firmware and the complete software stack.
And, an independent organization should be tasked with the development of certifiable maturity levels with respect to threat-aware design processes for companies that design hardware and software.
PCAST also makes an assessment that the federal government rarely follows accepted best practices. Specifically, it’s falling down on the job when it comes to making even routine cyber-attacks more difficult.
The set of recommendations for this are the same as they would be for any enterprise: the government needs to first of all phase out unsupported and insecure operating systems, such as Windows XP, and should adopt automatically updating software, including cloud-hosted software, both for commercial of-the-shelf (COTS) and GOTS2 products. The universal adoption of the Trusted Platform Module (TPM, the industry-standard microchip designed to provide basic securityrelated functions, primarily involving encryption keys) and proofed identities for people, roles, devices and software are important too.
“While voluntary in the private sector, these should be mandatory for transactions and data exchanges among Federal users,” the report recommended.
PCAST also pointed out that there is opportunity in regulation: within already regulated industries, the regulator should require not a specific list of cybersecurity measures but rather an auditable process by which cybersecurity best practices are adopted and continually improved. Furthermore, the council recommended that the President should strongly encourage independent regulatory agencies to adopt measures that require selfreporting of continuous-improvement practices along these same lines.
“In particular, the Securities and Exchange Commission (SEC) should mandate, for publicly held companies, the disclosure, as investment risks, of cybersecurity risk factors that go beyond current materiality tests,” PCAST said.
But outside of regulated sectors, industry-driven, but third-party-audited, continuous-improvement processes are more likely to create an effective cybersecurity culture than are Government-mandated, static lists of security measures, PCAST added.
Cybersecurity has been a focus for the Obama Administration, and it's slowly making some headway, although PPCAST's report shows that there is much more work to do. In October NIST posted a draft review copy of a document that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for managing cybersecurity risk within critical infrastructure services, in a manner similar to how financial, safety and operational risk is handled. The final , as mandated by the executive order, will be published in February 2014.