11/26/2013
04:13 PM

Presidential Council Calls For Feds And ISPs To Step Up In Cybersecurity

New report to President Obama says feds 'rarely follow' security best practices

An advisory council to President Obama blasted the federal government for failing to lead in cybersecurity best practices and recommended, among other things, a more active role in security by Internet service providers.

In a new, unclassified report to the Obama administration, the President's Council of Advisors on Science and Technology (PCAST) said the federal government must set the tone by fixing its own security processes, and that it should offer incentives for compliance to ensure that private-sector organizations embrace better security practices.

The report follows a classified report on the same topic that PCAST handed President Obama in February. "A key conclusion is that, given the increasingly dynamic nature of cybersecurity threats, it is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses; static protective mechanisms are no longer adequate," PCAST co-chairs John Holdren and Eric Lander wrote in a letter to President Obama accompanying the new report. Holdren is assistant to the President for Science and Technology and director of the Office of Science and Technology Policy, while Lander is president of the Broad Institute of Harvard and MIT.

Members of the council include leaders from academia at Harvard, Princeton, Yale, and other major universities, as well as Eric Schmidt, executive chairman of Google, and Craig Mundie, senior adviser to the CEO at Microsoft. The council issued six findings on the state of cybersecurity in the U.S., each with recommendations for remedying shortcomings.

The first finding was blunt: "The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems."

The council recommends that the feds retire within two years "unsupported and insecure operating systems," including Windows XP, and move to new versions of Windows, Linux, and Mac OS, as well as push for "universal adoption of the Trusted Platform Module (TPM) microchip for all systems, including smartphones and tablets." It also calls for the feds to adopt the most secure browsers and to make national identity technology available on a voluntary basis to the public, while making its use mandatory for federal users.

"It's very much to the point," says Bill Solms, CEO of Wave Systems, of the new report. "These are immediate changes and things they can do to increase cybersecurity posture."

If the feds can encourage TPM adoption in the private sector and mandate it among federal agencies, that would have a "near-term impact" on security, Solms says. "But TPM must also be managed and turned on ... if you really want to get the benefits of it," he says of the Trusted Computing Group specification for securely generating cryptographic keys on a platform.

In a nod to the new post-Snowden climate of government mistrust, one of the recommendations is that the feds facilitate, but not necessarily have access to, real-time threat intelligence-sharing among private-sector entities. The finding says this information must be shared more widely in the private sector to thwart attacks, and "in appropriate circumstances and with publicly understood interfaces -- between private-sector entities and Government."

The feds should facilitate these real-time intel-sharing partnerships in the private industry, the council says, but that doesn't mean the feds will be privy to them: "Data flows among these private-sector entities should not and would not be accessible by the Government. The Government might participate in establishing protocols, or providing technology, for how the data are utilized by the private sector for cyberdefense. The protocols or technology utilized should have sufficient transparency to mitigate legitimate concerns about inappropriate Government access to private data," according to the council's recommendation.

And ISPs should take a more aggressive role in deflecting threats in their networks, the council said. "Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action," it said. The feds must outline best practices for ISPs here, and the National Institute of Standards and Technology should work with ISPs on voluntary standards for how ISPs alert their customers when their systems are infected and provide them the resources they need to clean them up.

Solms says when ISPs can see a widening botnet threat in their networks, they need to take more aggressive action than many do today. "It's for the greater good," he says.

[The White House spells out several proposed incentives on the table for those who adopt the Cyber Security Framework. See White House Proposes Cybersecurity Insurance, Other Incentives For Executive Order.]

The council also recommended that regulated industries should be required to adhere to cybersecurity best practices via "auditable" processes rather than lists, and that the Securities and Exchange Commission (SEC) should require that publicly held companies disclose security risks "that go beyond current materiality tests."

Industry-driven rather than government-mandated processes for improving security are best, the council says: "For the private sector, Government's role should be to encourage continuously improving, consensus-based standards and transparent reporting of whether those standards are being met by individual private-sector entities."

Finally, the report called for future systems and networks to be built to stand up to attacks. "Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches," the council recommends.

The full "Report to the President: Immediate Opportunities for Strengthening the Nation's Cybersecurity" is available here (PDF).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
