
Dark Reading, Products and Releases, 5/21/2009 11:50 AM

Gartner: Feds Must Play Stronger Cybersecurity Role

Cybersecurity strategy should focus on using public policy and the government's buying power to accelerate progress in eliminating vulnerabilities that enable attacks versus simply driving increased reporting of attacks, report says

Stamford, Conn., May 21, 2009 — U.S. national cybersecurity policy needs to take a more operational approach toward stimulating higher levels of security in cyberspace, rather than focusing on strategies to drive higher spending or higher visibility for security, according to Gartner, Inc.

Although there is a definite role for government to play in accelerating progress toward higher levels of cybersecurity, it will be more akin to trying to deal with global warming than dealing with telephone, banking, or automotive industry policies.

"The evolution and technological underpinnings of the Internet are very different from those of telecommunications or any other previous infrastructure," said John Pescatore, vice president and distinguished analyst at Gartner. "Different approaches are required to ensure reliable and secure services in cyberspace than on old telecom networks, and the development of public policy has to proceed very differently, as well. Government policy that attempts to force top-down solutions onto an inherently peer-to-peer problem will always fail, as has been demonstrated by U.S. government cybersecurity initiatives during the last 15 years."

Mr. Pescatore said a national cybersecurity strategy should not be aimed at having the government seek to control the level of security on the Internet or issue legislation to mandate solutions. Rather, cybersecurity strategy should focus primarily on using public policy and the government's buying power to accelerate progress in eliminating vulnerabilities that enable attacks versus simply driving increased reporting of attacks. A successful national cybersecurity strategy will look more like a hurricane preparedness strategy that mandates redesigning structures or building higher levees versus the deployment of more water gauges.

Gartner analysts said that several key elements should be the focus of U.S. government strategy for cybersecurity:

  • Stop studying, and start acting -- There have been plenty of existing efforts to define and measure the shortcomings of cybersecurity, so there is no need to reinvent the wheel.
  • Harmonize federal security standards with commercial equivalents -- Although there will always be a need for higher levels of security than commercial standards allow, harmonizing the base level will eliminate duplication and waste and enable the government to drive suppliers to higher levels of security more easily. Similar harmonization at the federal level of data privacy and disclosure rules is needed, as well.
  • Use purchasing power to drive security to be built-in -- Because the key to increasing cybersecurity lies in reducing vulnerabilities, all government software procurements should require application vulnerability testing as part of the acceptance criteria.
  • Evaluate existing regulations, and rejuvenate enforcement -- There are areas where federal legislation is needed to harmonize conflicting state laws, but the biggest bang for the federal buck will be in the actual enforcement of existing rules and regulations.
  • Keep offense and defense separate -- The primary goal of a cybersecurity strategy must be to make attacks ineffective through prevention rather than to detect successful attacks by enabling surveillance. Combining the two functions will inevitably result in lower levels of security and possibly increased privacy violations.
  • Reward best practices -- Most of the publicity tends to go toward the government agencies with low Federal Information Security Management Act scores in annual audits, and currently there seems to be little or no effort to spread best practices across agencies.
  • Establish a federal chief information security office, not a federal cybersecurity czar -- The bottom line is that increasing national cybersecurity is an operations issue. The problems are well-understood, solutions are known, and gaps have been identified. Organizations with high security in private industry and government almost invariably have a strong security office and a chief information security officer (CISO), and that should be the model that the U.S. government follows.

"There is little doubt that the federal government has a major role to play in stimulating progress toward higher levels of cybersecurity," said Mr. Pescatore. "Proactive harmonization of security standards driven by the federal government will be much more effective than leaving states to define their own, widely varying levels of approaches for increasing the protection of citizen data and critical infrastructures."

Additional information is available in the Gartner report "Toward a National Cybersecurity Strategy." The report is available on Gartner's Web site at http://www.gartner.com/DisplayDocument?ref=g_search&id=949412&subref=simplesearch.

Mr. Pescatore will discuss the key issues facing the security industry during the Gartner Information Security Summit, taking place from June 28 through July 1 in Washington, D.C. The Summit hits the critical spot between strategic planning and tactical advice. Gartner analysts, industry experts and IT security practitioners will deliver unbiased, realistic analysis of the current state of information security, as well as an independent vision of how things will evolve over the long term. For complete event details, please visit the Gartner IT Security Summit Web site at http://www.gartner.com/it/page.jsp?id=749433. Members of the media can register by contacting Christy Pettey at [email protected]

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit www.gartner.com.
