Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/26/2013
04:13 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Presidential Council Calls For Feds And ISPs To Step Up In Cybersecurity

New report to President Obama says feds 'rarely follow' security best practices

An advisory council to President Obama blasted the federal government for failing to lead in cybersecurity best practices and recommended, among other things, a more active role in security by Internet service providers.

In a new, unclassified report to the Obama administration, the President's Council Of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes, and that it should offer incentives for compliance to ensure that private-sector organizations embrace better security practices.

The report follows a classified report on the same topic that the PCA ST handed President Obama in February. "A key conclusion is that, given the increasingly dynamic nature of cybersecurity threats, it is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses; static protective mechanisms are no longer adequate," PCA ST co-chairs John Holdren and Eric Lander wrote in a letter to President Obama with the new report. Holdren is assistant to the President for Science and Technology and director of the office of science and technology policy, while Lander is president of Broad Institute of Harvard and MIT.

Members of the council include leaders from academia at Harvard, Princeton, Yale, and other major universities, as well as Eric Schmidt, executive chairman of Google, and Craig Mundie, senior adviser to the CEO at Microsoft. The council issued six findings on the state of cybersecurity in the U.S., each with recommendations for remedying shortcomings.

The first finding was blunt: "The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems."

The council recommends that the feds retire within two years "unsupported and insecure operating systems," including Windows XP, and move to new versions of Windows, Linux, and Mac OS, as well as push for "universal adoption of the Trusted Platform Module (TPM) microchip for all systems, including smartphones and tablets." It also calls for the feds to adopt the most secure browsers, make available voluntary national identity technology, but make it mandatory for federal users.

"It's very much to the point," says Bill Solms, CEO of Wave Systems, of the new report. "These are immediate changes and things they can do to increase cybersecurity posture."

If the feds can encourage TPM adoption in the private sector and mandate it among federal agencies, that would have a "near-term impact" on security, Solms says. "But TPM must also be managed and turned on ... if you really want to get the benefits of it," he says of the Trusted Computing Group specification for securely generating cryptographic keys on a platform.

In a nod to the new post-Snowden climate of government mistrust, one of the recommendations is that the feds facilitate, but not necessarily have access to, real-time threat intelligence-sharing among private-sector entities. The finding says this information must be shared more widely in the private sector to thwart attacks, and "in appropriate circumstances and with publicly understood interfaces -- between private-sector entities and Government."

The feds should facilitate these real-time intel-sharing partnerships in the private industry, the council says, but that doesn't mean the feds will be privy to them: "Data flows among these private-sector entities should not and would not be accessible by the Government. The Government might participate in establishing protocols, or providing technology, for how the data are utilized by the private sector for cyberdefense. The protocols or technology utilized should have sufficient transparency to mitigate legitimate concerns about inappropriate Government access to private data," according to the council's recommendation.

And ISPs should take a more aggressive role in deflecting threats in their networks, the council said. "Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action," it said. The feds must outline best practices for ISPs here, and the National Institute of Standards and Technology should work with ISPs on voluntary standards for how ISPs alert their customers when their systems are infected and provide them the resources they need to clean them up.

Solms says when ISPs can see a widening botnet threat in their networks, they need to take more aggressive action than many do today. "It's for the greater good," he says.

[The White House spells out several proposed incentives on the table for those who adopt the Cyber Security Framework. See White House Proposes Cybersecurity Insurance, Other Incentives For Executive Order.]

The council also recommended that regulated industries should be required to adhere to cybersecurity best practices via "auditable" processes rather than lists, and that the Securities and Exchange Commission (SEC) should require that publicly held companies disclose security risks "that go beyond current materiality tests."

Industry-driven rather than government-mandated processes for improving security are best, the council says: "For the private sector, Government's role should be to encourage continuously improving, consensus-based standards and transparent reporting of whether those standards are being met by individual private-sector entities."

Finally, the report called for future systems and networks to be built to stand up to attacks. "Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches," the council recommends.

The full "Report to the President: Immediate Opportunities for Strengthening the Nation's Cybersecurity" is available here (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...