Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/26/2013
04:13 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Presidential Council Calls For Feds And ISPs To Step Up In Cybersecurity

New report to President Obama says feds 'rarely follow' security best practices

An advisory council to President Obama blasted the federal government for failing to lead in cybersecurity best practices and recommended, among other things, a more active role in security by Internet service providers.

In a new, unclassified report to the Obama administration, the President's Council Of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes, and that it should offer incentives for compliance to ensure that private-sector organizations embrace better security practices.

The report follows a classified report on the same topic that the PCA ST handed President Obama in February. "A key conclusion is that, given the increasingly dynamic nature of cybersecurity threats, it is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses; static protective mechanisms are no longer adequate," PCA ST co-chairs John Holdren and Eric Lander wrote in a letter to President Obama with the new report. Holdren is assistant to the President for Science and Technology and director of the office of science and technology policy, while Lander is president of Broad Institute of Harvard and MIT.

Members of the council include leaders from academia at Harvard, Princeton, Yale, and other major universities, as well as Eric Schmidt, executive chairman of Google, and Craig Mundie, senior adviser to the CEO at Microsoft. The council issued six findings on the state of cybersecurity in the U.S., each with recommendations for remedying shortcomings.

The first finding was blunt: "The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems."

The council recommends that the feds retire within two years "unsupported and insecure operating systems," including Windows XP, and move to new versions of Windows, Linux, and Mac OS, as well as push for "universal adoption of the Trusted Platform Module (TPM) microchip for all systems, including smartphones and tablets." It also calls for the feds to adopt the most secure browsers, make available voluntary national identity technology, but make it mandatory for federal users.

"It's very much to the point," says Bill Solms, CEO of Wave Systems, of the new report. "These are immediate changes and things they can do to increase cybersecurity posture."

If the feds can encourage TPM adoption in the private sector and mandate it among federal agencies, that would have a "near-term impact" on security, Solms says. "But TPM must also be managed and turned on ... if you really want to get the benefits of it," he says of the Trusted Computing Group specification for securely generating cryptographic keys on a platform.

In a nod to the new post-Snowden climate of government mistrust, one of the recommendations is that the feds facilitate, but not necessarily have access to, real-time threat intelligence-sharing among private-sector entities. The finding says this information must be shared more widely in the private sector to thwart attacks, and "in appropriate circumstances and with publicly understood interfaces -- between private-sector entities and Government."

The feds should facilitate these real-time intel-sharing partnerships in the private industry, the council says, but that doesn't mean the feds will be privy to them: "Data flows among these private-sector entities should not and would not be accessible by the Government. The Government might participate in establishing protocols, or providing technology, for how the data are utilized by the private sector for cyberdefense. The protocols or technology utilized should have sufficient transparency to mitigate legitimate concerns about inappropriate Government access to private data," according to the council's recommendation.

And ISPs should take a more aggressive role in deflecting threats in their networks, the council said. "Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action," it said. The feds must outline best practices for ISPs here, and the National Institute of Standards and Technology should work with ISPs on voluntary standards for how ISPs alert their customers when their systems are infected and provide them the resources they need to clean them up.

Solms says when ISPs can see a widening botnet threat in their networks, they need to take more aggressive action than many do today. "It's for the greater good," he says.

[The White House spells out several proposed incentives on the table for those who adopt the Cyber Security Framework. See White House Proposes Cybersecurity Insurance, Other Incentives For Executive Order.]

The council also recommended that regulated industries should be required to adhere to cybersecurity best practices via "auditable" processes rather than lists, and that the Securities and Exchange Commission (SEC) should require that publicly held companies disclose security risks "that go beyond current materiality tests."

Industry-driven rather than government-mandated processes for improving security are best, the council says: "For the private sector, Government's role should be to encourage continuously improving, consensus-based standards and transparent reporting of whether those standards are being met by individual private-sector entities."

Finally, the report called for future systems and networks to be built to stand up to attacks. "Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches," the council recommends.

The full "Report to the President: Immediate Opportunities for Strengthening the Nation's Cybersecurity" is available here (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14821
PUBLISHED: 2019-09-19
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->l...
CVE-2019-15032
PUBLISHED: 2019-09-19
Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.
CVE-2019-15033
PUBLISHED: 2019-09-19
Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
CVE-2019-16412
PUBLISHED: 2019-09-19
In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value. (Prohibition of this zero value is only enforced within the GUI.)
CVE-2019-16510
PUBLISHED: 2019-09-19
libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady in mms/iso_mms/server/mms_server.c, as demonstrated by server_example_goose.