In a new, unclassified report to the Obama administration, the President's Council Of Advisors On Science and Technology (PCA ST) said the federal government must set the tone by fixing its own security processes, and that it should offer incentives for compliance to ensure that private-sector organizations embrace better security practices.
The report follows a classified report on the same topic that the PCA ST handed President Obama in February. "A key conclusion is that, given the increasingly dynamic nature of cybersecurity threats, it is important to adopt protective processes that continuously couple information about evolving threats to defensive reactions and responses; static protective mechanisms are no longer adequate," PCA ST co-chairs John Holdren and Eric Lander wrote in a letter to President Obama with the new report. Holdren is assistant to the President for Science and Technology and director of the office of science and technology policy, while Lander is president of Broad Institute of Harvard and MIT.
Members of the council include leaders from academia at Harvard, Princeton, Yale, and other major universities, as well as Eric Schmidt, executive chairman of Google, and Craig Mundie, senior adviser to the CEO at Microsoft. The council issued six findings on the state of cybersecurity in the U.S., each with recommendations for remedying shortcomings.
The first finding was blunt: "The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems."
The council recommends that the feds retire within two years "unsupported and insecure operating systems," including Windows XP, and move to new versions of Windows, Linux, and Mac OS, as well as push for "universal adoption of the Trusted Platform Module (TPM) microchip for all systems, including smartphones and tablets." It also calls for the feds to adopt the most secure browsers, make available voluntary national identity technology, but make it mandatory for federal users.
"It's very much to the point," says Bill Solms, CEO of Wave Systems, of the new report. "These are immediate changes and things they can do to increase cybersecurity posture."
If the feds can encourage TPM adoption in the private sector and mandate it among federal agencies, that would have a "near-term impact" on security, Solms says. "But TPM must also be managed and turned on ... if you really want to get the benefits of it," he says of the Trusted Computing Group specification for securely generating cryptographic keys on a platform.
In a nod to the new post-Snowden climate of government mistrust, one of the recommendations is that the feds facilitate, but not necessarily have access to, real-time threat intelligence-sharing among private-sector entities. The finding says this information must be shared more widely in the private sector to thwart attacks, and "in appropriate circumstances and with publicly understood interfaces -- between private-sector entities and Government."
The feds should facilitate these real-time intel-sharing partnerships in the private industry, the council says, but that doesn't mean the feds will be privy to them: "Data flows among these private-sector entities should not and would not be accessible by the Government. The Government might participate in establishing protocols, or providing technology, for how the data are utilized by the private sector for cyberdefense. The protocols or technology utilized should have sufficient transparency to mitigate legitimate concerns about inappropriate Government access to private data," according to the council's recommendation.
And ISPs should take a more aggressive role in deflecting threats in their networks, the council said. "Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action," it said. The feds must outline best practices for ISPs here, and the National Institute of Standards and Technology should work with ISPs on voluntary standards for how ISPs alert their customers when their systems are infected and provide them the resources they need to clean them up.
Solms says when ISPs can see a widening botnet threat in their networks, they need to take more aggressive action than many do today. "It's for the greater good," he says.
[The White House spells out several proposed incentives on the table for those who adopt the Cyber Security Framework. See White House Proposes Cybersecurity Insurance, Other Incentives For Executive Order.]
The council also recommended that regulated industries should be required to adhere to cybersecurity best practices via "auditable" processes rather than lists, and that the Securities and Exchange Commission (SEC) should require that publicly held companies disclose security risks "that go beyond current materiality tests."
Industry-driven rather than government-mandated processes for improving security are best, the council says: "For the private sector, Government's role should be to encourage continuously improving, consensus-based standards and transparent reporting of whether those standards are being met by individual private-sector entities."
Finally, the report called for future systems and networks to be built to stand up to attacks. "Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches," the council recommends.
The full "Report to the President: Immediate Opportunities for Strengthening the Nation's Cybersecurity" is available here (PDF).
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.