Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Ron Ross and a “New” Approach to Cybersecurity

No sooner had I finished my latest “Are We Secure?” piece than I read an August 23, 2016 article on Fedscoop by Shaun Waterman with the title “New Approach Needed to IT, Says NIST’s Top Cyber Scientist” (see http://fedscoop.com/ron-ross-cybersecurity-comission-august-2016). The article describes a presentation by Ron Ross, a Senior Fellow at NIST (National Institute of Standards and Technology), to the Commission on National Cybersecurity.

Ross has a very impressive background, having contributed to many NIST Special Publications and FIPS standards, with particular emphasis on security and privacy controls. He has received quite a number of awards and honors.

If you read the Waterman article, you may be surprised, as I was, that Ross’s recognition that we need to build security in from the start of the system lifecycle seems to be so recent. For someone so immersed in cybersecurity, you might have thought that Ross would have signed up for application security initiatives much earlier, particularly given his strong background. No matter: public statements that current security methods are just not doing the job and that we need to build safe and secure systems from the start are welcome whenever they occur and from whatever source, particularly from highly authoritative folks such as Ron Ross. Ross stated that current approaches “fail to address the fundamental weaknesses in system architecture and design.” His suggestion is to “build more trustworthy secure components and systems by applying well-defined security design principles in a life cycle-based systems engineering approach,” since “the security we have in place isn’t working.” He asserts that “… highly assured and trustworthy solutions … should be available to those entities that are critical to the economic and national security interests of the U.S. [including] the electric grid, manufacturing facilities, financial institutions, transportation vehicles, water treatment plants, and weapons systems.” It so happens that all these issues are brought up in my book “Engineering Safe and Secure Software Systems” (Artech House, 2012) and many of these topics have been addressed in a number of my earlier BlogInfoSec columns.

Ross compares the needed effort to the 1960s moonshot in that the suggested approach “will require a significant investment of resources and the involvement of essential partnership[s] including government, industry, and the academic community.” Go, Ron!

Not that Ron Ross is the first security guru to pronounce that cybersecurity is broken. Some 18 months ago, Amit Yoran, as newly-minted president of RSA, in his keynote presentation at the April 2015 RSA Conference, stated that “the security industry is failing” and that we must change our approach (see http://fortune.com/2015/04/21/rsa-conference-amit-yoran-keynote/). He suggests the following “5 things to know”:

  1. Know your environment
  2. Know your users
  3. Know your adversaries
  4. Know your priorities
  5. Know your weaknesses

While the approaches promulgated by Ross and Yoran are quite different, they add up to the very forceful argument that we cannot continue with business as usual and expect cyberspace to become more secure. Ross does say that “You cannot protect that which you do not understand,” which is in line with Yoran’s recommendations.

Indeed, you need both aspects (at least) … increased situational awareness and building trustworthy (safe and secure) systems. I believe that there is another critically-important component, namely, the creation, adoption and enforcement of globally-accepted cybersecurity policy and standards. If building trustworthiness into systems is comparable to the moonshot, then developing international cybersecurity standards equates to the Manhattan Project and is just as important for our national security as are any other alliances.
