PCAST Recommends Continuous Processes Over ‘Static Precautions’ to Address Cybersecurity
The President’s Council of Advisors on Science and Technology (PCAST) approved and released Thursday a report that said cybersecurity is better served by “a set of processes that continuously couple information about an evolving threat to defensive reactions and responses” rather than by instituting “a collection of static precautions.” PCAST had expected to present the report in October, but it was delayed because of the government shutdown. PCAST has previously examined cybersecurity issues through classified reports, but “there are many aspects of cybersecurity that we felt are very important to present to a larger community and are in no way classified,” said PCAST Vice Chair William Press, who co-wrote the report with Craig Mundie, a senior adviser to Microsoft CEO Steve Ballmer. A full version of the report was not available Thursday.
The PCAST report recommends the federal government “take a look at itself” in terms of its internal cybersecurity strategy, Press said at the PCAST meeting. “Sadly, the federal government today rarely follows accepted best practices,” he said. “The federal government needs to lead by example.” Government actions should include phasing out insecure operating systems, since current operating systems are “vastly more secure than operating systems whose technology is 15 or 20 years old in some cases,” Press said. The government should also institute mandatory proven identity when data is exchanged between federal users, and should “use the best” in automatically updating software technologies like cloud hosted software, he said.
Federal agencies that have regulatory authority over specific industries have an opportunity to promote and institute cybersecurity best practices, the PCAST report said. Regulatory agencies “should not require a specific list of cybersecurity measures” but should “record auditable processes where processes are adopted and … continually improved,” Press said. PCAST finds that “continuous improvement” is preferable to meeting a checklist, he said. The PCAST report in particular recommends the Securities and Exchange Commission take further steps to encourage cybersecurity because the agency “is charged with identifying for the benefit of investors what are the risks in publicly held companies,” Press said. Outside of regulated industries, the government should play a more limited role by encouraging the private sector to develop consensus-based standards and be transparent about whether specific companies are meeting those standards, Press said. The National Institute of Standards and Technology has been working on the development of such standards by collaborating with critical infrastructure industry stakeholders to develop the voluntary cybersecurity framework. NIST is currently revising a preliminary version of the framework it released in late October (CD Oct 23 p1).
The private sector should also internally develop a means of sharing cyberthreat information, the PCAST report said. If one company is facing a cyberattack, it is important for the company to be able to share that information with its customers and other companies, Press said. “In appropriate circumstances … there could be some sharing here between private sector entities and government,” he said. “But that, as anybody who reads newspapers recently understands, is a very tricky area.” The House passed the Cyber Intelligence Sharing and Protection Act (HR-624) in April, but development of a companion bill in the Senate on cyberthreat information sharing has been stymied by privacy concerns in the wake of leaks about controversial National Security Agency surveillance programs. The federal role in private sector-developed information sharing plans “should be to facilitate the establishment of private sector partnerships that make possible the exchange of threat data among potentially vulnerable private sector entities,” Press said. “For this to be effective, these data flows should not be and would not be accessible to the government, although the government might participate in establishing protocols in setting up the means for the private sector.”
Internet service providers and their equivalents in large corporations can play a “unique role” in cybersecurity, PCAST said. The PCAST report recommended the federal government create policies on what is “desired behavior” or “minimum acceptable practices” for ISPs on cybersecurity. Press said NIST has been working with ISPs to establish “standards for voluntary measures by which ISPs could alert users and direct them to appropriate resources if their machines or devices are known to be compromised.”
PCAST also recommended that industry and universities do more research to understand how to “build secure systems in these dynamic environments that do not always share assumptions of what are trusted components,” Press said. “Future architectures are going to have to start with the premise that they live in a hostile environment. It’s not just that your computer is an enclave and that the outside of it is a hostile environment.” In particular, PCAST wants more research on building high assurance computer systems. “We think that there’s a need for high-risk, high-return basic research in this area,” Press said. Such research would probably “pay off on a 10- or 20-year time horizon, but when it does pay off it can fundamentally transform the way we think about cybersecurity today.”
The report was praised by other PCAST members. Michael McQuade, United Technologies senior vice president-science and technology, said the report noted how safety issues in critical infrastructure had long been addressed in terms of a continuous process rather than through meeting specific standards. “I think the connection to how safety has been looked at as a process as opposed to a set of checklists is exactly the right approach here,” he said.