With the White House expected to release its cyber security executive order as early as tonight, Killer Apps spoke with some private sector cyber security experts on what they would like to see. Almost all agreed that the Obama administration -- and Congress -- need to do something to help protect the nation's banks, transport companies, energy firms, defense contractors, and other companies on which millions of people rely, from a crippling cyber attack.
"It's a public security and a public safety issue, and it needs some level of government oversight because you cannot let market forces completely go in areas where public safety is involved," said Ashar Aziz, chief technology officer of FireEye. While Aziz and other IT security executives Killer Apps spoke with recently agreed that the government needs to do something to ensure that critical infrastructure providers are adequately protected against cyber attacks, they caution that an executive order or legislation should not dictate technical security measures (such as specific pieces of software) that could quickly become obsolete.
"The regulations don't need to be specified in terms of technology, they need to be specified in terms of posture," said Aziz. "You need to look at where the [evolving] threats are, how the threats operate, and what is needed to counter such threats. . . . All we need to say is, the critical networks need to have safeguards to protect against unknown threats, independent of technology. Use whatever the best commercially available products on the market are."
Some suggest that the government could follow the model used by the credit card industry's security organization, the Payment Card Industry Security Standards Council, whose members develop security standards and audit companies that process credit card payments. If a company fails an audit, the council has the power to ban that firm from processing credit cards.
"It specifies 12 different things that companies need to do in order to secure credit card data," such as encrypting credit card data and using firewalls. "An auditor will walk in and look and see how well you followed that 12-step criteria," said Rob Rachwald, manager of IT security strategy at Imperva. "If you're found out of compliance, different penalties could apply. They may be financial penalties. Worst case -- and this doesn't happen very often but it does happen -- your ability to transact credit cards is pulled."
Roger Thornton, chief technical officer at AlienVault, agrees with the approach.
"What you want to specify is, 'the end result I [the government] want you to achieve. You're all smart and you'll all find different ways to achieve it,'" said Thornton of what any cyber legislation should say. That end result would involve limiting how many break-ins each firm suffers or how many IT security vulnerabilities the firm has.
The execs also agreed that provisions allowing for rapid information sharing on cyber threats, and the best way to defend against them, between the government and private businesses need to be in any executive order or legislation.
"We really need good threat intelligence sharing, these attacks frequently come in campaigns and these campaigns target multiple organizations," said Aziz. "We need a real-time view of a threat landscape. I believe it's possible to provide that in a way that does not violate or compromise the consumer's or the public's information privacy."
The Cyber Security Act of 2012, which failed to pass the Senate last fall, contained provisions aimed at encouraging businesses to share information with the government about cyber attacks they had suffered by freeing them of liability for improperly sharing citizens' private information.
"We all recognize that cybersecurity is a [government] problem because a lot of these attacks are coming from overseas," said Rachwald. "What would happen for example, if the government ponied up a community resource center" aimed at sharing information about cyber attacks against U.S. firms and the best responses to those attacks.
Rachwald agreed that the government should order companies to constantly scan their networks for actual intrusions, not just potential vulnerabilities -- under the premise that all networks will be penetrated, no matter how good their security.
Richard Bejtlich, chief security officer with Mandiant, told Killer Apps that simply ordering that firms adhere to certain standards won't work. Businesses need to be audited for
"I would like to see some type of annual requirement, maybe starting with critical infrastructure, that says, at the very least on an annual basis, are you compromised?" he said. "You need to know, are the Russians inside your network, are the Chinese inside your network doing damage and have it be an annual test. All this vulnerability-based we've been doing for the last 10 or 15 years doesn't make any difference."
Companies would have to report publicly if they had been penetrated -- something that might prompt innovation in cyber defense since firms won't want to be known for having bad network security. "I see it as the same thing as a financial audit, are you a going concern, what kind of money are you making, what kind of money are you losing? As a shareholder, I want to know, is some of the intellectual property that drives this investment in someone else's hands."
Still, Bejtlich admits that this approach is "fairly intrusive, so the likelihood of that happening is low, instead, we're likely to see more standards."
Jeffrey Carr, CEO of Taia Global, echoed Bejtlich's sentiment, arguing that the SEC's current recommendation that companies disclose cyber attacks should be made mandatory. President Obama's executive order should "encourage the SEC to make their cyber security guidelines into requirements," said Carr in an email to Killer Apps. "At the very least, to require registrants to reveal their degree of cyber risk."
Bringing over the PCI audit model and using it to find actual penetrations on networks, instead of monitoring for vulnerabilities, may be workable, according to another cyber security expert.
The "idea of continuous monitoring linked to mitigation, if you can fit that into the credit card model, then that makes sense," said James Lewis of the Center for Strategic and International Studies. "The idea of monitoring for weird behavior is a good one, if massive files are being transferred out of your network at 3:00 in the morning, you know something's up."
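One way to turn Lewis's "3:00 in the morning" heuristic into a concrete check, as an added example that is not code from Killer Apps or from any of the firms quoted here: it sums bytes leaving the network per internal host per hour over constructed flow records and flags quiet-hour windows that exceed a threshold. The internal address range, the quiet-hour window and the byte threshold are assumed values a defender would tune to their own baseline.

```python
"""Off-hours bulk-egress detector: a toy implementation of the "massive files
leaving at 3 a.m." heuristic. Added example; flow records below are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")     # assumption: the monitored network
QUIET_HOURS = range(0, 6)               # assumption: 00:00-05:59 counts as off hours
BULK_BYTES = 500 * 1024 * 1024          # assumption: 500 MiB in one hour is "massive"

# Constructed sample flows: "timestamp,src,dst,bytes", one record per transfer.
FLOWS = """\
2013-02-11T14:05:00,10.0.1.20,203.0.113.8,120000000
2013-02-11T15:10:00,10.0.1.20,203.0.113.8,90000000
2013-02-12T03:02:00,10.0.1.20,198.51.100.77,850000000
2013-02-12T03:40:00,10.0.2.5,198.51.100.77,12000000
2013-02-12T03:15:00,192.0.2.9,10.0.1.20,700000000
2013-02-12T09:30:00,10.0.3.7,203.0.113.8,640000000
"""

def parse_flows(text):
    """Yield (when, src, dst, nbytes) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(nbytes)

def off_hours_egress(flows):
    """Sum bytes leaving INTERNAL per (host, hour window) during quiet hours.
    Inbound flows and daytime transfers, however large, are ignored on purpose."""
    totals = defaultdict(int)
    for when, src, dst, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL and when.hour in QUIET_HOURS:
            totals[(str(src), when.strftime("%Y-%m-%d %H:00"))] += nbytes
    return totals

def find_suspicious(text, threshold=BULK_BYTES):
    """Return sorted [(host, hour_window, bytes)] for windows at or above threshold."""
    totals = off_hours_egress(parse_flows(text))
    return sorted((h, w, b) for (h, w), b in totals.items() if b >= threshold)

if __name__ == "__main__":
    for host, window, nbytes in find_suspicious(FLOWS):
        print(f"ALERT {host} sent {nbytes / 2**20:.0f} MiB outbound during {window}")
```

The 640 MB daytime transfer and the 700 MB inbound flow are deliberately not flagged; the check is about volume that is unusual for the hour, not volume alone.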
When asked by Killer Apps about the business lobby's claim that critical infrastructure providers are doing a good job at cyber security and that no government action is needed, Lewis said, "Why are the banks squealing for help from NSA?"