The US has published a draft list of critical security controls to protect key national information systems from cyber attack.

The move is the first step towards creating a comprehensive US national cyber security strategy as recommended by a special advisory commission.

The Center for Strategic and International Studies (CSIS), a Washington-based think tank, set up the commission in August 2007 after a series of cyber attacks on critical information systems.

The CSIS Commission on Cybersecurity is tasked with advising President Barack Obama's government on how to protect federal information systems and critical infrastructure from attack.

The draft controls, known as the Consensus Audit Guidelines, are based on input from 10 federal agencies, Mitre Corporation, the SANS Institute, and two penetration testing and forensics firms.

The Consensus Audit Guidelines (CAG) project was started in 2008 after data losses by leading US defence industry firms. The goal was to draw up a risk-based standard to counter all known types of cyber attack.

"This is the best example of risk-based security I have ever seen," said Alan Paller, director of research at the SANS Institute.

According to Alan Paller, the team that drew up the guidelines represents the most complete understanding of the threat to US information systems.

The CAG is the first cybersecurity initiative driven by people who have a full understanding of how cyber attacks are carried out, he said.

The draft CAG document lists 20 actions or controls that will enable government, defence industry, financial and retail organisations to block or mitigate cyber attacks.

The controls examine areas of vulnerability including application software security, access control, wireless devices, data leakage, data backup, and security skills assessment and training.

Each control details the type of threat it stops or mitigates, how the control can be automated, and how organisations can test whether they have implemented the control effectively.

The draft guidelines are open for public review until 23 March and are aimed at setting a baseline standard for US cyber security.

A minimum standard will help government agencies, companies and courts to determine what kind of investment in security is enough, said Paller.

He said this was particularly important with an increasing number of organisations being sued for cyber liability, such as Heartland Payment Systems and RBS WorldPay.

"Even if it does not solve the legal problem, it will almost certainly revolutionise federal cybersecurity practice and spill over to the defence industry, banks and commercial organisations almost immediately," he said.

The CSIS said broad adoption of the guidelines may also lead to agreement on standards for security automation and government procurement of proven IT security tools.

Jim Lewis, director of the CSIS technology and public policy program, said better use of standards is one of the most powerful ways the US federal government can improve cybersecurity.