US publishes National Cybersecurity Strategy critical security controls

The US has published a draft list of critical security controls to protect key national information systems from cyber attack....

The US has published a draft list of critical security controls to protect key national information systems from cyber attack.

The move is the first step towards creating a comprehensive US national cyber security strategy as recommended by a special advisory commission.

The Center for Strategic and International Studies (CSIS), a Washington-based think tank, set up the commission in August 2007 after a series of cyber attacks on critical information systems.

The CSIS Commission on Cybersecurity is tasked with advising President Barack Obama's government on how to protect federal information systems and critical infrastructure from attack.

The draft controls, known as the Consensus Audit Guidelines, are based on input from 10 federal agencies, Mitre Corporation, Sans Institute, and two penetration testing and forensics firms.

The Consensus Audit Guidelines (CAG) project was started in 2008 after data losses by leading US defence industry firms. The goal was to draw up a risk-based standard to counter all known types of cyber attack.

"This is the best example of risk-based security I have ever seen," said Alan Paller, director of research at the Sans Institute.

According to Alan Paller, the team that drew up the guidelines represents the most complete understanding of the threat to US information systems.

The CAG is the first cybersecurity initiative driven by people who have a full understanding of how cyber attacks are carried out, he said.

The draft CAG document lists 20 actions or controls that will enable government, defence industry, financial and retail organisations block or mitigate cyber attacks.

The controls examine areas of vulnerability including application software security, access control, wireless devices, data leakage, data backup, and security skills assessment and training.

Each control details the type of threat it stops or mitigates, how the control can be automated and how organisations can test if they have implemented the control effectively.

The draft guidelines are open for public review until 23 March and are aimed at setting a baseline standard for US cyber security.

A minimum standard will help government agencies, companies and courts to determine what kind of investment in security is enough, said Paller.

He said this was particularly important with an increasing number of organisations being sued for cyber liability such as Heartland Payment Systems and RBS WorldPay.

"Even if it does not solve the legal problem, it will almost certainly revolutionise federal cybersecurity practise and spill over to the defence industry, banks and commercial organisations almost immediately," he said.

The CSIS said broad adoption of the guidelines may also lead to agreement on standards for security automation and government procurement of proven IT security tools.

Jim Lewis, director of the CSIS technology and public policy program, said better use of standards is one of the most powerful ways the US federal government can improve cybersecurity.

Read more on IT governance