The U.S. National Security Agency is developing a set of cybersecurity guidelines to apply to its own systems, and ultimately to any government or contractor network, according to sources familiar with the effort.
A 38-member team is drawing up the guidelines, which will be based on a list of 20 cybersecurity controls developed and released two years ago by an independent panel of government and nongovernment experts.
The original guidelines were designed to promote continuous network monitoring, but were largely sidestepped by the Defense Department and contractors. Still, they generated intense debate in military security circles, leading to the NSA’s current project.
“What you are seeing is while the 20 points were developed two years ago and a lot of things have languished publicly, there has been an effort to run these things,” said retired Air Force Maj. Gen. Dale Meyerrose, a former chief information officer for the Office of the Director of National Intelligence.
Meyerrose said that while he was familiar with the effort, he is not involved in it.
In parallel, the Pentagon is evaluating its Defense Industrial Base Cyber Pilot, a test program in which about a dozen volunteer contractors received Defense Department information about cybersecurity threats in exchange for information about attacks on their own corporate networks.
The pilot program was viewed as a potential model for improved cybersecurity in the contracting community, and experts said it has seen some success. But some also said participating companies have not been fully forthcoming about attacks, and much of the intelligence the Defense Department shared with the businesses was not new to the defense companies.
Still, the pilot could determine whether NSA officials decide that voluntary programs are unworkable, and insist instead on mandatory compliance.
Meyerrose cited parallels between the pilot and the new guidelines.
“They are not unrelated, and I’m very confident that [NSA Director Army] Gen. [Keith] Alexander will draw off of that on things not to do and things to do,” he said.
The NSA team aims to first apply the 20-point list internally, and later encourage other agencies to follow.
Drawn up by a group led by John Gilligan, a former Air Force chief information officer, “Twenty Critical Security Controls for Effective Cyber Defense” was released in 2009 in part to move organizations from periodic paper reports, which failed to detect problems quickly enough, toward continuous security awareness.
Gilligan said he was surprised by the Pentagon’s delay in implementing the various points.
“I’ve asked myself, ‘Why is this taking so long?’ It seems so obvious,” he said.
Gilligan said NSA has been involved in these efforts for years.
“NSA was a major player in the origins of the controls,” he said. “They probably won’t say that publicly, but the analysis of threat patterns originally came from the NSA.”
NSA routinely tests defense network security, and it frequently penetrated networks that Gilligan was responsible for protecting when he was with the Air Force.
“I said to the NSA, ‘You coming in every year and just pointing out that you can break in relatively easily is not helpful. You need to tell me how to prevent that,’” he said.
Three-quarters of the points in the document address continuous monitoring, while the remaining quarter deals with wider analysis of systems.
Some of the suggestions in the document have been used by government agencies. The State Department, for example, saw a 90 percent decline in attacks in the first year after converting to continuous monitoring, according to a Department of Homeland Security report. State’s effort was headed by John Streufert, who was slated to become the new director of the National Cyber Security Division at the DHS.
But many of the ideas listed in the critical controls document have yet to be implemented by DoD, or by defense contractors with access to classified information.
“We know that it’s effective,” said James Lewis, who was part of the group that developed the list of controls and is a cyber expert at the Center for Strategic and International Studies. “It will take another push to get people to move towards continuous monitoring.”
Extending coverage and creating guidelines does, however, raise the question of what, if any, kind of control the government should have over companies’ networks, a question that has not been fully addressed by the framework team yet.
“It is this age-old question of trying to figure out what role the military should have in cyberspace,” Meyerrose said. “There are two sets of opposing good intentions. The first is that the best assets of the United States government ought to be available to the American people, in commerce and other things. And there’s the other, where we don’t want the military intruding into other areas beyond the dot-military domain.”