When cybersecurity legislation failed a key procedural hurdle in the U.S. Senate this fall, experts said immediate widespread improvement of networks was unlikely.
But a new public-private partnership is attempting to step in, providing a framework based on 20 security concepts designed to eliminate the vast majority of vulnerabilities and increase the cost of attack.
The SANS Institute on Nov. 5 unveiled the Consortium for Cybersecurity Action, a group designed to bring together government and industry around the institute’s 20 “critical controls.” The new group is led by Tony Sager, who in June retired from the National Security Agency, where he was one of its top cyber experts.
The critical-controls concept, in which a short, prioritized list of security practices serves as the starting point for a cybersecurity program, is not new. The NSA created a version for internal use several years ago. At the suggestion of several cyber experts, John Gilligan, former chief information officer for the U.S. Air Force, headed the effort to create a public version.
The public list has undergone various iterations; in January, Defense News reported that NSA was working on a version that could be applied across government and in industry. At the time, the agency would not comment on any involvement with the list.
NSA’s work, as well as efforts by outside experts, resulted in the newest version of the critical controls, released the same day as the announcement of the new consortium. The 20 concepts deemed critical by experts include maintaining an inventory of the systems on a network and continuous monitoring.
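The inventory control mentioned above is the one most organizations start with, and it is also one of the easiest to measure. The following is an added example, not code from the critical controls document, from SANS or from the consortium: it reconciles a list of authorized devices (keyed by MAC address) against a handful of constructed ISC dhcpd DHCPACK syslog lines, flags devices that were seen but never authorized, lists authorized devices that have gone quiet, and reports a coverage ratio that could be tracked over time. The authorized list, the log lines and the log format assumed by the regular expression are all assumptions made for the example.

```python
"""Device-inventory reconciliation in the spirit of the first critical control.

Added example. The authorized list and the dhcpd syslog lines below are
constructed for illustration and do not come from the controls document.
"""
import re
from dataclasses import dataclass

# Matches ISC dhcpd lease acknowledgements; the hostname in parentheses is
# optional because clients do not always send one. Format is an assumption.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Constructed authorized inventory: MAC address -> description.
AUTHORIZED = {
    "00:11:22:33:44:01": "ws-alice (HR)",
    "00:11:22:33:44:02": "ws-bob (Finance)",
    "00:11:22:33:44:03": "printer-2f",
    "00:11:22:33:44:04": "srv-backup",
}

# Constructed syslog excerpt. The a4:5e:60 device is not in the inventory
# and renews its lease once, so it should show up exactly once.
SAMPLE_SYSLOG = [
    "Nov  5 09:12:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via eth0",
    "Nov  5 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to 00:11:22:33:44:01 (ws-alice) via eth0",
    "Nov  5 09:13:44 dhcp1 dhcpd: DHCPACK on 10.0.1.22 to 00:11:22:33:44:02 (ws-bob) via eth0",
    "Nov  5 09:15:10 dhcp1 dhcpd: DHCPACK on 10.0.1.30 to 00:11:22:33:44:03 via eth0",
    "Nov  5 09:20:37 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to a4:5e:60:aa:bb:cc (android-3f2) via eth0",
    "Nov  5 09:21:02 dhcp1 dhcpd: DHCPACK on 10.0.1.78 to a4:5e:60:aa:bb:cc (android-3f2) via eth0",
]


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str


def parse_dhcp_leases(lines):
    """Return {mac: Device}, keeping the most recent lease seen for each MAC."""
    seen = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if not m:
            continue  # DHCPDISCOVER, DHCPOFFER and unrelated lines are ignored
        mac = m.group("mac").lower()
        seen[mac] = Device(mac, m.group("ip"), m.group("host") or "")
    return seen


def reconcile(authorized, observed):
    """Split observed devices into known and unknown; also list authorized but unseen."""
    known = {mac: dev for mac, dev in observed.items() if mac in authorized}
    unknown = {mac: dev for mac, dev in observed.items() if mac not in authorized}
    unseen = {mac: desc for mac, desc in authorized.items() if mac not in observed}
    return known, unknown, unseen


def inventory_coverage(authorized, observed):
    """Fraction (0..1) of devices seen on the wire that the inventory accounts for."""
    if not observed:
        return 1.0  # nothing observed means nothing unaccounted for
    return sum(1 for mac in observed if mac in authorized) / len(observed)


def report(lines=SAMPLE_SYSLOG, authorized=AUTHORIZED):
    """Run the reconciliation and return a dict suitable for logging or a ticket."""
    observed = parse_dhcp_leases(lines)
    known, unknown, unseen = reconcile(authorized, observed)
    return {
        "known": sorted(known),
        "unknown": [(d.mac, d.ip, d.hostname) for d in unknown.values()],
        "unseen": sorted(unseen),
        "coverage": inventory_coverage(authorized, observed),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Tracking the coverage ratio and the size of the unknown list over successive runs gives the kind of outcome measurement that reviewers of the controls ask for: the number should move toward 1.0 as unknown devices are either enrolled or removed. In practice the observed set would be built from several sources (DHCP, ARP, switch MAC tables, endpoint agents) rather than one log, since a device with a static address never appears in dhcpd logs at all.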
Sager said one of his biggest tasks upon accepting the new position was figuring out how many people were actually using previous versions of the list.
“No one at SANS could tell you how many people had adopted them,” he said. “We started to take a look at it, and the answer was ... much more than they had expected.”
Those using the controls included 10 American states and a variety of government agencies, as well as defense contractors such as Northrop Grumman.
The controls avoid precise prescriptions and advanced strategies. Rather, the basic elements are designed as a starting point, Sager said.
“The data that I had at NSA, 80 to 90 percent of attacks are based on known vectors,” he said. “If you have a well-managed network, good visibility, good patching, good configurations and so forth, you actually raise the cost to every adversary. You knock out the easy ones, but you force the high-end ones to be much more careful, spend a lot more money, so forth.”
Richard Bejtlich, chief security officer at Mandiant, said he liked the document but was concerned about firms’ ability to measure success.
“Any time you talk about controls, you have to know how they’re being applied, even if you have very good controls like these,” he said. “You’ve got to have some way to say, ‘What we’ve created is working, we’ve seen the outcome, we’re measuring it.’ Or not.”
Bejtlich, whose company is part of the consortium, also said there can be major problems if companies attempt to institute the controls without fully understanding their existing systems.
“One of the most dangerous things that you could do is not know if you are compromised and then start implementing these controls,” he said. The adversary can then avoid all of the new security measures, he said.