Governments and companies band together to push cyber protections

U.S. and foreign government officials, along with antivirus companies and banks, have formed a coalition to push for the adoption of certain electronic safeguards that could help them all avoid data breach lawsuits.

Led by a 34-year veteran of the National Security Agency, the Consortium for Cybersecurity Action is proposing a set of 20 proven security controls for automatically immunizing computer systems.

“This is about priority,” said Tony Sager, who in June retired from NSA, the key Pentagon agency involved in network surveillance and code breaking. The 20 steps are “the most important defenses that every firm should put in place that are of greatest value.” He now works for the SANS Institute, a computer research and training center that helped develop the controls. Sager briefed reporters on the proposal Monday.

The Homeland Security Department has plans to incorporate the top five safeguards into packages of continuous monitoring tools that Congress recently funded for distribution to agencies in 2013. With the fortifications in place, agencies should have a near real-time picture of unauthorized devices connected to their networks; unapproved software on those devices; security configurations on smartphones, servers and other hardware; assessments, plus repairs, of vulnerabilities; and antivirus defenses.

“The government is laying the foundations,” said John Streufert, director of DHS’ national cybersecurity division. “We will also provide the specifications of those critical controls to any public or private organization who may want to use them,” he added, noting they are for “dealing with the worst problems first.”

In July, NSA Director Gen. Keith Alexander, Sager’s former boss, told lawmakers to consider incorporating the controls into cybersecurity legislation for the private sector. SANS has posted on its website a list of “the top 20 things that you ought to fix [on your network] if you’re in industry,” Alexander said during July 9 remarks at the American Enterprise Institute, a conservative think tank. “And those are kind of rules of the road.”

The 20 measures are intended to make the most out of limited cash at any organization, from small businesses to Wall Street firms.

Members of the coalition include the U.S. Defense and Homeland Security departments, the Australian and U.K. governments, American Express, Booz Allen Hamilton, Citibank, Goldman Sachs, McAfee, MITRE, Symantec and Tenable.

The financial institutions, which helped update the controls, “I believe are all on the path to adopting them,” said Sager, who served as the chief operating officer of NSA’s information assurance division before departing.

During the next few years, if an organization fails to follow the basic controls and a data breach occurs, expect to see victims file lawsuits for negligence, experts who are now in the coalition have said. Already, shoe shoppers have sued because hackers allegedly accessed more than 24 million customer accounts by breaking into unprotected servers, exposing passwords and the last four digits of credit card numbers.

The Center for Strategic and International Studies published a baseline for the controls in 2009, calling it a “consensus document” validated by private security experts, the Defense Department and civilian federal agencies. The controls promoted Monday are the fourth revision of that baseline.

(Image via Johan Swanepoel/
