Governments and companies band together to push cyber protections

U.S. and foreign government officials, along with antivirus companies and banks, have formed a coalition to push for the adoption of certain electronic safeguards that could help them all avoid data breach lawsuits.

Led by a 34-year veteran of the National Security Agency, the Consortium for Cybersecurity Action is proposing a set of 20 proven security controls for automatically immunizing computer systems.

“This is about priority,” said Tony Sager, who in June retired from NSA, the key Pentagon agency involved in network surveillance and code breaking. The 20 steps are “the most important defenses that every firm should put in place that are of greatest value.” He now works for the SANS Institute, a computer research and training center that helped develop the controls. Sager briefed reporters on the proposal Monday.

The Homeland Security Department has plans to incorporate the top five safeguards into packages of continuous monitoring tools that Congress recently funded for distribution to agencies in 2013. With the fortifications in place, agencies should have a near real-time picture of unauthorized devices connected to their networks; unapproved software on those devices; security configurations on smartphones, servers and other hardware; assessments -- plus repairs -- of vulnerabilities; and antivirus defenses. 

“The government is laying the foundations,” said John Streufert, director of DHS’ national cybersecurity division. “We will also provide the specifications of those critical controls to any public or private organization who may want to use them,” he added, noting they are for “dealing with the worst problems first.”

In July, NSA Director Gen. Keith Alexander, Sager’s former boss, told lawmakers to consider incorporating the controls into cybersecurity legislation for the private sector. SANS has posted on its website a list of “the top 20 things that you ought to fix [on your network] if you’re in industry,” Alexander said during July 9 remarks at the American Enterprise Institute, a conservative think tank. “And those are kind of rules of the road.”

The 20 measures are intended to make the most out of limited cash at any organization, from small businesses to Wall Street firms.

Members of the coalition include the U.S. Defense and Homeland Security departments, the Australian and U.K. governments, American Express, Booz Allen Hamilton, Citibank, Goldman Sachs, McAfee, MITRE, Symantec and Tenable.

The financial institutions, which helped update the controls, “I believe are all on the path to adopting them,” said Sager, who served as the chief operating officer of NSA’s information assurance division before departing.

During the next few years, if an organization fails to follow the basic controls and a data breach occurs, expect to see victims file lawsuits for negligence, experts who are now in the coalition have said. Already, shoe shoppers have sued because hackers allegedly accessed more than 24 million customer accounts by breaking into unprotected servers, exposing passwords and the last four digits of credit card numbers.

The Center for Strategic and International Studies published a baseline for the controls in 2009, calling it a “consensus document” validated by private security experts, the Defense Department and civilian federal agencies. The controls promoted Monday are the fourth revision of that baseline.

(Image via Johan Swanepoel/
