U.S. and foreign government officials, along with antivirus companies and banks, have formed a coalition to push for the adoption of certain electronic safeguards that could help them all avoid data breach lawsuits.
Led by a 34-year veteran of the National Security Agency, the Consortium for Cybersecurity Action is proposing a set of 20 proven security controls for automatically immunizing computer systems.
“This is about priority,” said Tony Sager, who in June retired from NSA, the key Pentagon agency involved in network surveillance and code breaking. The 20 steps are “the most important defenses that every firm should put in place that are of greatest value.” He now works for the SANS Institute, a computer research and training center that helped develop the controls. Sager briefed reporters on the proposal Monday.
The Homeland Security Department has plans to incorporate the top five safeguards into packages of continuous monitoring tools that Congress recently funded for distribution to agencies in 2013. With the fortifications in place, agencies should have a near real-time picture of unauthorized devices connected to their networks; unapproved software on those devices; security configurations on smartphones, servers and other hardware; assessments -- plus repairs -- of vulnerabilities; and antivirus defenses.
“The government is laying the foundations,” said John Streufert, director of DHS’ national cybersecurity division. “We will also provide the specifications of those critical controls to any public or private organization who may want to use them,” he added, noting they are for “dealing with the worst problems first.”
In July, NSA Director Gen. Keith Alexander, Sager’s former boss, told lawmakers to consider incorporating the controls into cybersecurity legislation for the private sector. SANS has posted on its website a list of “the top 20 things that you ought to fix [on your network] if you’re in industry,” Alexander said during July 9 remarks at the American Enterprise Institute, a conservative think tank. “And those are kind of rules of the road.”
The 20 measures are intended to make the most out of limited cash at any organization, from small businesses to Wall Street firms.
Members of the coalition include the U.S. Defense and Homeland Security departments, the Australian and U.K. governments, American Express, Booz Allen Hamilton, Citibank, Goldman Sachs, McAfee, MITRE, Symantec and Tenable.
The financial institutions, which helped update the controls, “I believe are all on the path to adopting them,” said Sager, who served as the chief operating officer of NSA’s information assurance division before departing.
During the next few years, if an organization fails to follow the basic controls and a data breach occurs, expect to see victims file lawsuits for negligence, experts who are now in the coalition have said. Already, shoe shoppers have sued Zappos.com because hackers allegedly accessed more than 24 million customer accounts by breaking into unprotected servers, exposing passwords and the last four digits of credit card numbers.
The Center for Strategic and International Studies published a baseline for the controls in 2009, calling it a “consensus document” validated by private security experts, the Defense Department and civilian federal agencies. The controls promoted Monday are the fourth revision of that baseline.