California Says Companies Should Embrace NSA-developed Data Protections

The state of California has put companies on notice that they should be following a basic set of 20 information security controls developed by the U.S. government's top code breakers.

Many of the 657 data breaches California businesses and agencies reported during the past four years could have been prevented or at least more rapidly triaged had the protections been in place, according to a new state audit.

"The set of 20 controls constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet," California Attorney General Kamala Harris, a Democrat, said in the February breach analysis.

California was the first state to require that agencies and companies notify the attorney general of breaches affecting more than 500 state residents.

"The failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security," Harris said.

Apple and other Silicon Valley entities currently sparring with the FBI over a court order to weaken encryption protections on a terrorist’s iPhone might find it peculiar that state authorities want them to consult the National Security Agency for security advice.

The basic security steps include, among other things, taking an inventory of IT devices, making sure security settings are appropriate, updating software -- or "patching vulnerabilities."

NSA in 2008 started developing the original list of key controls for internal use only, according to federal historical materials. The Pentagon assigned NSA the task of prioritizing the myriad recommended security controls in the field -- because of its knack for hacking. At the time, a philosophy in many information security circles was that "offense informs defense.”

NSA decided the Defense Department could not protect the nation if society's communications, power and banks were not also protected. Because the spy agency had long partnered with the nonprofit Center for Internet Security and the SANS Institute training center, NSA agreed to share its attack information with the organizations and other outside experts so all sectors could benefit from the threat intelligence.

The controls are listed chronological order. For instance, the seventh control (installing email and Web browser protections) cannot be deployed until the first control is done (inventorying devices).

The precautions apply to businesses of all sizes. Harris noted that a set of tools for carrying out the first five controls has been customized for small organizations.

Tony Sager, who helped pick and rank the protections as the then-NSA vulnerability analysis and operations chief, said in a statement, "The controls are especially effective because they are built against actual attack data."

After retiring from NSA in 2012, he now holds leadership positions at both CIS and SANS and continues to refine the controls.

"They are continually updated by a global cybersecurity community of experts to ensure they contain the most important steps to take first to strengthen cyber defenses," Sager said.

A 2013 survey conducted by SANS suggests the controls have not yet entirely caught on in the government or the key sectors. Only 10 percent of the 699 security professionals polled felt they had done a complete job of following all of the techniques that apply to their organizations.