NIST looks to reengineer thinking about cyber

The National Institute of Standards and Technology is set to release an overhauled systems security engineering document it hopes will change the way software and computer designers think about cybersecurity.

An updated draft of NIST's 800-160 document will be released for public comment on May 4. According to its lead author, Dr. Ron Ross, the new 800-160 will kick off a difficult discussion over not only how federal agencies approach cybersecurity, but also how U.S. business and general population should think about it -- not just as an add-on, but as an foundational component of any technology that touches the Internet.

It's become too difficult to cover every possible point of entry into a system, Ross said at an April 27 event hosted by FCW; hackers constantly find ways around technical barriers. What is required, he said, is to build systems that have the capability to limit cyberattackers' ability to penetrate or move around – and to engineer those features into technology from the outset.

"If an airplane crashes, or a bridge collapses, the first people we bring in are engineers," he said. But with cyber, "we go out and collect more threat intelligence."

That's not an approach that will stop attackers who are constantly changing methods, or leveraging tried-and-true malware and other attacks to exploit flawed systems, Ross said.

The document, officially titled NIST Special Publication 800-160: Systems Security Engineering, has been overhauled from its two-year-old original draft. The new iteration takes a more holistic approach to cyber defense. It incorporates International Organization for Standardization systems engineering standards, including 30 different processes aimed at building security capabilities into products, services and systems.

The new 300-page draft, which Ross hopes to finalize by the end of 2016 with input from federal, state, local and commercial sources, begins by recommending that systems be designed with initial input from users. That input can bring more information to bear on precisely what kinds of access is needed by which users, delineates which parts of the system are most in need of protection and other fundamental security aspects, he said.

There will be a two-month comment period on the document, and possibly a second draft in the fall, before the final version is completed at the end of the year, Ross told FCW in an interview after his remarks.