Governments and companies band together to push cyber protections

U.S. and foreign government officials, along with antivirus companies and banks, have formed a coalition to push for the adoption of certain electronic safeguards that could help them all avoid data breach lawsuits.

Led by a 34-year veteran of the National Security Agency, the Consortium for Cybersecurity Action is proposing a set of 20 proven security controls for automatically immunizing computer systems.

“This is about priority,” said Tony Sager, who in June retired from NSA, the key Pentagon agency involved in network surveillance and code breaking. The 20 steps are “the most important defenses that every firm should put in place that are of greatest value.” He now works for the SANS Institute, a computer research and training center that helped develop the controls. Sager briefed reporters on the proposal Monday.

The Homeland Security Department has plans to incorporate the top five safeguards into packages of continuous monitoring tools that Congress recently funded for distribution to agencies in 2013. With the fortifications in place, agencies should have a near real-time picture of unauthorized devices connected to their networks; unapproved software on those devices; security configurations on smartphones, servers and other hardware; assessments -- plus repairs -- of vulnerabilities; and antivirus defenses. 
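As an added illustration, not code from the article, SANS or the consortium, here is how a monitoring pass against the five safeguards listed above might be scored: each observed device is checked for authorization, unapproved software, drift from a configuration baseline, overdue vulnerability fixes and antivirus status, and findings are ordered by control number so the worst problems surface first. The baseline values, MAC addresses and snapshot are constructed for the example.

```python
# Added example: score a constructed monitoring snapshot against the first
# five controls described above. Baseline and snapshot values are made up.
AUTHORIZED_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
AUTHORIZED_SOFTWARE = {"openssh", "nginx", "av-agent"}
CONFIG_BASELINE = {"ssh_root_login": "no", "auto_updates": "on"}
MAX_UNPATCHED_DAYS = 30  # assumed remediation window

# Constructed snapshot, as a continuous-monitoring feed might report it.
SNAPSHOT = [
    {"mac": "aa:bb:cc:00:00:01", "host": "web01",
     "software": {"openssh", "nginx", "av-agent"},
     "config": {"ssh_root_login": "no", "auto_updates": "on"},
     "open_vulns_days": [3], "av_running": True},
    {"mac": "aa:bb:cc:00:00:02", "host": "db01",
     "software": {"openssh", "ftpd"},
     "config": {"ssh_root_login": "yes", "auto_updates": "on"},
     "open_vulns_days": [45, 2], "av_running": False},
    {"mac": "aa:bb:cc:ff:ff:ff", "host": "unknown",
     "software": set(), "config": {}, "open_vulns_days": [], "av_running": False},
]


def evaluate(snapshot, authorized_devices=AUTHORIZED_DEVICES,
             authorized_software=AUTHORIZED_SOFTWARE,
             baseline=CONFIG_BASELINE, max_days=MAX_UNPATCHED_DAYS):
    """Return (control_number, host, finding) tuples, worst problems first."""
    findings = []
    for dev in snapshot:
        host = dev["host"]
        if dev["mac"] not in authorized_devices:
            # Control 1: nothing else reported by an unknown device is trusted.
            findings.append((1, host, "unauthorized device"))
            continue
        for pkg in sorted(dev["software"] - authorized_software):
            findings.append((2, host, f"unapproved software: {pkg}"))  # control 2
        for key, want in baseline.items():
            got = dev["config"].get(key)
            if got != want:  # control 3: configuration drift
                findings.append((3, host, f"config {key}={got} (expected {want})"))
        overdue = [d for d in dev["open_vulns_days"] if d > max_days]
        if overdue:  # control 4: assessment plus repair within the window
            findings.append((4, host, f"{len(overdue)} vulnerability open > {max_days} days"))
        if not dev["av_running"]:  # control 5
            findings.append((5, host, "antivirus not running"))
    return sorted(findings)


if __name__ == "__main__":
    for control, host, msg in evaluate(SNAPSHOT):
        print(f"control {control:2d}  {host:8s}  {msg}")
```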

“The government is laying the foundations,” said John Streufert, director of DHS’ national cybersecurity division. “We will also provide the specifications of those critical controls to any public or private organization who may want to use them,” he added, noting they are for “dealing with the worst problems first.”

In July, NSA Director Gen. Keith Alexander, Sager’s former boss, told lawmakers to consider incorporating the controls into cybersecurity legislation for the private sector. SANS has posted on its website a list of “the top 20 things that you ought to fix [on your network] if you’re in industry,” Alexander said during July 9 remarks at the American Enterprise Institute, a conservative think tank. “And those are kind of rules of the road.”

The 20 measures are intended to make the most out of limited cash at any organization, from small businesses to Wall Street firms.

Members of the coalition include the U.S. Defense and Homeland Security departments, the Australian and U.K. governments, American Express, Booz Allen Hamilton, Citibank, Goldman Sachs, McAfee, MITRE, Symantec and Tenable.

The financial institutions, which helped update the controls, “I believe are all on the path to adopting them,” said Sager, who served as the chief operating officer of NSA’s information assurance division before departing.

During the next few years, if an organization fails to follow the basic controls and a data breach occurs, expect to see victims file lawsuits for negligence, experts who are now in the coalition have said. Already, shoe shoppers have sued because hackers allegedly accessed more than 24 million customer accounts by breaking into unprotected servers, exposing passwords and the last four digits of credit card numbers.

The Center for Strategic and International Studies published a baseline for the controls in 2009, calling it a “consensus document” validated by private security experts, the Defense Department and civilian federal agencies. The controls promoted Monday are the fourth revision of that baseline.

(Image via Johan Swanepoel/
