Industry group calls for public-private cybersecurity standards

The private sector also should play a role in self-regulating overall Internet security.

The federal government should establish minimum standards of cybersecurity for both public and private organizations, rather than focus primarily on requirements for protecting government computer networks, according to recommendations from an association of intelligence and security professionals.

A comprehensive cybersecurity plan, coordinated by the White House, should include a common set of standards that define the level of cyber defense private sector organizations apply to their computer systems and networks, scaled to the sensitivity of the information they hold, and that provide guidelines for assessing cyber preparedness, concluded a report from the Arlington, Va.-based Intelligence and National Security Alliance. INSA formed a task force with representatives from 26 companies to provide recommendations for a national cybersecurity plan to Melissa Hathaway, senior director for cyberspace for the administration's national security and homeland security councils. Hathaway is nearing the end of a 60-day review of federal cybersecurity initiatives that the Obama administration ordered.

Private sector organizations typically oversee their own network security, or follow industry standards for protecting information. Common standards for the public and private sectors would ensure a base level of security across all industries, said Frank Blanco, INSA's executive vice president. He added that the federal government could encourage compliance by soliciting input from industry on effective minimum standards.

"There's always the danger" that government recommendations will face pushback from industry, Blanco said. "But if industry and government are in a room together, talking about what the minimum standards should include and what that would mean for everyone involved, industry would be more receptive."

In the report, INSA pointed to the Capability Maturity Model as an example of a standard that grew out of a public-private partnership between the Air Force and Carnegie Mellon Institute. CMM was developed in the late 1980s as a tool for assessing best practices in software development, and has since evolved into a broader model for improving all types of processes across organizations.

The report identified two private sector cybersecurity efforts as offering the most potential for influencing the creation of minimum standards: the Consensus Audit Guidelines, which outline 20 security controls to prevent or quickly recover from known cyberattacks; and the Cyber Preparedness Levels, being developed by the MITRE Corp., which will provide metrics for establishing an effective cyber defense.

The biggest obstacle to private sector compliance with cybersecurity standards is cost, according to Blanco.

"There are any number of industries and companies that are spending the amount of money necessary to protect their assets from a cyberattack," he said. "Where it's more difficult is with the smaller companies that might not have the financial flexibility to protect themselves."

To regulate cybersecurity, INSA recommended that the federal government support a public-private relationship where private entities help set the terms and conditions for a secure framework for the Web. The report compared the role of industry in protecting cyberspace to the role of citizens in the local Neighborhood Watch, where they act in the "best interest of the public good" to enforce Internet security regulations.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group, called such a strategy of empowering the private sector to regulate cyberspace "neither effective nor entirely in the national interest," and reflective of "faith-based security, where the private sector says, 'Talk to us, trust us, we will do what is needed to keep the nation secure.'"

"Any government official who thinks he or she should even listen to people selling that idea in 2009 has not been awake for the past 18 months," Paller said.