Just before Thanksgiving, the President’s Council of Advisors on Science and Technology (which has among its membership luminaries such as Eric Schmidt of Google and Shirley Ann Jackson, the President of Renssalaer Polytechnic Institute) issued a report on “Immediate Opportunities for Strengthening the Nation’s Cybersecurity.” Here’s the Executive Summary highlights (though the whole report is worth reading):
Overarching Finding: Cybersecurity will not be achieved by a collection of static precautions that, if taken by Government and industry organizations, will make them secure. Rather, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.
Finding 1: The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems.
Finding 2: Many private-sector entities come under some form of Federal regulation for reasons not directly related to national security. In many such cases there is opportunity, fully consistent with the intent of the existing enabling legislation, for promoting and achieving best practices in cybersecurity.
Finding 3: Industry-driven, but third-party-audited, continuous-improvement processes are more likely to create an effective cybersecurity culture than are Government-mandated, static lists of security measures.
Finding 4: To improve the capacity to respond in real time, cyberthreat data need to be shared more extensively among private-sector entities and—in appropriate circumstances and with publicly understood interfaces—between private-sector entities and Government.
Finding 5: Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action.
Finding 6: Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches.
I find myself in wild agreement with almost all of this. Savvy observers will quickly note that almost none of it is anything we are actually doing today.