New Gov't Cyber Guidelines Lacking, Group Says
A new set of cybersecurity guidelines, released by the U.S. National Institute of Standards and Technology (NIST), falls short of the protection needed for government systems, a cybersecurity analysis and advocacy group said.
Fri, August 07, 2009
IDG News Service — A new set of cybersecurity guidelines, released by the U.S. National Institute of Standards and Technology (NIST), falls short of the protection needed for government systems, a cybersecurity analysis and advocacy group said.
The NIST guidelines for nonclassified data at civilian agencies, released July 31, leave many federal IT systems out of the highest security requirements, the Cyber Secure Institute said. Federal systems rated as low- or moderate-impact targets would have security controls not designed to stand up to skilled and well-funded hackers, the group said in a critique published this week.
"So called high-end threats are now the norm not the exception," CSI said in its report. "Federal and private sector IT professionals increasingly report that the attacks they confront on a regular basis are from highly skilled, highly motivated and well-resourced actors -- ranging from the Russian mob, to the Chinese military, to organized cyber-criminals."
The problem is that many sensitive federal systems would fall into the moderate-impact category, including systems containing information related to "extremely sensitive" investigations at federal law enforcement agencies, said Rob Housman, acting executive director at CSI. Electronic health data also would appear to fall into the moderate-impact category, he said.
"If an IRS [Internal Revenue Service] investigation isn't the sort of thing that you want to have a higher degree of protection against a sophisticated attacker, I don't know what is," said Housman, who served as assistant director for strategic planning in the White House Drug Czar's Office and who teaches counter-terrorism and homeland security classes at the University of Maryland. "In almost all my conversations with both public- and private-sector CIOs, CISOs and others, what they're telling that they see is ... sophisticated hackers."
The NIST recommendations require low- and moderate-impact systems to be secure only against unsophisticated threat, or "the proverbial teenager vanity hacker hacking away in the basement," the CSI report said.
But Ron Ross, a senior computer scientist and information security researcher at NIST, said CSI's critiques seem to be based on a misunderstanding of the NIST guidelines. First of all, the NIST guidelines are minimum standards, and individual agencies must do risk assessment and tailor the guidelines to their needs, he said.
Federal agencies are required to categorize their own systems, and high-impact systems would be those that have a "severe, catastrophic effect" if they are lost, Ross said. "Those baselines [in the NIST recommendations] are minimum starting points for agencies," he said. "The implication should not be there that that's a sufficient set of controls against some of the types of attacks that we're seeing."
