Rethinking Cybersecurity from the Inside Out


After four years of research and development, NIST has published a groundbreaking new security guideline that addresses the longstanding problem of how to engineer trustworthy, secure systems—systems that can provide continuity of capabilities, functions, services, and operations during a wide range of disruptions, threats, and other hazards. In fact, I think that Special Publication 800-160, Systems Security Engineering, is the most important publication that I have been associated with in my two decades of service with NIST.

I want to share what led me to this conclusion.

The Current Landscape

The United States, and every other industrialized nation, is experiencing explosive growth in information technology. These technological innovations have given us access to computing and communications capabilities unparalleled in the history of mankind.

These rapid advancements, and the dramatic growth in consumer demand for them, are occurring alongside a revolutionary convergence of cyber and physical systems, or cyber-physical systems (CPS). The worldwide distribution of these technologies has resulted in a highly complex information technology infrastructure of systems and networks that are difficult to understand and even more difficult to protect.

Today, we are spending more on cybersecurity than ever before. At the same time, we are witnessing an increasing number of successful cyberattacks by nation states, terrorists, hacktivists, and other bad actors who are stealing our intellectual property, national secrets, and private information. Unless we make some kind of radical change to the way we think about and fight these attacks, they are going to have an increasingly debilitating—and potentially disastrous—effect on the economic and national security interests of the United States.

The Basic Problem Is Simple

Our fundamental cybersecurity problem can be summed up in three words—too much complexity. There are simply too many bases—all the software, firmware, and hardware components that we rely on to run our critical infrastructure, business, and industrial systems—for us to cover as it is, and we’re adding to the number of bases all the time.

Increased complexity translates to increased attack surface—providing adversaries a limitless opportunity to exploit vulnerabilities resulting from inherent weaknesses and deficiencies in the components of the underlying systems that we have built and deployed. We can characterize this predicament as the N+1 vulnerabilities problem.

According to the Defense Science Board 2013 study done for the U.S. military, there are vulnerabilities that are known; those that are unknown; and those created by your adversaries after they have taken control of your system. Given this reality, there are vulnerabilities that we can find and fix, and a growing number of vulnerabilities that we cannot detect and that therefore remain unmitigated.

While we are making significant improvements in our reactive security measures, including intrusion detection and response capabilities, those measures fail to address the fundamental weaknesses in system architecture and design. These weaknesses can only be addressed with a holistic approach based on sound systems security engineering techniques and security design principles. This holistic approach will make our systems more penetration-resistant; capable of limiting the damage from disruptions, hazards, and threats; and sufficiently resilient so they can continue to support critical missions and business functions after they are compromised.

Engineering-Based Solutions

We have a high degree of confidence our bridges and airplanes are safe and structurally sound. We trust those technologies because we know that they were designed and built by applying the basic laws of physics, principles of mathematics, and concepts of engineering. If bridges were routinely collapsing and airplanes were frequently crashing, the first people we would call would be the scientists and engineers. They would do root-cause failure analysis, find out what went wrong, and fix the problem.

Cybersecurity efforts today are largely focused on what is commonly referred to as “cyber hygiene.” Cyber hygiene includes such activities as inventorying hardware and software assets; configuring firewalls and other commercial products; scanning for vulnerabilities; patching systems; and monitoring.

While practicing good cyber hygiene is certainly necessary, it’s not enough. This is because these activities don’t affect the basic architecture and design of the system. Even if we were to achieve perfection above the water line, we would still be leaving our most critical systems highly vulnerable due to our inability to manage and reduce the complexity of the technology.

The only way to address the N+1 vulnerabilities problem is to incorporate well-defined engineering-based security design principles at every level, from the physical to the virtual. These principles should be driven by mission and business objectives, stakeholder protection needs, and security requirements of the individual organization. While those solutions may not be appropriate in every situation, they should be available to those entities that are critical to the economic and national security interests of the United States including, for example, the electric grid, manufacturing facilities, financial institutions, transportation vehicles, medical devices, water treatment plants, and military systems.

A National Strategy Focused on Trustworthy Systems

Today, the cybersecurity threats to our government, businesses, critical infrastructure, industrial base, and people are as severe as threats of terrorism or the threats we experienced during the Cold War.

Overcoming these threats will require a significant investment of resources and the involvement of government, industry, and the academic community. It will take a concerted effort on a level we haven’t seen since President Kennedy dared us to do the impossible and put a man on the moon over a half century ago.

We can do it again, but the clock is ticking and the time is short. Creating more trustworthy, secure systems requires a holistic view of the problems, the application of concepts, principles, and best practices of science and engineering to solve those problems, and the leadership and will to do the right thing—even when such actions may not be popular.

I think that NIST Special Publication 800-160 is the first step we need to take toward securing the things that matter to us. It will be a grand challenge, but we Americans have a long history of achieving the impossible.


About Author

Ron Ross

Ron Ross is a computer scientist and Fellow at the National Institute of Standards and Technology. He specializes in cybersecurity, risk management, and systems security engineering. Ron is a retired Army officer who, when not defending cyberspace, follows his passion for NASCAR and takes care of his adopted rescue dog, Sophie.

5 Comments

  1. I admire the great work of Dr. Ross. As Michael Sheaver pointed out above, this requires a huge cultural change. There must be a way to take advantage of this by taking advantage of existing environments, such as mature IT Service Management Frameworks already in place. I suggest this be a topic of collaboration, with a focus on business value, for the purpose of establishing reasonable and prudent approaches.

    With a focus on reasonableness and prudence, while keeping an eye on business value, this can move forward at a more natural pace, or in DoD terms a ‘battle rhythm’. The Global Forum for Advanced Cyber Resilience, gfacr.org, is interested in seeing how an organization utilizing the foundational building blocks associated with our international participants in cyber resilient IT Service Management (ITSM) can take advantage of the work to become more resilient. Our focus is on this very large and internationally recognized homogeneous domain. We are in the process of creating public and private collaborative events associated with this topic. Contact us if you are interested.

  2. I would like to meet and talk to Ron Ross. Having more frameworks to try and make us do what we do, but much better, is not the answer. Changing the asymmetry of cyber warfare requires a new way of thinking altogether. Think Denial-of-Attacks as the ultimate defense.

  3. This is a great step forward and good work. I would have liked to see Appendix J completed as the Software Assurance aspects are very important to designing secure systems.

  4. Michael Sheaver

    Quite honestly, this will require a huge cultural change, and one thing that I personally think is badly needed in order to help this is to implement a board certification program for software engineers, network engineers, DBAs, etc. We would never think of entrusting our health to a doctor who is not board certified and has gone through many years of training and apprenticeship. We would never consult a lawyer who is not board-certified. We would never trust an architect who is not board certified to build any structure on which our lives depend. The same goes for engineers, dentists, CPAs, etc.

    Until we get to the point where we, the consumers, are demanding that the software that drives our lives be designed, engineered, tested and certified by board-certified professionals, I am afraid that the ideas outlined in 800-160 will never be implemented in the way that they need to be.

    I am also afraid that we will never get to the point where consumers are demanding board certification for all software engineers until a major series of catastrophic events occurs that significantly impacts the availability of these IoT systems, or impacts their pocketbooks. Until then, don’t hold your breath and hope that these ideas will be implemented on a global scale.

  5. I was one of your guests at NIST’s Forensics Conference.

    I loved it very much. I found NIST to be quite an important organization to our government as well as to the entire scientific community as a whole.
    This is also why the contributions of each of us as scientists have been and must always be necessary, because of the threat that we are facing: the occurrence of cyber crime. It must be prevented, because cyber crime “occurs when information technology is used to commit or conceal an offense. Computer crimes include:

    Unauthorized access by insiders and employee misuse of Internet access privileges, theft of proprietary information, financial fraud, sabotage of data or networks, viruses (which are the leading cause of unauthorized users gaining access to systems and networks through the internet), system penetration from outside, and denial of service.” For me these are golden rules that we must consider, to be able to minimize computer crimes.
