U.S. government rarely uses best cybersecurity steps: advisers

WASHINGTON Fri Nov 22, 2013 1:43pm EST

WASHINGTON (Reuters) - The U.S. government itself seldom follows the best cybersecurity practices and must drop its old operating systems and unsecured browsers as it tries to push the private sector to tighten its practices, technology advisers told President Barack Obama.

"The federal government rarely follows accepted best practices," the President's Council of Advisors on Science and Technology said in a report released on Friday. "It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems."

PCAST is a group of top U.S. scientists and engineers who make policy recommendations to the administration. William Press, computer science professor at the University of Texas at Austin, and Craig Mundie, senior adviser to the CEO at Microsoft Corp, comprised the cybersecurity working group.

The Obama administration this year stepped up its push for critical industries to bolster their cyber defenses, and Obama in February issued an executive order aimed at countering the lack of progress on cybersecurity legislation in Congress.

As part of the order, a non-regulatory federal standard-setting board last month released a draft of voluntary standards that companies can adopt, which it compiled through industry workshops.

But while the government urges the private sector to adopt such minimum standards, technology advisers say it must raise its own standards.

The advisers said the government should rely more on automatic updates of software, require better proof of identities of people, devices and software, and more widely use the Trusted Platform Module, an embedded security chip.

The advisers also said that, for swifter response to cyber threats, private companies should share more data among themselves and, "in appropriate circumstances," with the government. Press said the government should promote such private sector partnerships, but that sensitive information exchanged in these partnerships "should not be and would not be accessible to the government."

The advisers steered the administration away from "government-mandated, static lists of security measures" and toward standards reached by industry consensus, but audited by third parties.

The report also pointed to Internet service providers as well-positioned to spur rapid improvements by, for instance, voluntarily alerting users when their devices are compromised.

To read PCAST's report, see r.reuters.com/ryq84v

(Reporting by Alina Selyukh; Editing by Vicki Allen)

Comments (2)
And could this be the reason why the health care website malfunctioned? mmmmmmmmmm…………just saying!

Nov 22, 2013 10:59pm EST
jimmiek wrote:
Upon reading the report, the council does not cite sources of their information. What policies were they looking at? To what lists are they referring? For example, if one takes NIST SP 800-53 as “the list” of security features to be implemented, then yes... it is just a list. However, within the list, processes are specified. Is this not the council’s recommendation? Further, the expectation is that government cyber sites implement the NIST SP 800-37 Risk Management Framework, which is in fact a best practice process for implementing Cyber Security on par with ITIL, unless you don’t think that ITIL is very good.

Then there is the comment about ISPs being in the best position to collect cyber security information and to distribute updates and so forth. Did the council look at the Trusted Internet Connection (TIC) program, which is exactly what they recommend? Hmmmmmm…. just saying…

Then there is the Einstein program which is integrated with the TIC program as a sort of StarWars for the Cybersphere…

Now, if they are saying that lots of government agencies don’t do this, maybe… except that the OMB and now DHS have an aggressive program to monitor which agencies are pursuing cyber security and which are not… BTW the CMS agency, the one that implemented healthcare.gov, received the second worst rating. Ouch! However, the OMB has required all agencies to report on Cybersecurity since 2003 because of FISMA 2002. There are goals set each year. The consequence of not achieving the goal is that funding can be cut, which is the Clinger-Cohen Act… hmmmmmmmm…

I’m not saying the report is not accurate. I’m saying there is no way to judge its accuracy since there are no references, specific agencies, or specific situations provided. The report is mostly unsubstantiated charges… hmmmmmmmm…

If these charges are true, then certainly the issues need to be addressed. But if the authors of the report are the best and brightest…. ??? well….. they don’t show it in the report.

Nov 25, 2013 4:57pm EST