WASHINGTON, Nov 22 - The U.S. government itself
seldom follows the best cybersecurity practices and must drop
its old operating systems and unsecured browsers as it tries to
push the private sector to tighten its practices, technology
advisers told President Barack Obama.
"The federal government rarely follows accepted best
practices," the President's Council of Advisors on Science and
Technology said in a report released on Friday. "It needs to
lead by example and accelerate its efforts to make routine
cyberattacks more difficult by implementing best practices for
its own systems."
PCAST is a group of top U.S. scientists and engineers who
make policy recommendations to the administration. William
Press, computer science professor at the University of Texas at
Austin, and Craig Mundie, senior adviser to the CEO at Microsoft
Corp, comprised the cybersecurity working group.
The Obama administration this year stepped up its push for
critical industries to bolster their cyber defenses, and Obama
in February issued an executive order aimed at countering the
lack of progress on cybersecurity legislation in Congress.
As part of the order, a non-regulatory federal
standard-setting board last month released a draft of voluntary
standards that companies can adopt, which it compiled through
But while the government urges the private sector to adopt
such minimum standards, technology advisers say it must raise
its own standards.
The advisers said the government should rely more on
automatic updates of software, require better proof of
identities of people, devices and software, and more widely use
the Trusted Platform Module, an embedded security chip.
The advisers also said that, for a swifter response to cyber
threats, private companies should share more data among
themselves and, "in appropriate circumstances," with the
government. Press said the government should promote such
private sector partnerships, but that sensitive information
exchanged in these partnerships "should not be and would not be
accessible to the government."
The advisers steered the administration away from
"government-mandated, static lists of security measures" and
toward standards reached by industry consensus, but audited by
The report also pointed to Internet service providers as
well-positioned to spur rapid improvements by, for instance,
voluntarily alerting users when their devices are compromised.
To read PCAST's report, see