In a notice published this week in the Federal Register, the National Science Foundation’s National Coordination Office for Networking and Information Technology Research and Development (NCO/NITRD) announced three new federal cybersecurity research themes that represent a response to a challenge in the President’s Cyberspace Policy Review to identify research strategies that focus on “game-changing” technologies and approaches to securing cyberspace. The three themes identified by NITRD include:
NITRD has scheduled a kickoff event for the new R&D themes on May 19, and has also published a more detailed set of recommendations related to these proposed research areas. In general, the themes appear to be logically consistent with the general push towards situational awareness and continuous security monitoring, although the idea of not just watching protected environments but regularly, proactively adjusting the security profile of those environments to make reconnaissance and attack more difficult is a pretty extreme contrast to the predominant approaches grounded in formal control baselines and static configurations that change little between accreditation dates. The concept of variable, purpose-driven security and trust models might also be considered a drastic departure from current federal information security guidance, which doesn’t distinguish among security provisions needed for different systems and environments beyond a high-level qualitative (high, moderate, low) security categorization.
While there appears to be no shortage of consideration in the current administration or Congress for addressing privacy practices in some contexts in the United States, efforts to strengthen personal privacy protections seem to be gaining momentum in Europe. Since the formation of the new European Commission, whose term runs from 2010 to 2014, numerous public statements by commissioners have indicated the group’s interest in bringing privacy laws into the 21st century, potentially including revising or updating key data protection laws, such as the 1995 Personal Data Protection Directive. Commissioner Viviane Reding suggested earlier this year that if social networking sites like Facebook continued to alter privacy practices in ways that fail to protect users’ personal information, they could find themselves subject to new regulation. Those comments were partly in response to Facebook’s December 2009 changes to its default data sharing settings, changes which this week prompted the Article 29 Data Protection Working Party to write a letter to Facebook calling the company’s actions “unacceptable.”
The coalition government that resulted from the recent U.K. national election has also given notice that it will move forward with a radical privacy agenda, elements of which would include altering or halting several formerly government-backed initiatives. Notable among these are:
The new coalition government appears mindful of the complexity of some of these privacy issues, and of the challenges in both political and technical terms with effecting such changes, but seems fully committed to reversing what it sees as inappropriate infringement of civil liberties under the former Labour government.
The results of the recently released (ISC)2 sponsored report, The 2010 State of Cybersecurity from the Federal CISO’s Perspective, suggest a pervasive distrust of U.S. legislators by federal Chief Information Security Officers, based in large part on a perceived lack of understanding of agency missions and the security measures needed to protect them, and on insufficient funding allocated to information security. In contrast, the same group of survey respondents reported relatively high levels of satisfaction with two of the government’s highest profile security initiatives, the Einstein intrusion detection and prevention program and the Trusted Internet Connection (TIC) initiative, despite the slower than expected progress made on both of these efforts. As accurately noted by GovInfoSecurity.com’s Eric Chabrow, neither the dissatisfaction with Congress nor the relatively positive view of Einstein and TIC is hard to understand. Congress has a long history of writing security-focused legislation replete with vague yet mandatory requirements, often deferring to the market or to executive branch agencies like NIST to supply the technical details needed to implement the objectives in the laws. (The irony persists that FISMA and most other major security legislation applies only to executive branch agencies, not to the IT environments of the House or Senate.) Despite multiple bills introduced in both houses of Congress that would seek to strengthen the provisions of FISMA in particular and federal governance of IT security in general, CISOs apparently are less interested in the politics that are becoming more and more a part of their jobs, maintaining instead a genuine interest in improving agency security posture and in finding ways to combat the growing and diversifying number of threats to their data and systems.
From this perspective government-wide security programs like Einstein (the operation of which would be greatly facilitated by the TIC-driven reduction of government connection points to the Internet) are attractive not least because the individual agencies would not be responsible for much of the operational support for them. Compared to the immense (and arguably poorly spent) resources agencies put into FISMA compliance, a move towards at least some security measures that span all agencies provided in a common fashion is a nice change of pace from the underfunded mandates CISOs are so used to getting handed down from Congress.
Under the administrative safeguard provisions of the HIPAA Security Rule, covered entities are required to perform a risk analysis, specifically to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” (45 CFR §164.308(a)(1)(ii)(A)) While this has been a requirement for HIPAA-covered entities since the security rule went into effect in 2005, it has received renewed attention due to stronger enforcement provisions in the HITECH Act and its inclusion as the single security-related measure in the “meaningful use” rules under which eligible healthcare providers and professionals can qualify for financial incentives to acquire and implement electronic health record (EHR) technology. Following the passage of the HITECH Act, HHS delegated responsibility for enforcement of the security rule to the HHS Office for Civil Rights (OCR); OCR was already responsible for enforcement of the HIPAA Privacy Rule. Part of OCR’s enforcement role includes issuing guidance to covered entities on compliance with the requirements in the Security Rule, and OCR recently published new draft guidance on risk analysis. This may be informative for covered entities in general, and should represent at least a starting point for providers and professionals seeking to demonstrate meaningful use.
The draft guidance issued by OCR relies in large part on references to existing risk management and risk assessment approaches and guidelines contained in several NIST Special Publications, only one of which is specific to HIPAA (Special Publication 800-66, Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule). The most relevant of these NIST guidance documents are Special Publication 800-30, Risk Management Guide for Information Technology Systems, and Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. The HHS Office of the National Coordinator (ONC) also produced a security practice guide for small health care practices in 2008 that serves as a sort of primer for health care providers who need to understand the basic security considerations relevant to their practices, and includes a number of references to more detailed information and guidance materials. Although the ONC small practice guidance document is linked from the new OCR draft guidance, health care practices of any size should not rely on the ONC document alone, as it does not reflect considerations related to the HITECH Act, including meaningful use.
One limitation of the existing government guidance applicable to risk analysis is that substantially all of it is written in a way that focuses on risk assessments of individual information systems, not on organizations overall. This limitation is important because the risk analysis requirement under the HIPAA Security Rule is not limited to systems used by covered entities, but instead addresses risks to any protected health information held by the organization. It seems reasonable to assume that despite the emphasis of the meaningful use rules on EHR systems, the scope of a risk analysis conducted to satisfy the meaningful use measure should address all potential risks to health information the organization holds, not just the data associated with an EHR system. Also, as is likely not lost on private sector health care organizations, there are many sources of risk management and risk analysis guidance outside of materials produced by the U.S. federal government, notably including the ISO/IEC 27000 series of international standards, which covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 and the risk assessment section of ISO/IEC 27002. Organizations looking for more enterprise-level perspectives on assessing and managing risk can find relevant guidance in ISO 31000, in major IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT, or in the Risk Management section of the Information Technology Infrastructure Library (ITIL).
No sooner had the Federal Information Security Amendment (FISA) Act (H.R. 4900) cleared the House Oversight and Government Reform Committee’s Subcommittee on Government Management, Organization and Procurement than another cybersecurity bill was introduced and referred to the Committee. Among other provisions, FISA would require agencies to begin continuous information systems security monitoring to ensure compliance with FISMA and to provide more operational awareness of threats and vulnerabilities, and would create a Federal Cybersecurity Practice Board to establish government-wide information security processes and oversee agencies’ implementation of those standard defenses. In contrast to this oversight model, the newly introduced Executive Cyberspace Authorities Act (H.R. 5247) would not only require agencies to demonstrate and report on their compliance with FISMA, but would penalize agencies (in the form of withholding budget approval) whose efforts to protect their information technology are deemed insufficient by the Director of the National Cyberspace Office.
In parallel to these legislative activities, OMB and the Department of Homeland Security are moving ahead with new FISMA reporting requirements, under which agencies must start using the online Cyberscope reporting system by November of this year. It’s not entirely clear how monthly reporting of summary data similar to what agencies currently report would produce the sort of “continuous monitoring” described in Appendix G of the revised NIST Special Publication 800-37 and also emphasized in the new draft version of Special Publication 800-53A released last week, but any movement away from annual (or triennial, if you consider system accreditation) point-in-time control documentation would be an improvement. It also seems feasible that OMB would get better, not just more frequent, security reports if the multiple overlapping bills currently under consideration are combined and reconciled with the newly proposed metrics that emphasize real-time monitoring of security configuration, remote access, incidents, and other operational characteristics.