It is a truism that compliance with IT security regulations and security are not the same thing. In fact, my colleague, Josh Corman, is on a personal crusade to talk about the ill effects our blinkered focus on compliance can have on security. As one CISO told Josh, "I might get hacked, but I will get audited!"
But with some luck, we may hear less of this kind of compliance chatter. There is evidence of a sea change in the thinking about security readiness, both in the federal government and among leading industry groups. Nowhere is that more evident than in the increasing calls for better metrics and IT security testing as part of compliance efforts.
Government IT security watchers point to an April 21 memo from the White House's Office of Management and Budget (OMB) as an example of the new thinking. That memo on information security rules, signed by federal CIO Vivek Kundra and Cybersecurity Coordinator Howard Schmidt, changes the guidelines that agencies must follow to comply with reporting requirements under the Federal Information Security Management Act (FISMA) of 2002.
The memo instructs agencies to be able to "continuously monitor security-related information" across their organizations in a way that is "manageable and actionable." Furthermore, it calls for annual IT security testing of information systems used by a federal agency or federal contractor to ensure proper security controls are in place. The testing, based on National Institute of Standards and Technology guidelines, involves making risk-based assessments of the various IT assets used by an agency or contractor, baselining security controls (both logical and physical) for those assets and then monitoring those controls.
The OMB also requires agencies to provide real-time compliance data through an integrated security management system. The system must cover IT inventory, hardware, software, systems and services, external connections and identity management, as well as security training and awareness. This is a shift toward actionable compliance reports and away from paper-based reporting.
However, according to Tom Kellermann, a vice president for security awareness at Boston-based Core Security Technologies Inc., the OMB memo is smaller in scope than any of the dozens of cybersecurity-related bills being debated on Capitol Hill.
"Agencies now have to benchmark, in an automated fashion, the effectiveness and assurance of their security controls," he said. That's a huge shift in thinking from a world of cyberdefenses -- the "castles, walls and moats," as Kellermann calls them -- to dynamic protections that change with attacks and can be proven effective through rigorous penetration testing, red teaming and other assays.
It's not hard to find evidence pointing to a greater focus on risk-based assurance and resiliency to attack. The military and government agencies have long been subject to "advanced persistent threats" -- a term coined by the U.S. Air Force and thought to euphemistically refer to China.
Recent attacks on high-profile companies like Google Inc., Adobe Systems Inc. and Juniper Networks Inc. by hackers believed to have links to the Chinese military underscore the degree to which state-sponsored entities and other "adaptive persistent adversaries" have set their sights on a far broader list of targets than just the government, military and defense contractors. They also illustrate how sophisticated attackers with discrete objectives are now the focus of cyberdefense.
Adaptive adversaries require better security information and tighter correlation of that information against knowledge of existing vulnerabilities and remedies. Still, too many regulations continue to focus on the deployment of layered but static defenses, rather than on dynamic ones. The OMB guidance changes that paradigm, focusing attention on what military folks like to call "situational awareness" of attacks, rather than on adherence to a checklist.
President Barack Obama made cybersecurity a top priority of his administration upon taking office in January 2009. Most notably, he ordered a top-down review of cybersecurity and appointed Howard Schmidt cybersecurity czar in December. Just recently, the president announced a new governmentwide coordinator for cybersecurity, along with an initiative to remake the government's cybersecurity function and focus on interagency coordination and greater public-private partnerships on cybersecurity.
But deck-chair shuffling is nothing new, and this is hardly the first effort to whip Washington's notoriously tangled bureaucracy into shape. On Capitol Hill, a bevy of competing cybersecurity bills in the House and Senate appear stalled. With real legislative changes to the nation's cybersecurity still a ways off, OMB's new guidance on FISMA compliance and IT security testing may be the biggest step in establishing more effective cybersecurity in 2010.