A new set of cybersecurity guidelines, released by the U.S. National Institute of Standards and Technology (NIST), falls short of the protection needed for government systems, a cybersecurity analysis and advocacy group said.
The NIST guidelines for nonclassified data at civilian agencies, released July 31, leave many federal IT systems out of the highest security requirements, the Cyber Secure Institute said. Federal systems rated as low- or moderate-impact targets would have security controls not designed to stand up to skilled and well-funded hackers, the group said in a critique published this week.
"So-called high-end threats are now the norm not the exception," CSI said in its report. "Federal and private sector IT professionals increasingly report that the attacks they confront on a regular basis are from highly skilled, highly motivated and well-resourced actors -- ranging from the Russian mob, to the Chinese military, to organized cyber-criminals."
The problem is that many sensitive federal systems would fall into the moderate-impact category, including systems containing information related to "extremely sensitive" investigations at federal law enforcement agencies, said Rob Housman, acting executive director at CSI. Electronic health data also would appear to fall into the moderate-impact category, he said.
"If an IRS [Internal Revenue Service] investigation isn't the sort of thing that you want to have a higher degree of protection against a sophisticated attacker, I don't know what is," said Housman, who served as assistant director for strategic planning in the White House Drug Czar's Office and who teaches counter-terrorism and homeland security classes at the University of Maryland. "In almost all my conversations with both public- and private-sector CIOs, CISOs and others, what they're telling me that they see is ... sophisticated hackers."
The NIST recommendations require low- and moderate-impact systems to be secure only against unsophisticated threats, or "the proverbial teenager vanity hacker hacking away in the basement," the CSI report said.
But Ron Ross, a senior computer scientist and information security researcher at NIST, said CSI's critiques seem to be based on a misunderstanding of the NIST guidelines. First of all, the NIST guidelines are minimum standards, and individual agencies must do risk assessment and tailor the guidelines to their needs, he said.
Federal agencies are required to categorize their own systems, and high-impact systems would be those that have a "severe, catastrophic effect" if they are lost, Ross said. "Those baselines [in the NIST recommendations] are minimum starting points for agencies," he said. "The implication should not be there that that's a sufficient set of controls against some of the types of attacks that we're seeing."
Some agencies being targeted by U.S. adversaries will have to take additional steps to protect their computer systems, Ross said.
There is some risk that agencies work only to the minimum, Ross said. But he called the new NIST guidelines "the broadest, the richest, and the deepest set of controls ... anywhere in the world." The U.S. Department of Defense and intelligence agencies worked with NIST on this set of guidelines, he said.
If NIST were to follow CSI's recommendations, every security control in the guidelines would be recommended for every federal information system, Ross said. "Clearly, that'd be extremely expensive, and it'd be overkill for many of the systems that we do have," he said. "Every control you put into a system ... is going to cost the agency money."
In addition, the guidelines will continue to evolve, Ross said. While the White House Office of Management and Budget will set up the timeline for agencies to comply with this third version of the NIST cybersecurity guidelines, NIST will continue to refine the recommendations, he said.
Housman acknowledged that budget is a big issue for federal agencies. And even though he said the NIST recommendations don't go far enough, he called them a "big step forward" from past efforts.
However, U.S. President Barack Obama, in a late May speech, called for an end to the cybersecurity status quo, Housman added.
"This is a sort of a status-quo plus, which I call hack and patch," he said. "We've become complacent. We accept the fact that there are going to be hacks, and they're going to be successful, and we're going to have to patch them."