What can organizations do to build more secure networks and systems? That’s a question Dr. Ron Ross tackles daily in his role as a fellow at the National Institute of Standards and Technology (NIST). With a focus on information security and risk management, Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, an initiative that develops security standards for the federal government, for its contractors, and for the country’s information infrastructure as a whole.
Dr. Ross will bring his expertise to the upcoming Public Sector Cybersecurity Summit 2015, where he’ll discuss, “Systems Security Engineering: The Path to More Trustworthy and Resilient Systems.” Here’s a sneak peek of some of Dr. Ross’s talking points, including some surprising facts about ways to strengthen cybersecurity.
WashingtonExec: What’s the primary takeaway of your upcoming talk?
Ron Ross: The primary goal of the presentation is to show people the latest special publication that we [NIST] are working on, which is attempting to fully integrate cybersecurity into the mainstream organizational and developmental processes within organizations. It really goes to the heart of what we need to do to protect ourselves in the 21st century with respect to the types of cyber threats that are out there – and the way that we currently build our products and systems to carry out our missions or business operations day-to-day. Ultimately, it takes a systems security engineering approach to accomplish those objectives, using an international standard as the foundation of that work.
WashingtonExec: Why should government contractors pay particular attention?
Ron Ross: Everybody in the country, and for that matter worldwide, depends on information technology today for their mission and business success. Everyone is concerned about protecting themselves and operating in a fairly high-risk environment. Government contractors serve the federal government; they serve state and local governments; and they have hundreds of thousands of customers in the private sector. When contractors help the government do a better job of protecting our systems, it also helps their private sector customers improve their cybersecurity posture, since we are all using basically the same information technology.
WashingtonExec: What’s one of the most surprising facts about cybersecurity?
Ron Ross: Many people think that most [cyber]attacks, especially the big breaches, are due to sophisticated advanced persistent threats launched against the United States and our public and private companies. But a lot of these attacks are based on very simple things that are being compromised.
Just doing some of the fundamentals that we consider “cyber hygiene” — like doing a comprehensive inventory of all of the hardware and software components on your systems and networks; making sure your configuration settings are applied to all of the different components that you purchase and deploy; and then patching your systems as quickly as possible — could shut down an attack or greatly reduce your susceptibility to an attack.
WashingtonExec: What capabilities is the government buying more of to boost cybersecurity?
Ron Ross: The federal government is certainly investing heavily in the Continuous Diagnostics and Mitigation program that the Department of Homeland Security is leading. That program offers many new technologies that are helping us understand, in near real-time, the current security state of our systems and networks, so we can close down critical vulnerabilities, understand when we’ve been hit, and respond quickly and appropriately in those situations.
WashingtonExec: What areas of cybersecurity should contractors invest more of their dollars in?
Ron Ross: If I were a contractor today, knowing that my customers are in both the public and private sector, just investing in good developmental processes – secure coding techniques and systems security engineering methodologies that we’ve known about for 40 years – [can] bring better products and systems to customers. I think that message needs to get out — not just [among] IT vendors but [among] more companies involved in bringing this kind of discipline and structure to the software and systems development processes. That’s really the primary focus of the [upcoming] Security Engineering publication, NIST SP 800-160 — to show how these general processes can be applied using the processes that a company would itself select and implement within its own organization. We are not trying to tell people what process to use. We just want to encourage government and industry to have a process and follow it. When they do that, they will reduce their susceptibility to cyberattacks.
WashingtonExec: Is that the biggest takeaway that you would like to impart?
Ron Ross: That is the biggest takeaway – just doing the fundamentals that we know have to be done. I use this analogy quite often. Since I live in the DC area, I cross bridges all the time, and whenever I go across a bridge or I fly in an airplane, I really have a lot of confidence that everything is going to be OK. The reason I have that confidence is that I know there were competent engineers who did the designing and competent construction crews building those bridges and airplanes. We have to try to apply those same fundamental techniques to building our software products and systems, because we depend upon those products and systems almost 100% today for everything we do, whether it is in our personal or professional lives. Having dependable information technology is at the core of our mission and business success in both the public and private sectors.
Hear Dr. Ron Ross’s upcoming talk, “Systems Security Engineering: The Path to More Trustworthy and Resilient Systems,” at this year’s Public Sector Cybersecurity Summit.