Officials: How much security is enough?

In the White House situation room and in corporate boardrooms, people debate how much information security is enough — without reaching consensus. But a panel of national security experts said today that federal standards can help minimize the risk of a disruptive cyber event.

Standards that the National Institute of Standards and Technology is developing provide the basics of due diligence for federal agencies and businesses, said Ronald Ross, a senior computer scientist and information security researcher at NIST. He spoke today at an event in Washington, D.C., sponsored by the Wall Street Journal.

Businesses are not required by law to follow those information security standards, but Ross said many are doing so voluntarily because they can reduce the risk of a major cyber incident disrupting companies' business.

The federal standards include one for categorizing information systems assets based on whether their loss would pose a high, medium or low risk to the agency or business. Ross said people are spending too much time and money to protect low-risk systems and not enough on high-risk systems.

He said NIST will soon issue another federal standard requiring specific security settings and controls for protecting low-, medium- and high-risk systems.

Roger Cressey, president of Good Harbor Consulting and a former counter-terrorism official, said the Homeland Security Department was slow to focus on cybersecurity vulnerabilities. To an extent, he added, the department is still reactive and “preparing to prevent the last attack.”

But Cressey said DHS Secretary Michael Chertoff has correctly adopted a risk management approach to the country’s cyber vulnerabilities. Whether Chertoff can gain support in Congress and elsewhere for that approach remains to be seen, Cressey said.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.