NASCAR, NASA and the secret to cybersecurity

One is a storied federal agency, the other a source of entertainment for millions. One races into space, the other races at breakneck speeds around a track. What do NASA and NASCAR have in common?

They probably have a better approach to managing risk and security than you do.

At both organizations, risk management and security are huge parts of their respective missions. A failure to protect NASA's networks could have disastrous effects; a failure to provide drivers with adequate security could be deadly. As a result, both groups build in those top priorities right at the front – and not as an afterthought, as is all too common at many departments scrambling to protect their IT assets.

"Our problems are bureaucratic, institutional, systemic. Integrating security into architecture, system development lifecycle, systems engineering process and acquisition – those four areas would go a long way into enhancing cybersecurity," said Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology. "When you get to the point where security is done because people recognize it's central to the mission and success, then we've crossed that Rubicon and we're looking at security not as a cost, but more as an investment in our productivity, survivability and everything needed to compete today."

Of course, that may be easier said than done. Today the word "investment" alone will stop program leaders in their tracks because it means money – a precious resource in a climate of sequestration and budget cuts. But that climate itself is a stepping stone to better cybersecurity, Ross said.

"Program managers and mission and business owners care about schedule, cost and performance. So how do you get all of this started?" he said. "You have to look for forcing functions to start down the road to 'thinning the herd,' or reducing complexity. The current declining budget and frustrations we're enduring at the federal level is a great forcing function for reducing the costs of IT infrastructure."

As it happens, society as a whole – including the government – are swimming in IT. It's cheap, it's powerful and as a result everyone actually has more of it than is really needed, Ross noted.

"Studies show a lot of what we procure, we never deploy or use effectively. This is where to focus on simplifying architecture: When you use things like enterprise architecture, you by very definition consolidate, standardize and optimize the IT infrastructure," he said. "You build a leaner and meaner IT infrastructure. That simpler architecture provides more efficient services, is less expensive to deploy and maintain, and provides security professionals a better opportunity to protect what we own and deploy."

But how can departments and companies get to that improved architecture? As at NASA, security professionals need to have a seat at the table, whether that is a board room or the boss's office. All too often those in charge of information security – the ones overseeing the architecture and IT infrastructure – are not part of decision-making.

"NASA builds their spacecraft with integrated project teams; every stakeholder sits around the table and the mission doesn't move forward until every stakeholder has given a thumbs up. Our security teams and people need to be stakeholders at the table in order to integrate the important cybersecurity concepts, principles and technologies into the systems early in the lifecycle – and not as an afterthought," Ross said.

If threats and security are part of the plan from the very beginning, operators have a much better chance at resiliency when they do come under attack, or in the case of NASCAR, experience a high-speed crash. That survivability is a key metric for determining the strength of a department's defenses.

"In our business, when you talk about risk management and risk assessment, you deal with four things: threats, vulnerabilities, impact to the organization if threats are exploited and how likely threats are to be exploited," Ross said. "In NASCAR, their threat is the 200-mph race car potentially hitting the wall. NASCAR doesn’t sit around wringing their hands about the threat. They can't reduce the speed; they wouldn't have any fans in the stands. So they build the threat into the business model."

The result, which came after the  2001 death of Dale Earnhardt Sr. in a fiery crash at the Daytona 500: NASCAR officials designed a piece of equipment called the head and neck safety device, and since they instituted that, no driver has died from a neck injury sustained in a race, Ross said.

While the safety device successfully addressed a critical NASCAR vulnerability, it is not exactly the same as employing enterprise architecture at a major government agency, where the stakes involve many more people and less tactile threats.

But the vignette underscores the need for departments to move beyond patching systems, configuring firewalls and locking down components. Those are all important housekeeping duties, Ross said, but they do not go far enough.

"We can control only what we can control. We can't control the threat or the adversary or the attacks. What we can control is how we build and architect our systems to be stronger and more penetration-resistant," he said. "I'm passionate about integrating that into enterprise architecture, with the security team working right there as a partner ensuring security controls are in place. Until we do that, security will be an afterthought."