Experts tackle guidance to stop cyberattacks

A new group is developing guidelines that would focus on strategies to fix vulnerabilities most often exploited to breach information and network security.

A group of information security analysts in government and industry plans to publish guidance within six months identifying the most effective protections against the vulnerabilities most often exploited in cyberattacks, according to John Gilligan, president of the Gilligan Group and former chief information officer of the Air Force and Energy Department, who leads the effort.

The ultimate goal of the group, which has not yet been named, is to get the Office of Management and Budget to revise its security guidance and for agencies to incorporate those guidelines, Gilligan said Nov. 21 at a security conference sponsored by 1105 Government Information Group, which publishes Federal Computer Week. The guidelines would help agencies decide which controls to implement and measure in next-generation security assessments, he said.

Agencies currently conduct and document certification and accreditation of their major computer systems to comply with the Federal Information Security Management Act. OMB directs agency inspectors general to evaluate that documentation to determine whether the systems meet security requirements. That process still does not give agencies assurance that their information is secure, Gilligan said. “FISMA has the right objectives. But agencies spend a lot for security with little confidence that it is effective,” he said. The guidelines would establish measures and activities that give CIOs more confidence in their agencies' security, he said.

The security experts come from agencies including the Defense, Justice, Homeland Security and Energy departments, the National Security Agency and the Government Accountability Office. They are combining their knowledge to define the most important defensive investments CIOs could make in cybersecurity, Gilligan said. “People on this list understand offense and already have experience with attacks,” he said. Gilligan said he anticipates a preliminary view of the guidelines in February.

For example, when Gilligan was the Air Force's CIO, NSA found that 80 percent of the service's vulnerabilities were due to incorrectly configured commercial software. Gilligan said he worked with NSA, other federal agencies and Microsoft to create the Standard Desktop Configuration for the Air Force, which OMB later adopted governmentwide as the Federal Desktop Core Configuration.

After the consensus guidelines are published for public comment and revision, the Chief Information Officers Council plans to review them. If they are acceptable, the council will ask OMB to revise its guidance so that the controls highlighted in the consensus guidelines are used to measure FISMA compliance, said Alan Paller, research director at the SANS Institute.

The guidelines would define the security controls best suited to stopping an attack or helping an agency quickly recover from known attacks, and would provide real-world examples of those attacks, he said. They would also describe how to validate the effectiveness of those controls, typically through automation such as a software tool, Paller said. Agencies should pay more attention to correcting known risks to the security of the agency's mission, he said. “If you know the known bads, fix them. Don’t do just compliance. Know how they got in and stop them; know how they got in, find them,” Paller said.