As the number and sophistication of cyber attacks targeting government agencies and large private enterprises continue to increase, the Department of Homeland Security has released new risk management strategies for the nation’s critical IT infrastructure.
The strategies were released last month in an effort to raise awareness and help public and private enterprises better understand and respond to emerging threats and vulnerabilities. Specifically, they pertain to products and services, incident management and Internet routing and were developed in cooperation with the private sector-led Information Technology Sector Coordinating Council.
The release came a month after DHS issued a risk management strategy related to the Domain Name System (DNS), which enables Internet users to access Web pages and other online services by typing a text-based Web address instead of the more difficult-to-remember series of numbers, known as an Internet Protocol (IP) address.
In a written statement responding to Breaking Gov’s questions about the strategies, Nicole Dean, Acting Director of the National Cyber Security Division (NCSD) at DHS, said the intent of the strategies, which are based on a 2009 IT Sector Risk Assessment (ITSRA), “is to provide high level guidance and tangible approaches to improving security that organizations from both the public and private sectors can use within their organizations and help inform agency and enterprise risk management practices.”
However, “these measures are not prescriptive and are intended to be general, high-level recommendations,” according to the statement.
Reaction from industry has been mixed. While most private sector security professionals said they can appreciate any effort to raise awareness, the strategies appear to lack several critical components, including specific, actionable guidelines as well as incentives and details of current programs.
“These are better than past documents at getting the issues outlined and in decision-makers’ hands,” said Jose Nazario, Senior Manager of Security Research at Chelmsford, Mass.-based Arbor Networks. “However, they still lack some references for people to respond effectively.”
Eric Hemmendinger, Director of Managed Security Services for Tata Communications Ltd., a global networking company with offices in the United States, said he had the same impression of the strategy documents.
“What I saw in the strategies were fairly widely accepted and understood [security] frameworks,” said Hemmendinger. “What we haven’t heard about is what’s being done.”
If the documents contained actionable guidelines, progress reports could be expected from DHS over the course of the next six to 12 months, he added.
Edward A. Adams, President and CEO of the Wilmington, Mass.-based software security firm Security Innovation Inc., said a significant amount of thought and effort went into the strategies. However, as with past strategies, he questions whether they will be relevant a year from now.
“There have been many inter-agency and public-private partnerships that have produced plans and strategies in the past,” he said. “It just comes down to implementing that strategy, ensuring all parties understand and acknowledge that strategy and tweaking the strategy so that the pieces fit together and can evolve with the threat landscape.”
Adams sees some real value in how these new strategy documents address response.
“What it demonstrates is the acknowledgement that while you can have some type of uber-level of preparedness, bad things will still happen, and what matters is how you respond,” said Adams. “What it also shows is that DHS is really thinking beyond a reactionary methodology in how they approach security, and more about the entire process by which they can effectively measure their programs.”
Major General John Casciano (USAF-Ret.), an advisor to San Mateo, Calif.-based security vendor RedSeal Systems Inc., characterized the strategies as “a consensus document,” with something for everyone.
“Since the recommendations are voluntary, we can expect the industry participants to use it to argue for larger budgets to accomplish certain recommendations,” said Casciano. “Others will use it to show how they are already doing a great job.”
He added: “There is no enforcement…and no one seems to be talking about incentives, such as subsidies [and] tax benefits…so enterprises are free to cherry-pick.”
In her statement, Dean acknowledged the voluntary nature of the strategy guidelines.
“The activities are meant to be a starting point for organizations to address the evaluated risks from the ITSRA, or to complement their own risk management activities,” she said. “The strategies are not compulsory or binding; rather they provide a basis for public and private sector partners to work together to reduce risk across the Nation’s IT infrastructure.”
Dan Verton is an award-winning journalist and author specializing in homeland security issues, and a regular contributor to Breaking Gov.