The federal government is spending billions of dollars annually combating attacks on U.S. computer networks and information resources. However, it does not appear to have firm criteria for how government agencies and owners of critical infrastructure should go about selecting providers of cybersecurity services. That’s a problem, because the cyber business is full of companies that lack the depth, breadth and commitment to cope with the kind of online attacks that countries like China are mounting. This week, the Lexington Institute is releasing a study that identifies the core requirements cybersecurity providers must meet if they are to successfully support federal efforts to guard the nation’s vital networks against disruption or subversion. Here is a brief summary of the study’s findings and link to the full text.
Findings In Brief
The information revolution has transformed every facet of commerce and culture, including the military enterprise. Unfortunately, it has also empowered extremists, criminals and agents of enemy nations who can use cyberspace to subvert or destroy information resources vital to U.S. security. The federal government has launched a comprehensive cybersecurity initiative to counter such threats. The most advanced, persistent threats are posed by state-sponsored perpetrators, especially those operating in China and Russia.
The federal government has made major strides in developing defenses against cyber espionage and aggression. However, its efforts are impeded by the changing character of threats and the infancy of techniques for addressing them. The absence of agreed standards and metrics for assessing performance sometimes leads federal agencies to select cybersecurity providers who lack the breadth and depth to cope with all potential threats. The government cannot sustain a truly comprehensive cybersecurity posture unless its top providers satisfy five core requirements:
1. Situational awareness. Capable providers must be able to precisely monitor the performance of information systems and networks they are protecting, predicting and/or detecting threats based on extensive understanding of adversary behavior. Awareness of dangers must be shared with potential victims in time for them to minimize harm, and providers must then be able to assess the success of remedial actions.
2. Full-spectrum skills. A comprehensive cybersecurity posture requires providers with expertise and experience in the full array of relevant skills. That includes all the major disciplines associated with computer-network defense, computer-network attack, and computer-network exploitation. Without an integrated understanding of all the necessary skills, federal providers cannot deploy the full panoply of tools needed to counter advanced threats.
3. Operational agility. The pace of activity in cyberspace requires providers that are extremely agile in responding to new threats. Ideally, those providers should be able to apply their situational awareness and full-spectrum skills to anticipate danger before it actually occurs, but at the very least they must have the capacity to detect, analyze, isolate and defeat enemy moves quickly, even when the threat is a “zero-day” attack with no previous history.
4. Organizational maturity. Maturity models are used in many fields to assess organizational effectiveness in applying best practices. In the cybersecurity arena, such models can be used to assess both government preparedness and the practices of outside providers. Mature solutions to cyber challenges typically stress values such as affordability, scalability and technical readiness. Companies capable of providing those solutions tend in turn to have mature cultures stressing retention of talent, continuous training, and diverse expertise.
5. Enterprise commitment. Cybersecurity is an infant industry with many recent entrants. The commitment of some providers to the business is hard to gauge. However, it is not feasible to fashion comprehensive responses to cybersecurity challenges unless customers and providers alike are committed to the mission. The commitment of providers can be determined by assessing how long they have been in the business, how deeply they have invested in talent, and how extensive their collaborative ties are with other centers of expertise.
This report was written by Dr. Loren Thompson of the Lexington Institute staff as part of the institute’s continuing inquiry into the changing requirements of national security.
Find Archived Articles: