A US-based research organisation has proposed a number of new regulations to improve the current state of cyber security.
The Cyber Secure Institute also offered its support for a series of related rules and incentives recently suggested by Congresswoman Yvette Clarke.
"We would stress that any such incentives must be tailored to meet the goal of driving technological change and a new cyber secure end state. They should not be available to offset just any new IT security spending — helping companies deploy more patches will not change our nation's level of security. Rather, such incentives should be available solely for the deployment of high-level certified, inherently secure technologies," the Institute said in a statement.
According to the organisation, previous efforts to improve cybersecurity have been limited and quite "marginal."
"[G]ains in cyber security to date have been marginal at best. At a time when we require bold action, we instead find ourselves caught up in a Sisyphean struggle – the endless cycle of hack and patch trying to fix legacy systems that are, at best, inherently insecure...Change will not come on its own, unprompted. To be blunt, we have tried the laissez-faire approach to cyber security and it has gotten us only so far, it is now time to drive technological progress."
To achieve "technological progress," the Cyber Secure Institute explained that future legislation should be:
- Based on the NIAP-NSA certification program, which offers an objective technology and performance-based evaluation process.
- Mandatory for both government and private sector critical infrastructure IT systems.
- Phased-in but within an expedited timeframe that recognizes the serious present-day threats.
- Action forcing, driving the adoption of next generation technologies.
- Comprehensive and strong, including, for example, oversight provisions to ensure such standards, once promulgated, are actually implemented.
- Accompanied by both transition and technical assistance.
"The benefits of this approach are substantial. Most importantly, baseline evidence and performance-based requirements will ensure a high-level degree of security for all the nation’s critical IT systems," added the Institute.
As The News previously reported, the US Department of Defense (DoD) recently announced its intention to develop capabilities that provided "global situational awareness of cyberspace, US freedom of action in cyberspace, the ability to provide warfighting effects within and through cyberspace, and, when called upon, provide cyberspace support to civil authorities."
The DoD emphasised that US national security remained inextricably linked to the cyberspace domain, where conflict was not limited by geography or time.
"The expanding use of cyberspace places United States' interests at greater risk from cyber threats and vulnerabilities. Cyber actors can operate globally, within our own borders, and within the borders of our allies and adversaries. The complexity and amount of activity in this evolving domain make it difficult to detect, interdict, and attribute malicious activities," said the report.