U.S. companies aren't doing enough to protect their IT systems from cyberattacks, according to a report released yesterday by the Computer Science and Telecommunications Board (CSTB), part of the Washington-based National Academy of Sciences.
"From an operational standpoint, cybersecurity today is far worse than what known best practices can provide," the CSTB said in the report, "Cybersecurity Today and Tomorrow."
"Even without any new security technologies, much better security would be possible if technology producers, operators of critical systems and users took appropriate steps," said the report. The CSTB is charged with providing independent advice to the U.S. government on technical and public policy issues relating to computing and communications.
Among the recommendations was that software and system vendors should drastically improve their products or be held liable for system breaches.
Meanwhile, many companies don't implement the necessary security because it's expensive, so firms tend to use as little security as they can get away with, the board said.
"Because serious cyberattacks are rare, the payoff from security investments is uncertain," said the report. "As a result, system and network operators tend to underinvest in security."
The CSTB said the harm from not implementing necessary security measures could be catastrophic, especially if a cyberattack were launched at the same time as a physical attack, such as a hijacking, that could endanger human life.
"A successful cyberattack launched on the air traffic control system in coordination with airliner hijackings could result in a much more catastrophic disaster scenario than was seen on Sept. 11, 2001," the CSTB said.
To prevent such attacks, the CSTB recommends that companies do the following:
-- Conduct frequent, random tests of their IT systems to determine the extent of their security vulnerabilities
-- Ensure that adequate information security tools are available and that all employees are properly trained to use them
-- Mandate the use of strong authentication mechanisms to protect sensitive or critical information and systems
-- Develop a fallback plan for a more secure operation when under attack and rehearse it regularly
The suggestions the board had for system vendors include the following:
-- Develop tools to monitor systems automatically for consistency with defined secure configurations and to enforce these configurations; the tools must promptly and automatically respond to changes that result from attacks
-- Provide well-engineered schemes for user authentication based on hardware tokens, which would be more secure and more convenient for users than current password systems
-- Develop a few simple blueprints for secure operations that users can follow. One example is to ship systems with security features already turned on, since most organizations lack the expertise to do this properly on their own
-- Conduct more rigorous testing of software and systems for security flaws before releasing their products
The board also recommended that legislators make laws to hold software and system vendors liable for system breaches and require those vendors to report security breaches that could be a threat to society.
Eric Hemmendinger, an analyst at Boston-based Aberdeen Group Inc., said he agrees that companies aren't doing enough to protect themselves from cyberattack, but he also said the issues raised by the CSTB aren't new.
"Companies are more concerned with risk management than with risk elimination. When they make determinations about how to spend money on security, they determine what their comfort zone is," he said. "But this report is not news."
Pete Lindstrom, an analyst at Hurwitz Group Inc. in Framingham, Mass., said he agreed with the assertion that people can do more with security in their environments than they are doing today. They choose not to because it consumes much needed resources, he said.
"It's hard, tedious work, and everyone is not willing to put in the [necessary] effort," he said. "It's easier to pay lip service to security." Lindstrom added that when companies look at the ways in which they need to manage their environments, security takes a back seat.
Russ Cooper, an analyst at TruSecure Corp. in Reston, Va., said there are several reasons that businesses don't implement the necessary security. Those reasons include the expense, lack of technical experience and lack of knowledge regarding the various ways their systems could be hacked. Another reason is that when employers install new security measures, they sometimes close off users' access to certain functions, such as the ability to send and receive attachments with e-mail messages.