A new bill that would direct federal scientists to come up with a short list of cybersecurity best practices for consumers, businesses and federal agencies is sparking concern from some observers, who fret it will reinvent the wheel, create confusion, and fail to be effective because best practices are widely ignored.
The legislation, which has bicameral and bipartisan support, would mandate scientists at the National Institute of Standards and Technology to partner with the Department of Homeland Security and the Federal Trade Commission to create concise, voluntary guidelines for basic online security measures, dubbed “cyber-hygiene.”
Critics say there are already several existing lists of best practices, including the Top 20 and Top 5 Security Controls lists maintained by the nonprofit Center for Internet Security.
“I am all for improving hygiene, but this bill will have no positive impact, and because it will create another set of ‘best practices’ it will actually cause damage by confusing organizations about what needs to be done first,” said Alan Paller, the director of research for the SANS Institute — a training and membership organization that first developed the Top 20 Controls list.
Too much noise
“The world is awash in best practices,” agreed Phil Reitinger, CEO of the Global Cyber Alliance, “and there is a risk that more can increase the cacophony. I also worry about unintentionally undermining broadly used and effective best practices, including the CIS Controls.”
But the plethora of existing best practices and security recommendations is exactly the point, notes Megan Stifel, a former Justice Department cybersecurity official who now works with consumer advocacy group Public Knowledge.
“Companies and consumers don’t know which list they should be using,” she told CyberScoop. “The bill certainly wouldn’t duplicate any ongoing federal project,” she added.
Reitinger agreed that there was “value” in a single approach from the federal government — providing a baseline for regulators, if nothing else. “That would, for example, likely preclude an FTC unfair trade practice case for entities complying with the best practices.”
“But,” he told CyberScoop, rather than starting a new list from scratch, “to me, it would be better to adopt an existing, expert-based set of best practices, like the CIS Controls.”
Stifel argues that the bill — if it is eventually signed into law — would increase transparency: “Going through the process [of interagency and public consultation] will be an opportunity for a transparent public dialogue” about what the most important security measures are, she told CyberScoop.
“It would be a step forward,” she said. “It’s obviously not a silver bullet.”
CIS President and COO Steven Spano said his group would support legislation that encouraged the use of tried and tested security practices.
“Good cyber hygiene will help mitigate a substantial number of known vulnerabilities,” he told CyberScoop via email. “The CIS Controls … help public and private sector organizations start secure and stay secure.”
Forcing the feds to collaborate
The new bill would also provide a “forcing function” for federal agencies to collaborate, said Stifel. “NIST can’t make the FTC sit down with them for a conversation about this, but Congress can.”
Making that conversation happen, she said, “will hopefully provide, like the NIST Framework did, a really positive outcome.”
Stifel said she still had some questions about the bill, however. “It’s hard to have a one-size fits all list” of security measures that would work for consumers, small businesses, multinational giants and federal agencies, which seems to be what the bill envisages, she acknowledged.
Other critics also questioned the efficacy of best practices in themselves. The bill “will have absolutely no impact whatsoever on the problem” of getting businesses to improve their cyber-hygiene, attorney Michael Overly, of Foley & Lardner LLP, told SC Magazine.
“For the last twenty years, two of the most fundamental precepts of good information security practices have been: (i) prompt patch management for security issues; and (ii) proper employee training. Notwithstanding the fact that every single treatise, white paper, best practice, industry group, security standard, etc. has made clear that those two practices form the foundation of good security … some businesses are not taking the necessary steps,” he said.
Stifel acknowledged that “existing best practices out there haven’t been implemented as widely as we need them to be.” But she added she believed the bill ought to include a mandate for a study about why that was.
In the Senate, S.1475 — “A bill to provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes” — was introduced last week by Sen. Orrin Hatch, R-Utah, chairman of the powerful Finance Committee, and Sen. Ed Markey, D-Mass., a veteran of tech-policy debates.
The House version, H.R.3010, the Promoting Good Cyber Hygiene Act of 2017, was introduced earlier in June by California Democrat Anna Eshoo and Indiana Republican Susan Brooks. Eshoo introduced similar legislation in 2015, but it went nowhere in Congress. Now, with a companion bill in the Senate backed by Hatch, its passage chances look much better.
The bill would give NIST a year to consult with the other agencies and publish drafts for public comment before finalizing the guidance, which should give special consideration to “emerging technologies and processes that provide enhanced security protections, including multi-factor authentication, data loss prevention, micro-segmentation, data encryption, cloud services, anonymization, software patching and maintenance, phishing education, and other standard cybersecurity measures to achieve trusted security in the infrastructure.”
The resulting guidelines would be reviewed and updated annually.