Infosecurity

US cybersecurity guidlines under attack

By Robin Hicks | 11 August 2009

A new set of guidelines on cybersecurity released by the National Institute of Standards and Technology (NIST) in the United States has fallen short of the protection needed for government systems, a cybersecurity analysis group has warned.

View photos

Related Articles

• New US cyber security detection system raises privacy concerns
• UK launches cybersecurity agency
• US cyber warfare policy under attack

Related Categories

• INFOSECURITY

From this Section

• NEWS

The guide lines (to be found at www.nist.gov/public_affairs/techbeat) for non-classified data at civilian agencies, leave many federal IT systems out of the highest security requirements, the Cyber Secure Institute (CSI) noted.

Federal systems rated as low- or moderate-impact targets would have security controls not designed to stand up to skilled and well-resourced hackers, CSI said.

“So called high-end threats are now the norm not the exception,” reads the report. “Federal and private sector IT professionals increasingly report that the attacks they confront on a regular basis are from highly skilled, highly motivated and well-resourced actors - ranging from the Russian mob, to the Chinese military, to organised cyber-criminals.”

The problem is that many sensitive federal systems would fall into the moderate-impact category, including systems containing information related to “extremely sensitive” investigations at federal law enforcement agencies, said Rob Housman, acting executive director at CSI.

The NIST recommendations require low- and moderate-impact systems to be secure only against unsophisticated threat, or “the proverbial teenager vanity hacker hacking away in the basement,” the CSI report continued.

But Ron Ross, a senior computer scientist and information security researcher at NIST, said CSI’s critiques seem to be based on a misunderstanding of the NIST guidelines. Firstly, the NIST guidelines are minimum standards, and individual agencies must do risk assessment and tailor the guidelines to their needs, he said.

Federal agencies are required to categorise their own systems, and high-impact systems would be those that have a “severe, catastrophic effect” if they are lost, Ross said. “Those baselines [in the NIST recommendations] are minimum starting points for agencies. The implication should not be there that that’s a sufficient set of controls against some of the types of attacks that we’re seeing.”