Page 84 - FCW, May/June 2018
ADAPTIVE RESPONSE
EXECUTIVE VIEWPOINT

A Conversation with RON ROSS
Fellow, National Institute of Standards and Technology

The NIST computer scientist discusses upcoming guidelines for strengthening the resiliency and privacy protections of agencies’ IT systems

“How do we have systems that can continue to support critical missions and business operations after they’ve been attacked?”

What new NIST guidelines can help agencies develop a more adaptive approach to cyberthreats?

We’ve been working on a new publication, and we’ve moved up the release date by about a month because of the urgency of it. It’s NIST Special Publication 800-160, Volume 2, and it’s titled “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems.” We plan to release the initial public draft on March 21.

The publication looks at the fact that we’re deploying computers into lots of critical places and talks about how we can deal with advanced persistent threat — those high-level adversaries with lots of resources, lots of capabilities, lots of skills who are constantly attacking our critical systems.

How do we have systems that are cyber resilient, which means they can operate after they’ve been attacked and have the resilience to continue to support critical missions and business operations? That’s probably one of the most important questions that we’re going to deal with in the next couple of years.

When we try to protect systems today, there are three major objectives we try to do. We harden the target. That would be doing some basic things like two-factor authentication, encryption, access control mechanisms. Most of these things are reflected in the NIST security controls.

We know that even if an agency is doing everything right, sometimes adversaries still get in. So the second thing we focus on is trying to limit the damage they can do once they’re in. One way to do that is by not allowing them to move laterally or making it very difficult for them to move. The other way is to limit their time on target through virtual machine technology, where you’re refreshing the software on a regular basis.

The third thing is you try to make the system what we call survivable or resilient, which means it can operate even while under attack. It may be a little bit degraded at some point, but it’s not catastrophic.

What we’re trying to do with this publication is deal with cyber resiliency. How do we arrange things, and what kind of things can we do? What strategies can we put into place to make that system difficult to get into and then difficult to bring the whole house down? That’s the bottom line.

Obviously, we want the industry to be able to implement some of those best practices to build more trustworthy, secure components and systems. But for agencies, 90 percent of our stuff is already installed. What do you do with all that?

This document is going to give people strategies for that as well because agencies aren’t going to get rid of everything as they modernize.

Why is an adaptive approach to cybersecurity important?

I’m not sure everybody is prepared for the world that we’re starting to emerge into in the 21st century. Most of us look at computers, smartphones, tablets or laptops as a black box. You are interacting
S-76 | SPONSORED CONTENT