Page 24 - GCN, Aug/Sept 2017

CYBER RESILIENCE
Executive Viewpoint
ONE-ON-ONE WITH RON ROSS
Fellow at the National Institute of Standards and Technology (NIST) and leader of the Federal Information Security Management Act Implementation Project shares his views on building cyber-resilient systems.
SPONSORED CONTENT
RON ROSS
FELLOW, NIST
Ron Ross recently spoke with Francis Rose, host of Government Matters on ABC 7 and News Channel 8, about how agencies need to look beyond simply protecting systems and data and instead consider how the enterprise responds to the constantly evolving threat landscape.
Rose: What are agencies and industry missing as they go about building the most cyber-resilient systems possible?

Ross: We’re building a powerful and complex information technology infrastructure. You can see the direction we’re going by the convergence of computers and physical systems. The buzzword you hear a lot is the “Internet of Things.” That represents the vast deployment of computers, driven by firmware and software, in almost everything that you can imagine. Whether it’s critical infrastructure or otherwise, there’s this massive infusion now of computers bringing this world to great new heights as far as capability, productivity and all the things that we enjoy with this wonderful new technology.
In the ocean, there are things below the waterline you can’t see. And there are things above the waterline you can see very clearly. A lot of the cyber work we’re doing today doesn’t reach below the waterline. That’s where industry plays a major role, because they’re the ones building the hardware, the software, the systems and all the things upon which we depend.
Rose: IT leaders within the government have reached the point of recognition that they will be hacked. How can they ensure their systems are resilient enough to recover?
Ross: Most CIOs and CISOs worry about things above that waterline. We know from the empirical data we’ve gathered over more than two decades: there are certain percentages of adversaries that get into your system and do damage. How do you limit the damage they can do? Let’s use the OPM breach as an example. Let’s say they have 21 million records. In many cases, the adversary penetrates one system and then works its way in through privilege escalation. To protect those records, you may have some design decisions. One would be to decide on a mandate like: “The only records that are going to be accessible to our field agents are those that they have to work on every day—just one-tenth of one percent of the records. Everything else is going to be taken offline, or into a different domain.”
It’s not just personal information records. It’s information pertaining to intellectual property, national security, and economic security. That’s why all the things we’re working on at NIST with regard to cybersecurity issues are so important, because of this great dependence on the technology.
Rose: What do you expect to be the biggest resilience questions government will ask, both about its own security and in policy making?

Ross: We’re working against a society compelled to use technology because it’s so powerful and affordable. You combine those two factors and people will tend to buy and use a lot of it. We’re trying to encourage people to do the right thing—to build in security. At the same time, we realize we live in an imperfect world where you can’t have 100 percent confidence or assurance in every system or every component.
This interview continues at carahsoft.com/innovation/Ross