The President’s Council of Advisors on Science and Technology (PCAST) released a less-than-flattering report on the federal government’s lax approach to network security, stating that “the federal government rarely follows accepted best practices… for its own systems.”
The report warned that “static protective mechanisms are no longer adequate” and that the government should lead by example by adopting “protective processes that continuously couple information about evolving threats to defensive reactions and responses.”
PCAST is a White House advisory group of leading scientists and engineers, appointed by the President, that makes policy recommendations on science, technology, and innovation to aid in the creation of good policy measures.
Other key findings from PCAST include:
- Many private-sector entities come under some form of Federal regulation for reasons not directly related to national security. In many such cases there is opportunity, fully consistent with the intent of the existing enabling legislation, for promoting and achieving best practices in cybersecurity.
- Industry-driven, but third-party-audited, continuous-improvement processes are more likely to create an effective cybersecurity culture than are Government-mandated, static lists of security measures.
- To improve the capacity to respond in real time, cyberthreat data need to be shared more extensively among private-sector entities and—in appropriate circumstances and with publicly understood interfaces—between private-sector entities and Government.
- Internet Service Providers are well-positioned to contribute to rapid improvements in cybersecurity through real-time action.
- Future architectures will need to start with the premise that each part of a system must be designed to operate in a hostile environment. Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches.
The full report is available here (PDF)…