One of the issues I have with standards is that they often take on a life of their own – different from what their authors intended – and, eventually become stale checklists that rob energy and innovation from operations and products. So it is refreshing to see how the National Institute of Standards and Technology (NIST) is (and has been for several years) aggressively reviewing and re-inventing guidance for cyber based on how the government and the nation are performing in the cyber fight. And leading the charge in this cyber standards renewal by NIST is Dr. Ron Ross – an icon in the cybersecurity field. I am extremely grateful to Dr. Ross for providing my first interview for Active Cyber™ over three years ago on the important ramifications of the Risk Management Framework which he originated. Now Dr. Ross is back to share his insights into how we as a nation, as companies, as government agencies, and as everyday consumers of things electronic must re-examine and reconfigure our cyber protection strategies moving forward. And we can get help from NIST who is tying together a variety of guidance and developing new approaches to ensure we have the right strategy along with the tactical focus to meet the growing cyber challenges head-on. So please check out the Active Cyber™ interview with Dr. Ross below to learn more about this new multi-dimensional strategy and guidance from NIST.
Spotlight on Dr. Ron Ross
» Title: Dr. Ron Ross, Fellow, National Institute of Standards and Technology (NIST)
» Website: csrc.nist.gov
» LinkedIn: linkedin.com/in/ronrossecure
» Twitter: twitter.com/@ronrossecure
» Email: firstname.lastname@example.org
Read his bio below.
November 27, 2018
Chris Daly, Active Cyber: In 2016, NIST released the first in a series of systems security engineering publications (known as the SP 800-160 series). What was the motivation for developing these publications?
Dr. Ron Ross, NIST Fellow: Having been involved in cybersecurity for almost thirty years and observing the continuing devastation and disruptions from an ever-increasing number of cyber-attacks on the public and private sectors, it was time to pursue a new direction in cyber defense and return to some fundamental, time-tested concepts and principles for protecting our systems and networks. For the last four decades, our defensive cyber strategy has been largely one-dimensional, looking at reactive capabilities after systems are deployed and focusing primarily on penetration resistance or “hardening the target.” Over the years, a variety of frameworks, controls, programs, processes, and technologies were developed to stop adversaries at the front door—that is, at the perimeter or boundary of the system. But this one-dimensional strategy, which is necessary for defense-in-depth and successful much of the time, fails us on a regular basis, resulting in many effective and very damaging cyber-attacks that exfiltrate sensitive information, bring down mission essential capabilities of organizations, and insert (i.e., preposition) malicious code in critical systems for future attacks and requiring response and recovery activities. To date, these cyber-attacks have been very costly to the Nation, with the loss of trillions of dollars in intellectual property, the compromise of critical defense and intelligence information, and the theft of years of R&D investments in new technologies. Moreover, the massive convergence of cyber and physical systems, including the new world of the “Internet of Things” (IoT), has made our U.S. critical infrastructure more vulnerable than ever to these continuing attacks. This has become a true existential threat to our national and economic security interests. So, given the current cyber threats and the highly complex systems that are being developed and deployed into every sector of the critical infrastructure, we wanted to capture and make available over forty years of knowledge and best practices in systems security engineering—with the ultimate objective of providing guidance to government, businesses, and citizens on how to design, develop, acquire, and deploy more trustworthy, secure and resilient systems, components, applications, and services.
Active Cyber: What does that new cyber defense strategy look like?
Dr. Ross: The new cyber defense strategy is a multi-dimensional strategy that builds on the first dimension of penetration resistance and adds two additional dimensions. The second dimension focuses on limiting the damage adversaries can do once they have successfully penetrated the system and now have an active presence in the IT infrastructure as is the case with advanced persistent threats (APT). Adversaries need time to be able to cause harm and they need to be able to move laterally through the system or hop from system to system until they reach the target of opportunity. So, for example, the use of virtualization technologies and techniques, including micro-virtualization, can significantly reduce the adversaries’ “time on target” by compartmentalizing and rapidly changing system components—with the net effect of “churning the IT infrastructure” faster than the adversaries can exploit vulnerabilities in the system and do damage. Alternatively, employing a robust system security architecture that implements the concepts of domain separation, network segmentation, and strong domain authentication can promote a “zero trust” environment that makes it extremely difficult for adversaries to move laterally through the system and do damage. Both approaches limit the damage adversaries can do either through an exfiltration attack or an attack to bring down mission capability. And finally, the third dimension builds on penetration resistance and damage limitation to achieve system and cyber resiliency—meaning the system has the innate capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises—and continue to operate even in a degraded or debilitated state. All three dimensions in the cyber defense strategy depend on the use of best practices in systems security engineering—which is ground zero for the new NIST SP 800-160 series of publications.
Active Cyber: So, how did we end up in this extremely vulnerable position today with a complete dependence on untrustworthy software and systems?
Dr. Ross: Well, the situation we are in today did not happen overnight. It’s a good news, bad news story. The good news is that we are living in an age of unprecedented technological advancement and innovation. The information technology is more powerful and affordable than at any time in our 242-year history. We are consuming the technology as fast as the industry can produce it and demanding more and more functionality as computers are literally being pushed to “the edge” in every type of device or consumer product imaginable—from automobiles to dishwashers to medical devices to smart phones. This vast expansion of the IT infrastructure has resulted in systems and components with an unprecedented level of complexity—billions of devices, trillions of lines of code in software and firmware, and terabytes of valuable information being collected and saved in mass storage devices. All that complexity that produces the great technology and drives innovation and productivity also provides a vast and ever-expanding “attack surface” for adversaries. From the consumers perspective, it’s just a “black box.” Whether it’s a smartphone, tablet, laptop computer or smart refrigerator, the complexity of the system stack which includes applications, middleware, operating system software, firmware, and the integrated circuits in the computer chips, is largely invisible to the consumer. And so, no one really understands what goes on inside the black box—we just don’t know what we don’t know. Therefore, the complexity becomes the number one threat to our systems and networks because adversaries can choose the time, the place, and the intensity of the attacks and basically have free reign within our critical systems and networks to search for and discover new vulnerabilities or exploit known vulnerabilities. And because the technology is so good and compelling with a never-ending richness in user functionality, we have become totally addicted to it—and that addiction has given us as a society a huge blind spot with respect to the actual vulnerabilities that are now hard-wired into our devices, systems, networks, and infrastructure.
Active Cyber: This sounds like an enormous problem with large implications for the Nation and society at large. How do we change course and start to right the ship?
Dr. Ross: I think the first and most important step is to have a fundamental understanding of the modern threat space and today’s threat actors and what the adversaries are capable of doing to the systems we depend on for mission and business success or to carry out critical federal responsibilities. Today, we treat our cybersecurity problems and challenges in a uniform manner—trying to protect all of our assets to the best of our ability. That homogeneous or “one-size-fits-all” protection philosophy has resulted in over protecting systems that do not warrant that level of protection and under protecting our high value assets. So, going forward, we will have to make better use of criticality analysis to divide our assets into two buckets—the first bucket will represent mission-essential applications, systems, services, and information; and the second bucket will represent everything else (i.e., nonessential applications, systems, information, and services). Bifurcation of assets is necessary to successfully execute the cyber defense strategy discussed earlier. Separating critical assets from noncritical assets allows organizations to focus their attention on things that matter the most; things that can affect security, safety, and the well-being of individuals. That focus translates to applying best practices in science, engineering, and mathematics to reduce and manage complexity and to develop more trustworthy secure, and cyber resilient systems and components for the critical infrastructure. The protection philosophy of separating critical assets from noncritical assets is analogous to an individual identifying his or her most valuable possessions and moving those possessions from the home domain with reasonable security (i.e., locks on the doors and windows of the house) to the bank domain with strong security (i.e., guards, cameras, vaults, and safe deposit boxes)—providing greater assurance and peace of mind to the individual. Building stronger domains and providing increased levels of protection for critical assets require greater investments in security—not always an easy, inexpensive, or popular option. But the increased levels of protection can be very targeted, limited in scope, and applied judiciously—in essence, “right-sizing” the security investments according to the potential impact of loss or adverse consequences.
Active Cyber: With that context and strategic vision, how do we execute this from a tactical perspective and what role does NIST play in that process?
Dr. Ross: We have many important projects underway at NIST currently and continuing into 2019 and beyond to develop guidance for our customers to help them build and implement robust cybersecurity and privacy programs. At the heart of that work is the new systems security engineering series which includes the flagship publication SP 800-160, Volume 1—providing the playbook for incorporating security design principles and concepts into an IEEE/ISO/IEC Systems and Software Engineering Standard. The objective of this initiative is to move security “left” in the system development life cycle as part of a systems engineering process—so the protection measures needed to ensure mission and business success are designed, developed, and integrated early and throughout the life cycle. We also have a new effort to explore how the security design concepts in SP 800-160, Volume 1, can be applied to Agile and DevOps development processes and environments—so security features and development evidence can be produced at the speed of innovation by industry. If successful, that would be an ultimate game-changer in how security is viewed and handled by industry in their current development processes in which time to market and innovation are key drivers.
Active Cyber: Have there been any additions to the security engineering series since the flagship publication, SP 800-160, Volume 1, was released in 2016?
Dr. Ross: Last March, we published an initial draft of the second volume in the systems security engineering series which deals with cyber resiliency, a hot topic on everyone’s radar today. SP 800-160, Volume 2, introduces a cyber resiliency engineering framework that defines cyber resiliency goals, objectives, techniques, and approaches and shows how to incorporate those constructs into the systems security engineering processes described in Volume 1. There are also threat models that can be used to drive cyber resiliency requirements and strategic and structural design principles that guide and inform the development of cyber resiliency capabilities. The publication assumes the APT is present in the system and provides guidance on how to limit the damage the adversaries can do while continuing to support critical missions and business functions. The cyber resiliency guidance can be applied to new systems or existing systems that are part of the installed base. In the next draft of the publication, we plan to include several use cases on power plants and the electric grid, transportation systems, and medical devices to demonstrate how applying the cyber resiliency concepts in a life cycle-based engineering process can stop or mitigate many of the recent serious cyber threats and attacks. And finally, we hope to finish the series with two additional systems security engineering publications addressing hardware security and software security. Very exciting stuff.
Active Cyber: It sounds like SP 800-160, Volume 2 is on the critical path to implementing the overall strategy. What kind of feedback have you received during the initial public comment period and when do you expect the publication to be finalized?
Dr. Ross: We received excellent feedback on the cyber resiliency guidelines from a wide variety of stakeholders in both the public and private sectors. Based on that customer feedback, we are making some design changes to the document and focusing on the use cases that I mentioned earlier. It is important to produce standards and guidelines that are both technically correct and implementable. Showing real world examples of cyber-attacks on critical infrastructure systems, providing an analysis of those attacks, and producing a mapping of cyber resiliency techniques and approaches to mitigate the threat transforms the guidance from shelf ware to “on the ground” applicability and utility. We are targeting the Fall of 2019 for final publication.
Active Cyber: Are there any plans to incorporate the concepts in the systems security engineering series into other long-standing NIST publications, such as SP 800-53, the security and privacy control catalog?
Dr. Ross: Absolutely. We have a full court press on to revise several NIST guidelines and to start infusing systems security engineering and cyber resiliency concepts into those publications. For example, in SP 800-53, Revision 5, targeted for publication in 2019, we have developed 34 new control enhancements that represent the security design principles in SP 800-160, Volume 1. In addition, we have developed a host of new cyber resiliency controls that can be directly mapped to the cyber resiliency techniques and approaches in SP 800-160, Volume 2. Adding these controls and control enhancements to SP 800-53, Revision 5, will provide a state-of-the-practice catalog of safeguards and countermeasures that can be used by our customers to help defend their systems and networks. The cyber resiliency controls can also be incorporated into other standing programs such as FedRAMP that supports cloud-based systems and applications. Resiliency controls can be implemented in hardware and software (e.g., in SAAS, PAAS, or IAAS offerings) or inherited as common controls where appropriate (e.g., in the facilities that support cloud-based systems). We also plan to update our control assessment publication in 2019 (SP 800-53A), adding assessment procedures for the new cyber resiliency and security design principles controls. Control assessment procedures are paramount to determining the effectiveness of implemented controls and providing authorizing officials with the best information possible, so they can make informed risk management decisions. Building on our work in the control space, SP 800-37, Revision 2, introduces the next generation Risk Management Framework (RMF). In this update, we have provided a mapping of systems security engineering processes in SP 800-160, Volume 1, to the steps and tasks in the RMF to bring the systems and security engineering teams closer to the enterprise risk management cybersecurity, and privacy teams—and subsequently, taking the first and very important step to building bridges between these disparate communities. The alignment of security and privacy with systems engineering processes also emphasizes the importance of executing the RMF as a system life cycle process for managing cybersecurity and privacy risk—and moving away from using the RMF as static checklist and paperwork exercise solely to obtain a system Authorization To Operate (ATO). This also helps organizations consider important security and privacy issues as they plan, acquire, or develop new systems.
Active Cyber: There has been widespread adoption of the NIST Cybersecurity Framework. How can Framework adopters take advantage of the NIST systems security engineering and cyber resiliency guidelines?
Dr. Ross: The Cybersecurity Framework can provide an excellent vehicle to help define the security requirements that are important to an organization. There is also a mapping of security controls from five different sources to the subcategories, categories, and functions that comprise the Framework Core. The mappings will be updated in the future to include SP 800-53, Revision 5 controls addressing systems security engineering and cyber resiliency. So as organizations develop their Cybersecurity Framework profiles on a sector-by-sector basis, controls supporting security design principles and cyber resiliency techniques and approaches can be selected and implemented as needed to support specific mission and business objectives. Ultimately, the Framework can provide important linkages from the C-Suite to the implementers on the ground ensuring that there is effective communication within organizations in all matters relating to cybersecurity.
Active Cyber: You have provided a great update to the plethora of activities ongoing at NIST. Taking a step back now and looking into your crystal ball, how does this story end? Are you optimistic or pessimistic about our ability to finally get our arms around these incredibly difficult cybersecurity problems and challenges?
Dr. Ross: Well, I am an optimist by nature but also grounded in reality. As a computer scientist and engineer by trade, I have an appreciation for how difficult it can be to design, build, and deploy trustworthy secure and cyber resilient systems. Can we, as a Nation, get the job done? Absolutely. Will we get the job done? Not so clear. The benefits we reap from the use of IT are clear and have dramatically added to the quality of our nation and way of life. We anticipate that will continue but, we want to minimize the risks that this also will bring so we can maximize this potential. We have smart people and forty years of computer and information security concepts and expertise to bring to the fight. But it will take strong leadership and a commitment from what I call the “essential partnership”—government, industry, and the academic community. Everyone has a role to play in getting us on the right path. Making the difficult choices to separate critical assets, invest in stronger protection measures that can be “engineered in” to systems from the start, and ensure that systems are cyber resilient—that is where the heavy lift comes in. We also need to develop the next generation toolsets and systems security engineers who understand that real security is not just “cyber hygiene” but developing robust security architectures, applying secure coding techniques to software development efforts, and reducing the complexity of systems to obtain greater assurance in the IT infrastructure. In the end, the technology and innovation are intoxicating. But the greatest technological advancements are not worth much if the systems containing that technology are unreliable, untrustworthy, and fail at inopportune times. That said, I continue to ask myself, what kind of world are we leaving to our children and grandchildren? And how can we help ensure that the digital world that they will live in has the same basic security and privacy protections that we took for granted in the paper-based world? That may be the most important question of all—and the most difficult to answer.
Thank you Dr. Ross for sharing information about the outstanding work by you and your staff at NIST in reshaping our security strategy guidance to enable multi-dimensional approaches to battling the cyber threat. I am optimistic that all the guidance you have produced and the advice you have provided here will enable us to turn the corner on the cyber threats we face today and tomorrow. I also would like to especially thank you for being my first repeat interviewee – the last 3 and half years have sure gone by quickly since our first interview. I look forward to the next time when you can report on a new shift in cyber strategy.
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, securing the Internet of Things, or other security topics. Also, email email@example.com if you’re interested in interviewing or advertising with us at Active Cyber™.
About Dr. Ron Ross
Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include information security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His current publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 Vol.1 (systems security engineering), and SP 800-171 (security requirements for non-federal systems and organizations), SP 800-160 Vol. 2 (cyber resiliency), and SP 800-171A (security assessments for non-federal organizations). Dr. Ross also leads the Joint Task Force, an inter-agency partnership with the Department of Defense, Office of the Director National Intelligence, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for the development of the Unified Information Security Framework for the federal government and its contractors.
Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. He has also lectured at many universities and colleges across the country including the Massachusetts Institute of Technology, Dartmouth College, Stanford University, the George Washington University, and the Naval Postgraduate School. A graduate of the United States Military Academy at West Point, Dr. Ross served in many leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, Dr. Ross received the Scientific Achievement Award for his work on a national security project and was awarded the Defense Superior Service Medal. Dr. Ross is a four-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Presidential Rank Award. He has received the Department of Commerce Gold and Silver Medal Awards and has been inducted into the National Cyber Security Hall of Fame. Dr. Ross has also been selected as an (ISC)2 Fellow and inducted into the Information Systems Security Association Hall of Fame receiving its highest honor of Distinguished Fellow.
Dr. Ross has received numerous private sector awards including the Partnership for Public Service Samuel J. Heyman Service to America Medal for Homeland Security and Law Enforcement, Applied Computer Security Associates Distinguished Practitioner Award, Government Computer News Government Executive of the Year Award, Vanguard Chairman’s Award, Government Technology Research Alliance Award, InformationWeek’s Government CIO 50 Award, Billington Cybersecurity Leadership Award, ISACA National Capital Area Conyers Award, ISACA Joseph J. Wasserman Award, Symantec Cyber 7 Award, SC Magazine’s Cyber Security Luminaries, (ISC)2 Inaugural Lynn F. McNulty Tribute Award, 1105 Media Gov30 Award, and three-time Top 10 Influencers in Government IT Security.
During his military career, Dr. Ross served as a White House aide and a senior technical advisor to the Department of the Army. He is a graduate of the Defense Systems Management College and holds Masters and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School specializing in artificial intelligence and robotics.