Have you been wondering about what makes systems trustworthy and how to manage risk? We recently interviewed Dr. Ron Ross about the NIST Risk Management Framework, active cyber defense, and some of the other innovative projects that NIST is currently leading in the areas of cybersecurity.
Dr. Ross is a long-time leader and visionary in the area of cyber with a special focus on the fundamental and practical requirements for making cyber work in the enterprise. Take a few minutes to learn what this leading thinker says about what’s next on the cybersecurity horizon, his views on some of the pending cyber challenges, and his thoughts on active cyber defenses.
Spotlight On Dr. Ron Ross
» Title: Fellow at the National Institute of Standards and Technology
» Email: email@example.com
» Website: csrc.nist.gov
» LinkedIn: linkedin.com/in/ronrossnist
» Twitter: @ronrossecure
Read his bio below.
July 31, 2015
Chris Daly: Ron, your work on the Risk Management Framework is providing a foundation for agencies and industry to secure their critical systems and data. What are the evolutionary technology advances you see coming that will build upon this foundation and start to turn the tide on cyber attacks?
Dr. Ron Ross: Based on NIST’s legislative mandate under the 2002 Federal Information Security Management Act, or FISMA, we have spent the past twelve years developing the core information security standards and guidelines for the Federal government. These standards and guidelines, including the Risk Management Framework, have now been adopted by all Federal agencies and provide a comprehensive toolset for those agencies to use in building their security and privacy programs.
While we have outstanding fundamental building blocks in the cybersecurity toolset, our most significant challenges still seem to be focused in two areas—finding ways to institutionalize security best practices within our organizations, and managing and reducing the complexity of our IT infrastructure, or what adversaries see as the “attack surface.” So to address these challenges, we initiated a major systems security engineering project to develop comprehensive guidance on effective approaches for integrating cybersecurity best practices into our information systems throughout the life cycle. We are using forty years of established scientific and engineering principles, concepts, and methodologies to help our customers build systems that are inherently more trustworthy and resilient from initial design through development, deployment, operations, sustainment, and retirement.
Just as we use the foundational principles and concepts in science and engineering to design and build bridges and airplanes, we are advocating the use of the foundational principles and concepts in systems and security engineering, computer science, and mathematics to build systems and system components that are trusted and operate with higher levels of assurance. This is especially important in systems and applications that support critical Federal missions and the U.S. critical infrastructure.
Daly: One of your more recent projects – NIST SP 800-160, Systems Security Engineering – An Integrated Approach to Building Trustworthy Resilient Systems (draft) presents a phased engineering approach for building security into systems. Can you speak to what makes a system trustworthy and how trustworthiness relates to a risk-managed approach?
Ross: A trustworthy system is a system that you can rely on to support your missions and business functions while operating in the modern threat space. Trustworthiness, from a security perspective, reflects the confidence you have as a CEO or the head of a Federal agency that your systems will meet their security requirements while subjected to disruptions, human errors, and attacks that may occur.
Risk management, in the world of complex systems, must be able to assess the risks that an organization faces including the range of threats that could exploit system and organizational vulnerabilities to negatively impact the mission or business; and how the organization should invest in the appropriate security safeguards to respond to those risks within the organization’s established risk tolerance.
The systems security engineering approach in SP 800-160 ensures that all security-related investments are tightly coupled to the mission or business objectives of the organization. The specific protection needs of key stakeholders drive the system and security requirements to ensure that the system being developed is as dependable and as secure as it needs to be in order to reduce its susceptibility to modern cyber attacks and more traditional threats.
As our systems and IT infrastructure continue to be targets of opportunity for adversaries with increasingly sophisticated cyber capabilities (including nation-states, terrorist groups, criminals, and hacktivists), it is extremely important for us to be able to harden those targets, limit the damage to those targets if the attacks are successful, and make the targets survivable or resilient so we can continue to carry out our critical missions and business activities. Achieving this capability requires strong leadership and governance, significant investments in personnel and technologies, a disciplined and structured engineering process, and a process for continuous improvement to be able to react to ongoing changes in the threat space, IT infrastructure, or technological advances.
Daly: I outlined 6 key capability areas for next generation cyber defenses in my recent eBook, Protecting the Future Enterprise: Active Cyber Defense. Which of these capability areas appeals the most to you in terms of its ability to provide a significant boost to cyber protections for enterprises and why?
Ross: There is clearly an evolution in our thinking on how to best protect our information, systems, and assets. We have migrated from a pure boundary protection strategy which is static in nature to a dynamic strategy that extends the static protections to an “agile defense.” We know that all cyber attacks cannot be stopped so we have to be able operate while under attack. That means “cyber resilience” becomes the primary objective to ensure the systems can absorb the first strike and be able to operate even in a degraded or debilitated state—limiting damage and continuing to support critical missions and business operations.
That’s a tall order but achievable, if we make smart and targeted investments, apply established systems security engineering concepts, and employ state-of-the-art commercially available trust technologies from the hardware through the application layers. Taking these steps will make systems more penetration-resistant and reduce the adversaries’ freedom of movement and time on target, once they have broken through the initial perimeter defenses. Limiting the damage from cyber-attacks depends on the system design and architectural considerations that are fundamental in a systems security engineering process. Adding a continuous monitoring component to a well-engineered system provides the capability of using threat intelligence in real- or near real-time to increase the organization’s situational awareness and be able to react to changing conditions on the ground. Employing virtualization, concealment and misdirection, and a host of other resiliency techniques, can make the system environment less predictable and more challenging for adversaries.
Daly: For me, the two most alarming aspects of recent data breaches are: the amount of time from initial breach to discovery; and the exploitation of the supply chain to penetrate the target. What approaches do you recommend to begin to address these issues?
Ross: Those are two very important and very different problems.
Certainly building security in from the start through sound systems security engineering practices reduces an organization’s susceptibility to the initial cyber attacks and subsequent breaches. But as part of a comprehensive defense-in-depth strategy, it is also essential to have a robust continuous monitoring program to understand the security state of your systems and networks on a real time or near real time basis. Well-designed continuous monitoring programs include the deployment of intrusion detection and prevention systems and using automated tools to provide the greatest breadth and depth of monitoring coverage possible. Being able to detect an attack early and respond aggressively to ether stop the attack or limit the damage to the system or organization is critically important to an organization’s survival. There are many commercially available tools that can help organizations implement effective detection and response programs.
Supply chain security risk is an increasing concern for organizations because of our dependence on IT components and systems to support our missions and business functions. The trustworthiness of individual components, systems, and services is a top priority for organizations. NIST has published extensive guidance on supply chain security risk (NIST SP 800-161 Supply Chain Management Practices for Federal Information Systems and Organizations) and these issues are also being addressed in the security engineering guidance in SP 800-160.
Daly: Can you tell us what challenges you see facing the security of the Internet of Things and what NIST is doing in this area? Do you think that autonomous agents would be helpful elements in this space?
Ross: The Internet of Things, or IoT, is a great example of how the rapid advancements in computing and information technologies are driving innovation and fueling the consumer’s appetite for an ever-expanding set of applications used in a variety of devices and systems from automobiles to home appliances. So as the Internet of Things grows, so does the complexity (and attack surface) of the individual IoT components, systems, and system-of-systems that are emerging with the ubiquitous connectivity that is fundamental to making it all work.
Part of the systems security engineering approach that I described earlier addresses the growing complexity of systems and how to reduce and manage that complexity using fundamental computer security principles and trusted systems development. In addition to our systems security engineering project which is very relevant to the development and deployment of IoT products and systems, NIST has a robust and highly interactive Cyber Physical Systems Program that is working collaboratively with government, industry, and academia to address the many challenges and opportunities (including security) associated with IoT.
With regard to autonomous agents in the IoT space, there is ongoing research to determine the feasibility of decentralizing the needed security capabilities to achieve some of the fundamental security properties such as non-bypassability and tamper resistance—helping to facilitate a self-protecting mode for devices, systems, or data when operating in the “wild.”
Thanks Ron for such an insightful look at the innovations that are happening at NIST and across the federal space. I believe as we see these innovations begin to roll out and be adopted as foundational elements in our cyber enterprises, that we have a way of creating better and more active defenses for this cyber war.
And thanks for tuning in with us! Be on the lookout for more interviews coming up. Please give us your feedback on this interview because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, feel free to email firstname.lastname@example.org if you’re interested in interviewing with us at Active Cyber.
About Ron Ross
Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current focus areas include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. Dr. Ross is the principal architect of the Risk Management Framework (RMF), a multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA-related standards and guidelines into a comprehensive enterprise-wide security program. Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, the Office of the Director National Intelligence, the U.S. Intelligence Community, and the Committee on National Security Systems that developed the Unified Information Security Framework for the federal government and its contractors.
In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. He has also lectured at many universities and colleges across the country. A graduate of the United States Military Academy at West Point, Dr. Ross served in many leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, Dr. Ross received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a three-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Department of Commerce Gold and Silver Medal Awards. Dr. Ross has been inducted into the Information Systems Security Association (ISSA) Hall of Fame and given its highest honor of ISSA Distinguished Fellow. He has received several private sector information security awards including the Applied Computer Security Associates Distinguished Practitioner Award, Vanguard Chairman’s Award, Symantec Cyber 7 Award, InformationWeek’s Government CIO 50 Award, Best of GTRA Award, Billington Cybersecurity Leadership Award, ISACA National Capital Area Conyers Award, SC Magazine’s Cyber Security Luminaries, (ISC)2 Inaugural Lynn F. McNulty Tribute Award, 1105 Media Gov30 Award, and the Top 10 Influencers in Government IT Security. Dr. Ross is a graduate of the Defense Systems Management College and holds Masters and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School specializing in artificial intelligence and robotics.