New Paper Calls for Investment in IT Security, Offers Guidance on How to Do It

A new publication built around Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems offers guidance on designing systems for trustworthiness and on reducing their attack surface.

The paper is written for readers with limited exposure to the technical vocabulary surrounding the vulnerabilities behind state-sponsored advanced persistent threats (APTs), hacktivist campaigns, and other intrusions. It comes from the Institute for Critical Infrastructure Technology (ICIT) and explains and builds on NIST Special Publication 800-160, the NIST document that carries the title above and was developed under NIST Fellow Ron Ross. ICIT senior fellow James Scott and ICIT visiting scholar Drew Spaniel, of Carnegie Mellon University, wrote the ICIT paper.

In the paper, which is worth downloading even for readers with technical expertise, the authors warn that adversaries could use U.S. information systems and networks to disrupt critical infrastructure, and that natural disasters and the failure of critical components could have similar consequences.

“The complete dependence of the public and private sector upon foundationally insecure systems jeopardizes the mission and business success of individual organizations, and it jeopardizes the stability of the United States as a nation,” the authors write. “After decades of constructing systems without incorporating security through the life cycle of the system, the United States is underprepared for the threats that arose in the age of information.”

The authors go on to note that Ross has called for significant investment in the engineering of secure information systems. Such investment, Ross has said, first requires that those who build and operate the systems understand the threat landscape, have a good handle on the assets they need to protect, know how to deploy new protective infrastructure and processes, work out how to integrate them with what is already in place, and learn how to assure and measure what they deploy so that the resulting environments are demonstrably more secure.

Edited by Peter Bernstein