Companies, government agencies and other organizations should concentrate the vast bulk of their cyber security efforts on implementing best practices with the least effort going to incident response to buy down risk, a Department of Homeland Security (DHS) official, told Congress this week.
“At least 70 percent” of the effort of companies and agencies should be for implementing best practices, “in particular through the Cybersecurity Framework,” Andy Ozment, assistant secretary for the Office of Cybersecurity & Communications within the DHS National Protection and Programs Directorate, told a Senate panel on Wednesday. The Cybersecurity Framework published by the National Institute of Standards and Technology last year and created in partnership between the private and public sectors outlines flexible, repeatable guidelines and practices that organizations can use to cost-effectively manage their cyber risks.
“We know that best practices alone can defeat the vast majority of cyber threats and force our adversaries to pay more, frankly, for the benefits that they’re hoping to obtain,” Ozment told the Senate Appropriations Homeland Security Subcommittee.
The next most important risk mitigation activity as DHS sees it is “robust information sharing in near real-time and whenever possible,” Ozment said. Organizations should invest about 25 percent of their effort here, he said.
The House and Senate are expected to vote on cyber security bills next week that promote the sharing of cyber threat information between the private sector and the federal government. A key provision in the bills to incentivize the private sector companies and organizations to voluntarily share cyber threat indicators they find with DHS is limited liability protections.
Those liability protections will give industry the “comfort” to share threat data with DHS, Ozment said.
Incident response requires about 5 percent or so of an organization’s investment in cyber security, Ozment said.
“These are ballpark figures, but my idea here is to give you a sense of the magnitude and relative effort that should be expended,” he said.
At the national level federal agencies “are doing, frankly, a pretty darn good job of” sharing of cyber threat information with each other, Ozment said. This is “far better than at any time during my time in government,” he said. “The problem is too big for us to be worried about hoarding solutions.”
“We coordinate and collaborate deeply, daily,” Ozment said. Every morning beginning at 8:30 the six federal cyber centers have a conference call to discuss the latest issues, he said.
“We all talk daily,” Ozment said. “Depending on the mission we all have more recurring close ties than others. We also have liaison exchanges. So on the NCCIC floor, for example, we have FBI, NSA, Northern Command, Central Command, Coast Guard, Secret Service, homeland security investigators, and those are the people there every day. Appearing about once a week or so we have Treasury, Energy, and I’m sure I’m missing agencies but we do a lot of liaisons and essentially swapping people. And we have our people out at almost all of the other centers as well.”