Cyber Compliance Is Not Necessarily Cybersecurity
To succeed, improve defenses at the speed of the threat.
Cybersecurity program managers are facing the dilemma of appropriately balancing compliance with threat tracking and mitigation. Today, amidst the ever-growing problem of data breaches, organizations are investing in protection. But simply complying with security and privacy standards seldom means systems and data are automatically secure.
A well-publicized and much-studied 2013 data breach of the Target Corporation is one example of the numerous challenges organizations encounter when balancing compliance with effective cybersecurity. Target had completed a successful Payment Card Industry (PCI) audit in September 2013; yet by December 2013, an estimated 40 million customer credit card numbers had been exfiltrated.
Target had invested heavily to ensure PCI compliance. It also had a sizable investment in network auditing and monitoring. In addition, the company hired a cyber industry leader to assist in malware detection. Despite these safeguards, a small architectural flaw in the organization’s trusted relationship with a vendor’s network unraveled the entire effort.
An important takeaway from this case is that compliance with industry standards alone cannot be interpreted as having a secure system or architecture.
The U.S. Defense Department Cybersecurity Maturity Model Certification, or CMMC, was developed to address the wholesale intellectual property theft from the defense industrial base. In 2012, Gen. Keith Alexander, USA (Ret.), former director of the National Security Agency, characterized the Chinese harvesting of vital data as “the greatest transfer of wealth in history.” According to Gen. Alexander and a multitude of FBI indictments, the Chinese military and other nations actively pilfered U.S. national defense-related information from across the defense industry.
The case of the theft of the technical plans for the Defense Department’s Joint Strike Fighter, the F-35, illustrates how significantly troubling these exploits have become. According to analysis, China exfiltrated staggering amounts of design data related to the United States’ state-of-the-art fighter jet from multiple defense contractors tasked with development of the fighter.
The Defense Department’s goal is to help the defense industrial base protect its intellectual equity by mandating minimum cybersecurity controls for implementation on systems supporting defense programs. These compliance standards, or maturity levels in the CMMC example, will raise the bar by ensuring a baseline of security controls are implemented. The challenge, however, will be to consider the maturity levels as “minimum” expected security controls and certainly not a guarantee against dedicated nation-state targeting.
Over the past two years, many nation-state and cyber industry exploitation tools have been released into the wild. As a direct result, every would-be cyber criminal, hacktivist and nation-state now have an ample supply of weapons to exploit any company’s systems. This continuous release of ever-improving exploit tools requires each company to be continuously evaluating, testing and improving its cyber posture. This environment mandates not only adhering to compliance standards but also implementing a dynamic mission assurance program with constantly evolving capabilities. At a minimum, to be successful, a company will need to improve its cyber posture at the speed of the threat.
The challenge, therefore, for any C-suite executive is to understand that being compliant with current standards or certifications does not translate directly to secure systems and data. It is certainly the minimum entry fee for doing business.
While these certification policies and controls may keep many nuisance hackers and some criminal elements out of company systems, they definitely will not be sufficient to keep out well-funded criminal elements and nation-state actors. As a result, it is critical that security managers develop an enterprise corporate assurance program that balances both compliance certification with additional resilience measures. By focusing only on compliance standards, an organization may have expended its allocated security resources to achieve certification and not be effectively secure or resilient for the dynamic threat environment.
Today, many security and privacy compliance standards for business sectors—from health care to payment cards—set a minimum for operating and safeguarding. However, these standards often focus on management practices and technical and nontechnical controls. They rarely emphasize the current exploit methods cyber threat actors use. Balancing investments in both compliance and cyber threat mitigations can be a challenging calculus that weighs legal, reputational and operational risks.
Armed with these concepts, cyber program managers should review their own program plan. Organizations require certification standards with an agile cybersecurity program that can respond to today’s evolving threat environment. Program goals must not be fixed on one point such as certification or standard. The aim should be to build a program proficient in responding to an ever-changing threat environment that requires continuous improvement of cyber defenses.
Mark A. Spangler is an advisory board member for Secuvant, a managed security service provider. He also serves on AFCEA’s Cyber Committee and is the senior cybersecurity advisor to the TriSept Corporation. Spangler has 39 years of experience across information technology and cybersecurity, and served as the chief information security officer for the National Reconnaissance Office.