The Register® — Biting the hand that feeds IT

Feeds

Phone, internet corps SNUB US government's cybersecurity ABCs

20 computer defences rejected by telecoms industry

By Brid-Aine Parnell, 19th March 2013
  • print
  • alert

Ensure Ease of Recovery with Asigra’s Agentless Software

Phone companies and ISPs in the US have convinced a top advisory panel to hold back the American government from forcing a set of basic IT cybersecurity standards on them.

The Federal Communications Commission (FCC) set up a group of experts to figure out if the communications industry should be forced to adapt 20 "critical security controls", designed to stop or mitigate known attacks on computer systems.

But the panel informed the FCC in a report that there isn't a consensus among the key players that the recommended security checks are appropriate for telcos and ISPs - and that the commission should instead "encourage" companies to use them.

The report concluded:

While the 20 controls have been effective in guiding security management in enterprise and government institutions, the communications sector participants believe that some unique aspects of managing diverse multi-tenant communications networks will require additional evaluation in order to determine the extent to which the 20 Controls protect network infrastructure directly; as well as to determine the applicability of the 20 Controls to communications sector.

The full review can be found here [PDF]. Skip to page 15 for the 20 controls - they range from keeping tabs on the number of authorised and unauthorised devices to controlled use of privileged accounts.

The group - which included experts from state authorities and non-profits along with representatives from firms such as AT&T, Sprint, Verizon and Microsoft - said the FCC needed to carry out a further review of cybersecurity practices and what standards should apply to the comms industry.

The US government has said that the security of electronic systems and protection of national infrastructure from hackers are top priorities, but it's having trouble passing new laws without defining the standards companies should be measured against. The private sector is also resisting any attempts to turn voluntary standards into potentially expensive enforced regulations.

Last month, President Barack Obama issued an executive order for the establishment of voluntary minimum standards for any companies dealing with critical infrastructure.

The 20 cyber-controls came from secret lists of security measures that could stop known attacks on computers; the lists were compiled by government agencies including the NSA, FBI and the UK's Communications-Electronics Security Group (CESG) and computer security companies such as Mandiant and McAfee. ®

Cloud based data management

COMMENTS

House Rules Send Corrections
All Reader Comments (16)
Highly Rated
Henry Wertz 1

Maybe...

Maybe... *my* guess is (in some cases) the companies are being cheap and not implementing basic common sense. But, I'm guessing in OTHER cases, this type of security is a done deal, they just don't want to have to file ream after ream of paperwork (yes, on PAPER) to the gummint to prove it.

2
0
Mike Moyle

Maybe it's just me...

...but it seems like there's an easy solution to getting industry to use best security practices: Just make it impossible for them to collect "damages" in legal cases involving computer intrusion, while allowing THEIR customers to collect damages from THEM for downtime/identity theft, etc. as a result from that intrusion.

Making the cost of not securing their systems an INternal cost, rather than an EXternality, would -- to paraphrase Samuel Johnson -- "concentrate their minds wonderfully."

1
0
Yes Me
Reply Icon

Re: ISP's, Telco's and moiles say "We're *special*"

I'm not so sure what moiles are when they're at home, but if you actually look at the details, many of these "critical controls" are only relevant to enterprise networks (including government departments and the like). For example, there is a global recommendation of default/deny for protocols and ports without an identified business need. An ISP can hardly do that (nor can any enterprise that wants to encourage innovation, but of course that would never concern government departments, would it?).

So the ISPs, Telcos and moiles probably are special.

2
1

More from The Register

breaking news
UK telcos chuck another £1m at online child abuse watchdog
Web enforcers IWF gain power to seek and destroy illegal content
36
breaking news
Pttow! Ofcom kicks hams out of MoD bands
Geet off my land, you, you ... 'secondary user'
30
breaking news
Now you can use your phone instead of your wallet at the ATM, too
Blimey, these little paper towels out of the vending machine are really expensive
47
breaking news
UK.gov's £530m bumpkin broadband rollout: 'Train crash waiting to happen'
Whitehall whispers of damning watchdog report next month
30
Google launches broadband balloons, radio astronomy frets
A careless Loon could blind the square kilometre array
46
breaking news
MySpace zaps millions of teens' tearful rants, causes wave of angst
'Your crappy redesign SUCKS, I wanna read my blogs' screech users
53
breaking news
Microsoft Office 365 on iPhone NOW: No, we're not making this up
Word, Excel, Powerpoint for your pocket-stroker
83
Increased cell phone coverage tied to uptick in African violence
'Significantly and substantially increases the probability of violent conflict'
23
Vodafone Oz launches '100 Mbps' 4G service
Nice speed if you can get it
7
breaking news
Clearwire board to shareholders: Go on, grab that Dish cash
Sprint looks on in dismay
3