Cybersecurity

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

The increase in cyber attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.

Context

  • It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
  • Cybernetics was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source may any terms in English before very suspect activities like Bitcoin.

Problems

  • New companies like Sentinel One start advertising on national television with no known track record. (2021-10-13 on NBC)
  • Finding and fixing Cybersecurity breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
  • In most countries, like UK and EU, Cybersecurity is not required by law.

DoD

  • December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
  • November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
    • DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
    • Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD
    • Supplier Performance Risk System (SPRS) to be considered for contract award.
    • DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
    • Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
  • November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0).
    • 3 levels
    • Based on FAR & NIST 800-171
    • Self-attestation/3rd Party Audit
  • None of that seems to apply to COTS (commercial off-the-shelf) software.
  • Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.

Executive Order 14028

Solutions

"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."[1]

References

  1. Terry Benzel, Cybersecurity Research of the Future CACM 64 no. 1 (2021-01)

Other Material