CybersecurityNew international consortium helps shape future cybersecurity practices

Published 2 November 2012

The Consortium for Cybersecurity Action (CCA), a newly-formed international consortium of government agencies and private organizations from around the world, will host a conference call  to promote the most effective approaches to cybersecurity and support eleven key developments which are shaping events

The Consortium for Cybersecurity Action (CCA), a newly-formed international consortium of government agencies and private organizations from around the world, will host a conference call  to promote the most effective approaches to cybersecurity and support eleven key developments which are shaping events.

The conference call is scheduled for Monday, 5 November, at 11:00 a.m. EST. Dial-in instructions: domestic (dial-in): 877-268-9432; international (dial-in): 817-755-8752; conference call ID# 63979758.

The SANS Institute says that the briefing will feature analysis by the world’s top security experts of eleven major “headlines” about efforts to prevent and thwart cyber attacks. The experts will also discuss the most effective ways for organizations to implement the newly updated Critical Controls, a prioritized, risk-based set of information security measures to defend against myriad internal and external threats.

The major cybersecurity headlines for discussion are:

  • The United States, United Kingdom, Australia, and dozens of major agencies and corporations agree to cooperate in defining and promoting the most effective controls for computer and network security and the most rapid and cost-effective ways to deploy them.
  • Tony Sager, most recently COO of the National Security Agency’s Information Assurance Directorate, agrees to lead the CCA. Sager heads the list of experts who will conduct the conference call, along with Dr. Eric Cole, Randy Marchany, and Alan Paller.
  • The CCA releases the updated (Version 4.0) Critical Controls for Effective Cyber Defense document reflecting improved consensus on global risk assessment and the most effective actions enterprises can take to manage risk. The updated Controls will be published November 5th and available online at the SANS Web site.
  • The British government’s Center for the Protection of National Infrastructure (CPNI) describes the Critical Controls as the “baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense.”  CPNI is mapping its guidance products against the controls to assist organizations with implementation.
  • The Australian Defense Signals Directorate revises its “35 Strategies to Mitigate Targeted Cyber Intrusions” and re-ranks the “Top 4 Mitigation Strategies to Protect Your ICT System.” Available online here. Educational video available here.
  • DHS announces a large procurement package to automate the first five of the Critical Controls across .gov networks with buying options for federal cloud initiatives and state and local governments. In its procurement process the DHS has adopted Australia’s top priority strategies (whitelisting, configuration, and patching) as core elements of its first phase of a large contract implementing the Critical Controls.
  • The U.S. Federal Communications Commission launches a task force to determine how the Critical Controls can best be applied to protect the telecommunications industry.
  • The CCA announces it will publish Quarterly Updates to ensure that all consortium members have access to the most current threat information and that the controls are updated annually to address cutting-edge threats and vulnerabilities.
  • Training programs on the Critical Controls and the Top 4 Mitigation Strategies planned for the Asia-Pacific region, Europe, and United States over the next seven months.
  • The states of Ohio and Colorado adopt the Critical Controls as their cybersecurity standard.
  • Virginia Tech University adopts the Critical Controls as its cybersecurity standard.  VT is polling other schools to determine which others have made similar decisions.

The CCA says it will serve as an ongoing mechanism to bring together community expertise on attacks and threats; identify and prioritize the most effective defensive controls (based on performance in stopping attacks); identify tools and processes to support implementation; encourage and support adoption of the Critical Controls by organizations, standards bodies, and governments; and enable the world community to share cyber defense information and effective practices.

The Critical Controls are specific guidelines that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to both manage and measure the effectiveness of their defenses. They are designed to complement existing standards, frameworks, compliance schemes, etc. by bringing priority and focus to the most critical threat and highest payoff defenses, while providing a common baseline for action against the risks that we all face.