Cybersecurity & Cryptology Today
The Council on CyberSecurity and the Critical Security Controls for Effective Cyber Defense
Tony Sager & Frank Guido, Council on CyberSecurity on 06/07/2014
Despite a growing understanding of the threats and vulnerabilities within the technical IT and telecommunications community, widespread adoption of good practice and safe behavior in cyberspace is the exception, not the norm. The Council on CyberSecurity was formed to accelerate widespread availability and adoption of effective cybersecurity practices by providing an independent, expert platform to help identify, validate, and promote practices that work best to conduct our lives more securely in cyberspace. The Council believes that all three elements of the cyber ecosystem — people, technology, and policy — must be considered together and brought into alignment in order to create a foundation of security practices that are understandable and usable by each user and scalable for every user.
Aligning the technology element begins with the Critical Security Controls for Effective Cyber Defense (the Controls), the measures widely acknowledged as representing the most important steps an enterprise can take to markedly strengthen its ability to thwart attacks. Previously known as the SANS Top 20 Critical Security Controls, the Controls were originally developed by a public-private consortium led by the SANS Institute and the Center for Strategic and International Studies; the Council has since assumed responsibility for leading the volunteer collaboration credited with identifying, developing and supporting them. As a Founding Member of the Council, the SANS Institute remains closely involved with the Controls. The Council’s stewardship includes regularly convening experts to refine, update and validate the Controls, and collaborating with public and private partners globally to promote their adoption and implementation.
The actions defined by the Controls are demonstrably a subset of the comprehensive catalog defined by NIST SP 800-53. The Controls do not attempt to replace that framework; rather, they prioritize and focus on a smaller number of actionable, high-payoff controls, following a “must do first” philosophy. Because the Controls are derived from the most common attack patterns and vetted across a very broad community of government and industry, with very strong consensus on the resulting set, they serve as the basis for immediate high-value action.
Taking an “offense must inform defense” approach, the Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive attacks. One of the earliest adopters, the U.S. Department of State, found that the Controls aligned remarkably well with the 3,085 cyber attacks it experienced during fiscal year 2009. Subsequently implemented by every system administrator across the 24 time zones in which the Department operates, the Controls achieved an 88% reduction in vulnerability-based risk across 85,000 systems.
The Controls illustrate the kind of large-scale, public-private, voluntary cooperation needed to improve individual and collective security in cyberspace. In an age of constant new information that affects risks, the Controls play a vital role by defining what is worth monitoring continuously – information created by the highest priority defensive actions. Too often in cybersecurity, it seems the “bad guys” are better organized and collaborate more closely than the “good guys.” The Controls provide a means to turn that around.
Tony W. Sager is the Director of Programs of the Council. Tony spent 35 years in federal service, 34 of which were dedicated to cryptography and cybersecurity with the National Security Agency. During his extended government career with the NSA, Mr. Sager headed the Systems and Network Attack Center, oversaw all Red and Blue Team projects, established and led security product evaluation teams, helped guide the agency's top talent development programs, served as the founding chief of the Vulnerability Analysis and Operations Group (composed of 700 of the NSA's top technical cybersecurity specialists serving the defensive mission), and was the Chief Operating Officer for the Information Assurance Directorate. Tony also led the release of NSA security guidance to the public starting in 2001, and greatly expanded NSA’s role in the development of open standards for security.
Having recently retired from government work, Mr. Sager has become a prominent and vocal advocate at the national level for open and elevated network security standards such as the Security Content Automation Protocol (SCAP). In 2012, Mr. Sager was named Director of the SANS Institute, a private corporation specializing in computer and network security training. In that same year, Mr. Sager assumed the lead role for the Consortium for Cybersecurity Action (CCA), a volunteer organization which prioritizes information and network-based threats so that both public and private sector entities can prioritize their network defenses in light of recent attacks and the changing threat environment.
Mr. Sager holds a B.A. in mathematics from Western Maryland College and an M.S. in computer science from The Johns Hopkins University. Mr. Sager is also a civilian graduate of the US Army Signal Officer Basic Course and the National Security Leadership Course.