Dec 14, 2010

New ESG Survey Puts IT Vendors on Notice: Improve the Resiliency of Products or Face Government Intervention

by Pam O'Neal

A word to the wise: IT equipment vendors had better brace themselves for a wave of regulation that will force them to measure and certify the resiliency of their network and security products. The smart ones will get ahead of this wave; the laggards risk being swept away by it.

Companies Turn to Uncle Sam for Cybersecurity

You know you have a serious problem when Fortune 500 companies ask the Federal government to get involved in their business. Remember the controversial 2008–09 General Motors and Citigroup bailouts? Companies that once were staunchly opposed to government intervention in matters of private enterprise suddenly became vocal about the urgent need for the feds to step in and save them from disaster.

Asking for a bailout from Uncle Sam isn’t so surprising, really. It’s easy to understand the willingness of corporations to invite government intervention (and cash) when they are on the verge of collapse. We’re in new territory, though, when private enterprises ask the government to step in to enforce cyber security measures. After all, new regulations, or tougher enforcement of existing ones, typically drive up the cost of doing business.

That’s why I was shocked by the results of the recent Enterprise Systems Group (ESG) survey [PDF] of organizations that are categorized by the U.S. Department of Homeland Security (DHS) under Critical Infrastructure and Key Resources (CIKR). According to responses to the survey, which was commissioned by Hewlett-Packard and Microsoft:

“Rather than an anti-government mindset, 71% of the CIKR organizations surveyed believe that the U.S. Federal Government should be a more active participant in cyber security strategies and defenses. Survey respondents would like to see the Federal Government institute programs to identify IT vendors with poor security, create better methods for public/private security data sharing, enact more stringent cyber security legislation, and provide incentives to organizations for improving their cyber security.”

The Severity of Cyber Risks

If the desire for government intervention in private business matters can be used to measure the severity of a problem, our current cyber security crisis must be a whopper. Indeed, other results from the survey bear this out:

“Based on primary research with 285 U.S.-based CIKR organizations, ESG concludes that critical infrastructure firms realize they are under attack. ESG found that the vast majority of CIKR firms participating in the survey suffered at least one security breach over the past two years. 13 percent experienced more than three.”

“Survey respondents believe that the current threat landscape is worse than it was two years ago and will grow even more insidious between 2010 and 2012. In spite of increasing security risks, ESG found abundant security vulnerabilities: about 20% of survey respondents don’t believe their organizations are prepared to meet today’s cyber security challenges.”

While the idea that 20% of CIKR organizations are unprepared is disturbing enough, I for one believe that this number is badly understated. At BreakingPoint, our work lets us see firsthand how many of today’s network and security products — even some of the most sophisticated ones, from the most reputable vendors — fail to perform as advertised in the face of real-world traffic, live attacks, and heavy user load.

IT Vendors Are Failing Their Customers

The ESG survey highlights one of the reasons for this dangerous false sense of security:

“. . . few organizations are doing thorough due diligence on their IT vendors’ security, so CIKR firms may be buying hardware and software with security vulnerabilities ‘baked-in’.”

Saying “may be” is far too kind, both to the CIKR companies and the IT vendors serving them: these companies certainly are buying products with vulnerabilities baked in.

Results of BreakingPoint Resiliency Score trials on top-brand network and security gear bear this out, which leads me to assume that far more than 20% of the CIKR respondents are actually unprepared to thwart the increasingly sophisticated cyber attacks of organized criminals and enemy nations.

ESG’s report does make it clear, however, that the most security-conscious firms surveyed do conduct rigorous product reviews. We at BreakingPoint are likewise seeing this more and more often. Many of our customers have adopted the BreakingPoint Resiliency Score as a fast and standardized way to measure the performance, security, and stability of network, security, and data center products prior to purchase and deployment. Some of them, including leaders in financial services and telecommunications, have incorporated our products and Resiliency Score methodologies into their ongoing network and security auditing processes.

Increasing Pressure for Change

With the exception of a handful of leading vendors, equipment manufacturers have been much slower to measure and reveal their Resiliency Scores. I’m pleased to say, however, that this is changing rapidly, thanks to both private and public pressure. On the public front, we are starting to see much-needed legislation to regulate the evaluation of equipment performance and security claims. A bill sponsored by Rep. Bennie Thompson, D–Miss., the outgoing chairman of the Homeland Security Committee, calls for two key requirements, among several others:

  • Development of performance-based standards for private networks determined to be critical.
  • The ability to share and protect relevant threat information with other federal agencies and applicable companies.

By all means, companies and legislators alike must be vigilant to make sure that we do this right. Clearly we don’t need more compliance check-boxes to fill in. We do need meaningful standards that reward the behaviors that will make us all more secure.

For a start, the Federal government can establish standards for the evaluation and certification of network and security equipment resiliency. These could operate like the standards for electrical goods that are monitored by Underwriters Laboratories. We also need a public-private partnership — coordinated by DHS — in which all parties collaborate to share the most current data on cyber attacks.

The combination of certification and collaboration enables the most important step of all: enterprises adopting the best practice of feeding up-to-date cyber attack information into complex, realistic simulations of their own network and data center environments. Only by running such simulations — and running them regularly — can companies make themselves truly resilient against cyber attack. These simulations also give companies the evidence they need to hold equipment manufacturers responsible for delivering resilient devices.

Rewarding the Vigilant, Punishing the Slackers

Our customers are already using the BreakingPoint Resiliency Score to inform their IT purchasing decisions. This allows them to vote with their pocketbooks, rewarding the forward-thinking vendors who invest the needed effort to deliver products without “baked-in” vulnerabilities. These end users, and the responsible vendors serving them, have nothing to fear regardless of how the Federal government acts to enforce cyber security standards: they are already doing what they should to ensure their own readiness to withstand cyber attacks, which in turn improves security for the rest of us, too.

But the foot-draggers — especially the vendors who have yet to embrace transparency in reporting the resiliency of their products — are in for a rude awakening. The clamor for government action is getting louder by the day, and we must all expect that the feds will step in at some point.

Do you want to be ahead of that curve, or behind it?
