GCN : August and September 2016
SPONSORED CONTENT S-24

ONE-ON-ONE WITH RON ROSS

Fellow at the National Institute of Standards and Technology (NIST) and leader of the Federal Information Security Management Act Implementation Project shares his views on building cyber-resilient systems.

Ron Ross recently spoke with Francis Rose, host of Government Matters on ABC 7 and News Channel 8, about how agencies need to look beyond simply protecting systems and data and instead consider how the enterprise responds to the constantly evolving threat landscape.

Rose: What are agencies and industry missing as they go about building the most cyber-resilient systems possible?

Ross: We’re building a powerful and complex information technology infrastructure. You can see the direction we’re going by the convergence of computers and physical systems. The buzzword you hear a lot is the “Internet of Things.” That represents the vast deployment of computers, driven by firmware and software, in almost everything that you can imagine. Whether it’s critical infrastructure or otherwise, there’s this massive infusion now of computers bringing this world to great new heights as far as capability, productivity and all the things that we enjoy with this wonderful new technology. In the ocean, there are things below the waterline you can’t see. And there are things above the waterline you can see very clearly. A lot of the cyber work we’re doing today doesn’t reach below the waterline. That’s where industry plays a major role, because they’re the ones building the hardware, the software, the systems and all the things upon which we depend.

Rose: IT leaders within the government have reached the point of recognition that they will be hacked. How can they ensure their systems are resilient enough to recover?

Ross: Most CIOs and CISOs worry about things above that waterline. We know from the empirical data we’ve gathered over more than two decades: there are certain percentages of adversaries that get into your system and do damage. How do you limit the damage they can do? Let’s use the OPM breach as an example. Let’s say they have 21 million records. In many cases, the adversary penetrates one system and then works its way in through privileged escalation. To protect those records, you may have some design decisions. One would be to decide on a mandate like: “The only records that are going to be accessible to our field agents are those that they have to work on every day—just one-tenth of one percent of the records. Everything else is going to be taken offline, or into a different domain.” It’s not just personal information records. It’s information pertaining to intellectual property, national security, and economic security. That’s why all the things we’re working on at NIST with regard to cybersecurity issues are so important, because of this great dependence on the technology.

Rose: What do you expect to be the biggest resilience questions government will ask, both about its own security and in policy making?

Ross: We’re working against a society compelled to use technology because it’s so powerful and affordable. You combine those two factors and people will tend to buy and use a lot of it. We’re trying to encourage people to do the right thing—to build in security. At the same time, we realize we live in an imperfect world where you can’t have 100 percent confidence or assurance in every system or every component.

This interview continues at carahsoft.com/innovation/Ross

Executive Viewpoint: Ron Ross, Fellow, NIST. Cyber Resilience.