7.2 Tactical and strategic analysis of cyberattacks and vulnerability assessments




To advance the national ability to analyze cyberattacks and vulnerabilities, several things need to change in how the government and private-sector user organizations interact, as well as in how technology producers report vulnerabilities to the government.

The analysis of cyberattacks will require more detailed reporting of activities and intrusion attempts on an ongoing basis. However, most organizations are still leery of reporting incidents. The 100 name-brand organizations were asked if they ever reported a computer crime or intrusion to law enforcement. As shown in Table 7.1, only 26 percent reported that they had. In Chapter 4 it was recommended that IT managers analyze how to participate in the reporting process, and guidelines were provided for what to report.

Table 7.1: Reporting Computer Incidents to Law Enforcement

| Response | Percent |
|---|---|
| Yes | 26 |
| No | 36 |
| I do not know the answer to this question | 35 |
| Other | 3 |

To analyze vulnerabilities successfully, two primary areas need to be examined: (1) how technology is produced and what types of flaws and vulnerabilities exist in products sold on the open market, and (2) how users configure and deploy that technology in their organizations and how well field systems are configured to minimize the vulnerabilities that may be inherent in the technology.

NIST and the NSA have been actively evaluating the vulnerabilities of information and network technology and have issued many standards and recommendations. However, several certified security professionals who were interviewed for this book reported that many organizations are still deploying technology with weak configurations that increase the vulnerability of their systems and networks.

To eliminate vulnerabilities in cyberspace, it is also necessary to identify those vulnerabilities as quickly as possible. This will require more vigorous testing before technology producers release new products or upgrades to existing products. It will also require reporting of vulnerabilities that are discovered in products. Given the competition in the technology marketplace, it is not likely that technology producers will willingly reveal what they know about vulnerabilities until those vulnerabilities are discovered by independent testers.

Regardless of the position technology producers take on reporting vulnerabilities, it should be recognized that the manufacturers of IT and networking products have remained free of liability for flaws, defects, or vulnerabilities in their products. They protect themselves through licensing agreements that shift all liability to the user as a condition of licensing the product. This situation is not likely to change in the near future.






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248
