White House advisers: Government ‘rarely’ follows cybersecurity best practices

by Kate Tummarello - 11/22/13 6:45 PM ET

The federal government needs to lead by example when it comes to cybersecurity best practices, the White House’s technology advisers said Friday.

In a report released Friday, the President’s Council of Advisors on Science and Technology — which includes Google’s Eric Schmidt, Microsoft’s Craig Mundie and leaders from the country’s science and technology-focused universities — said the government should follow best practices to prevent cyberattacks.

{mosads}“The Federal Government rarely follows accepted best practices,” the group wrote.

“It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems.”

These best practices include using software that updates automatically, adopting secure browsers and phasing out “unsupported and insecure operating systems, such as Windows XP.”

The report also encourages regulatory agencies to encourage best practices for the industries they regulate.

“In particular, the Securities and Exchange Commission (SEC) should mandate, for publicly held companies, the disclosure, as investment risks, of cybersecurity risk factors,” the group said.

The Commerce Department’s National Institute of Standards and Technology should work with Internet providers to develop best practices, the report said.

Internet providers need best practices so they “can alert users and direct them to appropriate resources when their machines or devices are known to be compromised,” the report said.

The group also encouraged the federal government “to encourage continuously improving, consensusbased standards” across the private sector rather than “mandated, static lists of security measures” and encourage private companies to share cyberthreat information with one another.

The report notes that the data being shared between private companies “should not and would not be accessible by the Government.”

While the government might provide the standards or technology for that information sharing, “the protocols or technology utilized should have sufficient transparency to mitigate legitimate concerns about inappropriate Government access to private data,” the report said.