Cybersecurity Standards
Cybersecurity Standards 2
Table of Contents
Introduction ... 2
Cybersecurity Standards: Challenges in progress ... 4
The Policy Maker’s Dilemma ... 4
Technology Architectures ... 6
Unified Architecture ... 6
Proprietary Technologies ... 7
Is there a right technology for cybersecurity standards and ensuring compliance? ... 8
Can global standards unify under differing standards? ... 12
Will true unity be achieved? ... 14
What impact does this have on decision-makers in regards to budgetary concern in IT investment? ... 16
How will cyberattack challenge developing global standards? ... 17
Conclusion ... 18
References ... 19
Introduction
Transforming, modernizing, revolutionizing, life-altering: all words synonymous with the introduction of the Internet and the World Wide Web. It has truly changed the way we communicate, socialize and work; the very dynamic that makes us human. Our collective entity is encased in bits and bytes of data stored and shared online through a single global digital infrastructure created to meet our growing demands in the individual, private and public arenas (National Academy of Sciences, 2014). We go about our daily routines reliant upon this technology to make our lives easier, but in our haste we sometimes forget about the danger that can manifest in that ease. With an immeasurable amount of data online, the vulnerability to attack becomes much more evident, and those who wish to do harm become much more inclined to act. Sun Tzu once said: attack where he is unprepared, appear where you are not expected, for cleverness has never been associated with haste.
Cybersecurity is now intertwined with every conversation from almost every perspective. The many issues range from the protection of a single computer, through decisions about architectures, to global initiatives on how to be more secure in cyberspace. The United States (U.S.) began looking to establish a security standard in the early 1980s, but it was not until the explosion of the World Wide Web and Internet service providers that a paradigm shift in business took place. Now we are engulfed in the Internet economy, fully embracing globalization as the new norm. So how do we protect ourselves? So far the U.S. has doubled down on its efforts at creating standards for businesses to use, but as fast as we can make them, technology innovation renders them obsolete. The international community has done far less to develop and implement effective solutions to impede cyberattack, as its governing bodies cannot come to consensus on concerns with legality, jurisdiction, forensics, research and development, or even best practices. It is incumbent upon the global community to review innovative technologies and system architectures in order to design, develop, and maintain a collaborative set of standards unifying the cybersphere and ensuring a commonality of compliance.
Cybersecurity Standards: Challenges in progress
Standards and compliance are now a part of doing business, whether at the state, local, federal or even international level. Almost every agency of government needs standards as a key element in maintaining conformity while fostering innovation through the reinvention of processes, practices, and product development. Standards set for a user’s or organization’s cyber environment depend upon the various entities within it and have evolved over time. The network, the applications, and the hierarchy of process and system architecture are all interconnected and in need of established objectives to reduce the risk of breach or attack in all its forms. With various countries now doing business via these networks, the international community has long collaborated on policies and practices designed around information assurance and security.
The Policy Maker’s Dilemma
The U.S. Congress, in coordination with various private corporations, has pushed tirelessly through efforts to improve cybersecurity in a digital world. In 1998, the National Security Agency (NSA) contracted with Stanford University to devise a program aimed solely at identifying cyber threats and developing a way to address these concerns. The program became known as CRISP (Consortium for Research on Information Security and Policy), and its findings suggested that critical infrastructure was at risk because of government limitations on both privately owned infrastructure and industry cooperation towards security; because unilateral national actions were ineffective; and because of legal problems, with little to no applicable international law governing suspicious or malicious activity in cyberspace (May & Elliott, 2001). More importantly, the latent nature of cyber-attack has led many to discount the need for cybersecurity, thus putting others at risk.
Efforts to pass legislation such as the 2011 Cyber Intelligence and Sharing Protections Act (CISPA) and the Senate Cybersecurity Act (CSA) of 2012 have failed because the regulatory approach of the proposed framework leaves many with doubts. Federal regulation is a slow, cumbersome process that takes between 24 and 36 months to implement, whereas the processing power of computers and the dynamic field take roughly half that amount of time to change, leaving the regulation out-of-date and useless (Bucci, Rosenzweig, & Inserra, 2013). Coupled with the recent breaches and failures of many government agencies, the push for standards and responsibility to the private sector is warranted. The Government Accountability Office (GAO) sides with technology innovators and contends that regulation would in fact create a culture focused solely on compliance rather than a culture focused on achieving comprehensive and effective cybersecurity (2012).
The other issue policymakers find especially nerve-wracking is the contrasting landscape of technology architectures and auditing methodologies used in the cyber environment, and the legality across borders. For a more effective cybersecurity framework, a standard set of operating procedures can be applied through a specific architecture to improve internal controls and assess risks to informational assets or systems. By making the appropriate preparations and considering all possible outcomes of misfortune should they occur, advancing into uncertainty is warranted (Clausewitz, 1989). However, deciding on the best stratagem to develop cyber controls in a cyber-centric world only becomes harder when dealing with regulatory standards versus proprietary technology, secure coding practices, systems-based versus risk-based approaches to auditing, and various other choices.
Technology Architectures
Information technology architecture is the process of developing the intricate specifications, working parts, and modeling concepts that, following a framework, make up an organization’s technology portfolio. It is an attempt to formulate a set of resources that enable the logical and physical application of data components, bridging the gap between IT and business, into a deliverable approach consistent with industry practices and safeguarded within the physical design of the building.
Unified Architecture
Open Platform Communications (OPC) was released in 1996 as Object Linking and Embedding (OLE) for Process Control, designed for Microsoft Windows operating systems. The major design goal was to associate software applications and process control hardware through a defined set of standards used to facilitate interoperability. A goal of OPC is to reduce redundant effort between manufacturers and software vendors and to interface the two through the creation of a common interface to be reused by any business. The OPC Foundation was established to oversee the standard and grow its usage in a consistent manner, offering membership that includes access to the latest specifications and updates.
OPC Unified Architecture (UA), released in 2008, is the culmination of years of work to successfully integrate new technology into the OPC suite. The original protocol, while advanced at the time, suffered a number of drawbacks such as weak security and configuration issues, but the three main points were:
1.) It had surpassed its use as a simple point-to-point solution, taking on a more integral role in extremely complex OPC architectures that required key specifications in functional areas.
2.) Clients and businesses asked for more ways to leverage standards to assist in defining other industries.
3.) It needed to expand its base beyond Microsoft Windows to support Linux, Apple OSX and other platforms as a cross-platform service oriented architecture (SOA) able to handle XML, TCP, Java and Web Services (Honeywell International, Inc., 2016).
Evolving to a multi-platform approach built upon the original design specifications, UA addresses the issues of vendor lock-in, compatibility, and configuration. President and executive director of the OPC Foundation Thomas Burke (2008) explained that UA gives OPC interoperability between the factory floor and the enterprise but also satisfies the embedded market, so that devices on the floor can interoperate with one another as well (ISS Connectivity).
The objective of UA is to allow customers to select the best application for interoperability by setting standards on the technology, not on the product or the vendor. These sets of standards define services that servers can provide, and each individual server specifies to the client which service sets it supports. The Address Space builds a common discipline in an unambiguous manner: data is represented hierarchically so that simple and complex structures can be discovered and utilized in a real-time environment (OPC Foundation, 2016). Information modeling is also a new feature that allows structures to be modeled and extended using object-oriented capabilities. With complete platform independence, the issues of security are addressed through a number of different controls such as session encryption, sequenced packets, authentication, auditing, and message signing. Lastly, UA is extensible, so new transport protocols or security algorithms can be incorporated without affecting historical data or existing products (OPC Foundation, 2016).
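To make concrete what sequenced packets, message signing and auditing buy a control network, here is an added Python example; it is not OPC UA’s SecureChannel format or the OPC Foundation’s code, and the message layout, the HMAC-SHA256 signature, the command strings and the shared key are all constructed for the illustration. A client and a server share a session key; every message carries a sequence number that is signed together with its payload, and the server refuses anything whose signature fails or whose sequence number does not advance, recording each decision in an audit log. Encryption is left out so the checks stay readable.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """One signed, sequenced message (layout constructed for this example)."""
    seq: int        # per-session sequence number, must strictly increase
    payload: bytes  # the command or data being carried
    tag: bytes      # HMAC-SHA256 over seq || payload


class SecureSession:
    """Toy session offering message signing, sequencing and auditing.

    Illustrative only: not OPC UA's SecureChannel wire format or algorithms.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.next_send_seq = 0
        self.last_recv_seq = -1
        self.audit = []  # (event, seq) records: the auditing control

    def _sign(self, seq: int, payload: bytes) -> bytes:
        # Sign the sequence number together with the payload so that neither
        # can be altered or recombined without invalidating the tag.
        data = struct.pack(">I", seq) + payload
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def send(self, payload: bytes) -> Message:
        seq = self.next_send_seq
        self.next_send_seq += 1
        return Message(seq, payload, self._sign(seq, payload))

    def receive(self, msg: Message):
        """Return the payload if the message is authentic and fresh, else None."""
        if not hmac.compare_digest(self._sign(msg.seq, msg.payload), msg.tag):
            self.audit.append(("bad_signature", msg.seq))     # altered or forged
            return None
        if msg.seq <= self.last_recv_seq:
            self.audit.append(("replay_or_reorder", msg.seq))  # stale sequence
            return None
        self.last_recv_seq = msg.seq
        self.audit.append(("accepted", msg.seq))
        return msg.payload


def demo():
    """Run a constructed exchange: two good messages, a replayed copy, a forgery."""
    key = secrets.token_bytes(32)  # shared session key, constructed for the demo
    client = SecureSession(key)
    server = SecureSession(key)

    m0 = client.send(b"read Temperature")
    m1 = client.send(b"write Setpoint=72")
    results = [server.receive(m0), server.receive(m1)]

    # A second delivery of an earlier valid message is rejected by the
    # sequence check even though its signature is genuine.
    results.append(server.receive(m0))
    # A payload changed in transit while keeping the original tag is
    # rejected by the signature check before the sequence is consulted.
    forged = Message(m1.seq, b"write Setpoint=99", m1.tag)
    results.append(server.receive(forged))
    return results, server.audit


if __name__ == "__main__":
    accepted, log = demo()
    for entry in log:
        print(entry)
```

The order of the two checks matters: the signature is verified first so that an unauthenticated sender cannot influence the receiver’s sequence state, and the audit log records why each message was dropped so that a flood of rejections can be noticed and investigated.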
Proprietary Technologies
Proprietary technology is a process, product, system, or technology owned exclusively by a single company or entity. This product or technology is closely guarded with patents or copyrights, as it can give its owner a competitive advantage or benefit in a given market. The development of proprietary technologies in-house allows its owner the right to sell for profit or lease out the technology to other parties and reap higher profits built around a long-term strategy. While there are numerous kinds of proprietary technologies, some of the major types are:
1. Lock-in Technologies – a commitment to a product the market selects as a technological standard because the network effects in the market are so vast that decision-makers are stuck with the product even in the face of a more qualified alternative.
2. Patented Technologies – a set of exclusive rights to a specific process, technology, or similar item granted to a company by an agreement through licensing or permission.
3. Trade Secrets – any accumulation of information that is generally unknown and that provides a significant advantage over others in a specific arena.
4. Digital Rights Management (DRM) – any access control technology that limits or restricts the way consumers copy content they have purchased, in an attempt to prevent unauthorized redistribution of digital media.
These examples highlight the overwhelming need that companies must address in order to stay relevant. The pressure to conform to digital media and streamline the business from top to bottom is already an immense task, but with new technology developing custom programming and applications, the need for adoption is present.
Is there a right technology for cybersecurity standards and ensuring compliance?
Standards are important as they provide rules and guidance for the culmination of an activity. They may specify the capacity of a product, or establish its shape, size, and even how the manufacturing process is run, with definitive procedures to guarantee no misunderstanding among those using the standard. The U.S. employs over 100,000 standards across all industries, including product-based, performance-based, management system, personnel certification, and construction standards. But as we tackle the expansion of the Internet of Things, how do these standards transfer into a digital medium and further the interconnectivity of our world? With a focus on the IT side of an organization, standards bodies can significantly impact the decisions of research and development assignments. For instance, any web-based application has specific standards imposed by ANSI (American National Standards Institute), IEEE (Institute of Electrical and Electronics Engineers), ISO (International Standards Organization), W3C (World Wide Web Consortium), as well as many others. With faster, more improved business practices created every day, how can we leverage the new with our existing information systems to ensure complete data and information transference?
With the introduction of OPC Unified Architecture and the open innovation model, more firms have been advocating its use to accelerate innovation. Chesbrough (2006) described open innovation as the use of purposive inflows and outflows of knowledge to accelerate internal innovation and to expand the markets for external use of innovation, respectively. For example, in the late 1980s IBM released its personal computer architecture and launched the field of personal computing. But when joined with Microsoft’s operating system and the new microprocessors of Intel, a standard for PCs was set for the industry and an explosion of new software and applications followed suit (Rao, Klein, & Chandra, 2011). OPC UA has taken the need for standardization and given it a more robust framework for all to use across multiple development groups. End users have seen value in the growth from Classic OPC, with an easy migration mechanism to permit existing products the new benefits of UA. The issue of interconnectivity is solved with OPC drivers available for thousands of devices with embedded OPC servers built in. And while the technical side of OPC UA is far advanced, the real niche is in interoperability. It allows participation in the creation of standards and in the direction they take, giving both insight into the future (competitive advantage) and increased efficiency toward future growth. With membership in the OPC Foundation, organizations are allowed to be a part of the process. Consistent standards from the beginning also allow an organization to interact with other applications through any common merger or alliance without the need for system integration or re-work (Epperson, 2014). This consistency can also prove beneficial, as an improved user experience leads to more confidence in the product and ease-of-use when updates come down the line. From a compliance standpoint, when software is equipped with standards and protocols built in, it goes through rigorous testing and quality assurance to ensure compliance. Lastly, a major advantage is the encouragement of innovation when vendors compete within internationally accepted standards, leading to higher customer satisfaction.
Many security experts believe that the influx of malicious behavior on the Internet has led more companies to focus primarily on compliance and forgo risk assessment and cybersecurity awareness (Allen, 2014). Over-confidence in standards as they are written, not tailored to an organization’s overall structure, can lead to disaster. For instance, NIST SP 800-53 Rev. 4 states that the controls listed are not a minimum but a starting point for organizations to begin their own risk assessment in order to define the number of controls and inputs needed for their security requirements (Allen, 2014). Supervisory control and data acquisition (SCADA) networks are especially vulnerable, as strategists have labeled them the ‘backbone’ of any country’s critical infrastructure (Paganini, 2013). The Stuxnet worm, a rootkit exploit that can identify Siemens SCADA software, is an example of malicious code designed to cripple infrastructure through injection into logic controllers (Rouse, 2010). In 2007, Iran’s nuclear program was severely infiltrated by the Stuxnet worm, and while it was compliant with all international laws, a lapse in security protocol on a basic level allowed this breach to happen; a perfect example of how risk assessment and cybersecurity awareness are as pivotal as compliance regulation.
Proprietary technologies are innovative assets that can improve efficiency and quality as a firm continues bold advancement in the marketplace by maintaining and properly protecting its competitive advantage. According to Jin, Vonderembse, and Ragau-Nathan (2013), a firm’s heterogeneity creates its competitive advantage because of the value and rareness of its unique resources (p. 5713). A major advantage is the professional services and automatic updates associated with proprietary software. Patching, software updates and 24/7 support allow IT departments to maintain a secure and up-to-date system, making it difficult and time-consuming for hackers to discern usable code to exploit a weakness. Along with this are the many components and tools attached to proprietary software that allow the organization to access specific programs built directly for niche or specific industries, which is difficult for OPC, which does not cater to specificity. However, following proprietary standards can leave an organization in the dark or open to obsolescence should the manufacturer move its focus to another market, leaving the program stagnant in the eyes of industry standards (Epperson, 2014). For example, Adobe Acrobat has long been heralded for its ease of use and compatibility and is widely endorsed by the U.S. government. So because preference is given to proprietary software, vendors must install and have a structure that supports Adobe (Linux does not) in order to stay current, while being forced to take reasonable assurance that Adobe has done its due diligence in regards to cybersecurity. This is also a cost concern, in comparison to OPC, where changing proprietary programs can be extremely expensive with no real benefit in the forecast for future use.
Nicholas Carr (2003) stated that when a resource becomes essential to competition but
inconsequential to strategy, the risks it creates become more important than the advantages it
provides. In this case, proprietary technology while laden with historical value is now only
viable if the market is expanding at a rate equivalent to cover the costs from past sales with
future revenue (Carroll, 2004).
With the impact of government oversight and driven by the innovative technologies
promoting interconnectivity, more firms are moving away from proprietary technologies in favor
of a more open, interconnected control system. OPC and open source technology have given
organizations the ability to set future-focused international standards adding flexibility, cross
functional integration and a more progressive way of measuring performance than ever before
(Epperson, 2014). Just recently, Microsoft relented and allowed its Windows-centric SQL Server database to run on Linux, an open-source operating system, a huge step for proprietary systems. Red Hat chief executive Jim Whitehurst told analysts, “Microsoft is recognizing that
Linux is a big part of the enterprise footprint…what we’re seeing now is that enterprises
typically pick one cloud to start but even today they recognize they have to run on multiple
clouds just to have some leverage and some choice” (Darrow, 2016). When both technologies
are properly coupled, there are benefits attributable to flexibility and firm performance; both
technologies are needed for a firm to create flexibility and to enhance quality, delivery
dependability and time-to-market (Jin, Vonderembse, and Ragau-Nathan, 2013).
Can global standards unify under differing standards?
The Internet has proven to be the most prolific asset in a company’s arsenal through its ability to create a common, open area to share information and conduct business transactions in real time across international borders. These transactions need protection from malicious activity, with standards kept to ensure a viable cybersecurity structure is in place. Still, with all of the measures in place, solving the issue of decision-making that affects the international community in regards to cybersecurity standards is proving to be more difficult with so many different bodies vying for consideration. According to the Government Accountability Office (GAO), there are more than twenty global organizations whose international influence significantly affects security and governance in cyberspace (Cooney, 2010). The organizations span all types of governing bodies, such as the Asia-Pacific Economic Cooperation (APEC), the European Union, the Forum of Incident Response and Security Teams (FIRST), the International Telecommunication Union (ITU), the International Organization for Standardization (ISO), and INTERPOL. Of course the U.S. has a number of agencies devoted to cyberspace governance and effectively coordinates with these entities to formulate new efforts.
In order to establish a set of global standards, we first need to search through the myriad of differing sources of standards used throughout the global cyber sphere and identify some major players. The Software Engineering Institute (SEI) at Carnegie-Mellon University helps improve software development processes. One such process is the Capability Maturity Model (CMM), a five-level model organizing ‘maturity’ to determine the effectiveness of a software development process. Originally intended for use within the U.S. government as a way to evaluate contractors, its accepted principles can be applied to software-reliant systems in the industry as a whole. CMM is similar to ISO 9000 and 9001, which are a series of standards advocating quality assurance in manufacturing and service industries, with ISO 9001 dealing specifically with software development. ISO 27001, established in 2005, uses a top-down, risk-based approach to information security management systems in a technology-neutral six-step planning process:
1. Define a security policy;
2. Define the scope of ISMS;
3. Conduct a risk assessment;
4. Manage identified risk;
5. Select control objectives and controls to be implemented; and
6. Prepare a statement of applicability (Rouse, 2009).
The reason ISO 27001 is so universally important is that it demonstrates clear adherence to ISM to contractual parties, promoting confidence while providing a framework of overarching management that ensures security needs remain current with an established threat matrix. The National Information Assurance Partnership (NIAP) is the governing U.S. body responsible for the implementation of the Common Criteria (CC), an arrangement among nations to continuously improve the efficiency and cost-effectiveness of IT products. CC seeks to provide the grounds for confidence in the reliability of judgments on certificates, given that products meet or exceed high, consistent standards (Common Criteria, 2016). The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity was developed in response to the 2013 Executive Order from President Obama to improve the U.S. stance on cybersecurity. After 10 months of collaboration and input from over 3,000 security professionals, the Framework crafted leverages and integrates industry-leading practices developed by NIST, ISO and others into a risk-based compilation of guidelines for cybersecurity, and creates a common language for internal and external communication of cybersecurity issues (PwC, 2014).
Will true unity be achieved?
The landscape for cybersecurity, both domestic and international, has changed so drastically in the last ten years that it is challenging to get all parties to adopt an international standard covering these topics. And as ever-changing and sophisticated cyber attackers attempt to undermine national infrastructures, the need for steps to improve is apparent. Former National Security Agency (NSA) and U.S. Cyber Command chief General Keith Alexander rated, out of 10 (10 being fully prepared), the U.S.’s preparedness to withstand a national infrastructure attack at a low 3 (Shackleford, Proia, Martell, & Craig, 2015). So it is not only prudent but advantageous to promote a single set of standards agreed upon by all to mitigate the onslaught of breaches and intrusions suffered on a daily basis. The NIST Framework, since its rollout, has been foreshadowed as a model of cybersecurity standards to be adopted by the international community. According to Shackleford et al. (2015), the uptake of the NIST Framework in the United Kingdom, India, and the European Union can help facilitate a global standard, as its ‘common sense’ approach and simplistic nature could create a common matrix for cyber risk, eliminating some of the more burdensome regulatory statutes. Surveys conducted by PricewaterhouseCoopers in 2008 indicated that a growing number of firms (57% of Indian, 58% of U.S., and 72% of Chinese firms) were extremely unhappy with cybersecurity regulation, oftentimes buried under layers of compliance resulting in fines for nonfulfillment (Shackleford, Proia, Martell, & Craig, 2015). The NIST Framework can also provide ancillary benefits in the form of assisted collaboration and communication of cybersecurity posture with like organizations, leading to the potential of future improvements in legality and threat intelligence (PwC, 2014).
Even beyond the tangible benefits of adopting the NIST Framework as an international
standard, communication is vital to the support for a common goal with cybersecurity.
Information Sharing and Analysis Centers (ISACs) have proven to be most effective in many
industries. Cybercrime is the fastest growing area of crime in the world and continued
collaboration and communication between industry leaders, law enforcement, and private sector
partners will promote innovation. INTERPOL has been integral in the transnational fight against
cybercrime and in 2014 opened the Global Complex for Innovation (GCI) in Singapore whose
mission is to leverage global cyber expertise through proactive research, the latest training
techniques and the development of innovative new policing tools (INTERPOL, 2016).
What impact does this have on decision-makers in regards to budgetary concern in IT investment?
Positioning other countries and industries into an ideal framework for cybersecurity standards and compliance may be a few years from fruition, but the goal for everyone is to find a way to mitigate risk and leverage the assets and knowledge gained to thwart cyberattacks. If true unity is not a realistic approach to this, policy and decision-makers need to refocus their efforts to establish effective cybersecurity intervention points in line with regulations, with a streamlined compliance package. Some of the more effective points are:
1. Minimize or eliminate conflicting security requirements, rationalize and streamline processes for compliance, and eliminate barriers that preclude the sharing of actionable intelligence between private and public sectors;
2. Review and revise any U.S. policy from a global perspective, proactively seeking dialogue with the international community to support best practices and counter any attempt by others to enact legislation countermanding the global market’s shared interest;
3. Allow flexibility with real risk management to organizations so they can adapt the model that best fits their needs, while advocating awareness and bolstering the reach of security education through the National Initiative for Cybersecurity Education (NICE) program in partnership with the private sector; and
4. Provide more resources to law enforcement, building on bilateral and multilateral agreements on cross-border prosecution, condemning safe havens for cyber criminals, and assisting technically and financially those countries in need to help improve their capacity to fight, joining the international efforts (ITIC, 2014).
How will cyberattack challenge developing global standards?
Information and Communication Technology (ICT) has seen exponential growth in emerging economies, and by the year 2025 upwards of 4.7 billion people will be online, creating a significant shift in cybersecurity needs (Microsoft, 2014). Government resistance coupled with restrictive technologies in a rapidly changing technological environment can inhibit cooperation, all in an attempt to control the flow of information. In doing so, governments will knowingly violate intellectual property rights or attempt to force judicial mandates on businesses to such an extent that businesses will refuse to invest in research and development. These are the roads that must not be followed if any understanding and cooperation is to be found (Tzu, 2009). Currently, Apple is taking the fight to the Federal Bureau of Investigation (FBI) over privacy issues and the ability to break encryption. This has huge implications in regards to what a government can or cannot do, and if this technology is created, how do we safeguard against piracy or misappropriation, as seen with the NSA and the Edward Snowden leak? Fostering an environment of mistrust and animosity towards government restriction can only widen the divide, affecting the global community as a whole.
Cyberattacks are not limited to hackers and credit card theft or stolen identities. Nation states have been viciously attacking other nations or organizations in order to destabilize and/or disrupt them through manipulation, cyber espionage and illegal access to gain data or information. This type of aggressive behavior further denigrates the global collective’s progress towards ratifying a set of international standards. Furthermore, the lack of repercussion or punishment for such behavior has not been addressed, since there is no current international legal framework to measure against. And while denouncing it in a public forum may gain points in the polls, it does nothing to eradicate the behavior. Lastly, international law does not differentiate between attacker and state, nor does it decide what is an unlawful cyberattack, leaving the option for reciprocity in the hands of those affected, which could be tantamount to all-out cyber warfare. These jurisdictional issues are coupled with the need for attribution in order to understand and make informed decisions.
From a scaled down perspective, cybersecurity awareness, simple authentication protocol
and encryption can go a long way in improving from an operational standpoint. According to
Weidman (2014), the cutting edge of password cracking and breaking authentication protocol
resides in harnessing multiple top-spec cloud servers and once a foothold on the system is held,
advanced attack methods can exploit any and all vulnerabilities (P. 214). If you entrench
yourself behind strong fortifications, you compel the enemy seek a solution elsewhere
(Clausewitz, 1989). Continuous improvement in R&D, testing services and knowledge of IT
personnel and employees will lead to better coverage and a firm cybersecurity posture.
Conclusion
Governing powers and private entities have embraced ICT and reaped the immeasurable
benefits it provides, from email to cloud computing. New technology paves the way for innovation
and improved processes for all, making business more accessible and more profitable. But IT has
to be looked upon as an asset worth protecting, not just a part of business. Make no mistake:
there are people and organizations in the world ready to wreak havoc with the touch of a
keyboard, and it is our duty as consumers of all things digital to safeguard ourselves from them.
This is a global issue for nation states and multinational companies to take note of, because
information has no boundaries. In order to make a more perfect union, governing bodies
need to set aside differences and work towards the common goal of creating and maintaining a
set of standards to unify cyberspace. Instead of taking a reactive approach to a breach, use the
tools and best practices while communicating with other entities to find a proactive stance and
pursue one great decisive aim with force and determination (Clausewitz, 1989) by mitigating risk
through a common management standard. Foster an open, flexible dialogue with other countries
about legislation and involve judicial entities like INTERPOL to hunt down and prosecute
offenders, leaving no safe haven. This issue is too large for any one government to address, but
through dedicated coordination toward a greater cause a solution can be found.
References
Allen, D. (2014). Compliance standards create false sense of cybersecurity awareness. Techtarget.com. Retrieved from: http://searchcompliance.techtarget.com/tip/Compliance-standards-create-false-sense-of-cybersecurity-awareness
Bucci, S., Rosenzweig, P., & Inserra, D. (2013). A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace. Heritage.org. Retrieved from: http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace
Carr, N. (2003). IT Doesn't Matter. HBR.org. Retrieved from: https://hbr.org/2003/05/it-doesnt-matter/ar/1
Carroll, J. (2004). Open source vs proprietary: Both have advantages. ZDNet.com. Retrieved from: http://www.zdnet.com/article/open-source-vs-proprietary-both-have-advantages/
Cavelty, M. D. (2014). Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities. Science and Engineering Ethics, 20(3). DOI 10.1007/s11948-014-9551-y
Chesbrough, H. (2006). Open innovation: Researching a new paradigm. Oxford: Oxford University Press.
Common Criteria. (2016). About The Common Criteria. Commoncriteriaportal.org. Retrieved from: http://www.commoncriteriaportal.org/ccra/
Cooney, M. (2010). Who really sets global cybersecurity standards? Networkworld.com. Retrieved from: http://www.networkworld.com/article/2231519/security/who-really-sets-global-cybersecurity-standards-.html
Darrow, B. (2016). Red Hat is now a $2 Billion Open-Source Baby. Fortune.com. Retrieved from: http://fortune.com/2016/03/22/red-hat-revenue-2-billion-open-source/
Epperson, B. (2014). Choosing Standards Compliance Over Proprietary Practices. Mozilla.org. Retrieved from: https://developer.mozilla.org/en-US/docs/Choosing_Standards_Compliance_Over_Proprietary_Practices
Honeywell International, Inc. (2016). OPC Unified Architecture. Matrikonopc.com. Retrieved from: https://www.matrikonopc.com/downloads/58/specifications/index.aspx
Information Technology Industry Council. (2011). The IT Industry's Cybersecurity Principles for Industry and Government. ITIC.org. Retrieved from: https://www.itic.org/policy/cybersecurity
INTERPOL. (2016). Cybercrime. Interpol.int. Retrieved from: http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
ISS Connectivity. (2016). Introduction to OPC UA and its Concepts. Issconnectivity.com. Retrieved from: http://issconnectivity.com/opc-ua/
Jin, Y., Vonderembse, M., & Ragu-Nathan, T. S. (2013). Proprietary technologies: building a manufacturer's flexibility and competitive advantage. International Journal of Production Research, 51(19), pp. 5711-5727. http://dx.doi.org/10.1080/00207543.2013.784407
May, M. M., & Elliott, D. (2001). Consortium for Research on Information Security and Policy. Stanford.edu. Retrieved from: http://fsi.stanford.edu/research/consortium_for_research_on_information_security_and_policy
Microsoft. (2014). Cyberspace 2025: Today's Decisions, Tomorrow's Terrain. Microsoft.com. Retrieved from: https://www.microsoft.com/security/cybersecurity/cyberspace2025/#chapter-1
National Academy of Sciences. (2014). Cybersecurity Dilemmas: Technology, Policy, and Incentives. NAP.edu. Retrieved from: http://www.nap.edu/read/21833/chapter/1#ii
OPC Foundation. (2016). Unified Architecture. OPCFoundation.org. Retrieved from: https://opcfoundation.org/about/opc-technologies/opc-ua/
Paganini, P. (2013). Improving SCADA System Security. Infosecinstitute.com. Retrieved from: http://resources.infosecinstitute.com/improving-scada-system-security/
PwC. (2014). Why You Should Adopt the NIST Cybersecurity Framework. PwC.com. Retrieved from: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=23&ved=0ahUKEwimnsjdmtfLAhXESiYKHVDfAME4FBAWCCYwAg&url=https%3A%2F%2Fwww.pwc.com%2Fus%2Fen%2Fincreasing-it-effectiveness%2Fpublications%2Fassets%2Fadopt-the-nist.pdf&usg=AFQjCNHNw-BCoTXT3faCbv5hYg4qaMjroQ&sig2=jG7zFTRnpcyzBE_0n2UHfg&cad=rjt
Rao, P. M., Klein, J. A., & Chandra, R. (2011). Innovation Without Property Rights and Property Rights Without Innovation: Recent Developments in the ICT Sector. Advances in Competitiveness Research, 19(1/2), pp. 83-99.
Rouse, M. (2010). ISO 27001. Techtarget.com. Retrieved from: http://searchsecurity.techtarget.co.uk/definition/ISO-27001
Rouse, M. (2010). Stuxnet. Techtarget.com. Retrieved from: http://searchsecurity.techtarget.in/definition/Stuxnet
Shackelford, S. J., Proia, A. A., Martell, B., & Craig, A. N. (2015). Toward a Global Cybersecurity Standard of Care? Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices. Texas International Law Journal, 50(2), pp. 303-353.
Tzu, S. (2009). The Art of War: Translated by Daniel Gillies. Classics.mit.edu. Retrieved from: http://classics.mit.edu/Tzu/artwar.html
U.S. Government Accountability Office. (2012). Cybersecurity: Challenges in Securing the Electricity Grid. GAO.gov. Retrieved from: http://www.gao.gov/assets/600/592508.pdf
Von Clausewitz, C. (1989). On War. Princeton, NJ: Princeton University Press.
Weidman, G. (2014). Penetration Testing: A Hands-On Introduction to Hacking. San Francisco, CA: No Starch Press, Inc.