Cybersecurity Standards

John Harvey

CSEC 635

25 March 2016



Cybersecurity Standards 2

Table of Contents

Introduction (p. 2)
Cybersecurity Standards: Challenges in progress (p. 4)
The Policy Maker’s Dilemma (p. 4)
Technology Architectures (p. 6)
  Unified Architecture (p. 6)
  Proprietary Technologies (p. 7)
Is there a right technology for cybersecurity standards and ensuring compliance? (p. 8)
Can global standards unify under differing standards? (p. 12)
Will true unity be achieved? (p. 14)
What impact does this have on decision-makers in regards to budgetary concern in IT investment? (p. 16)
How will cyberattack challenge developing global standards? (p. 17)
Conclusion (p. 18)
References (p. 19)


Introduction

Transforming, modernizing, revolutionizing, life-altering: all are words synonymous with the introduction of the Internet and the World Wide Web. It has truly changed the way we communicate, socialize, and work; the very dynamic that makes us human. Our collective entity is encased in bits and bytes of data stored and shared online through a single global digital infrastructure created to meet our growing demands in the individual, private, and public arenas (National Academy of Sciences, 2014). We go about our daily routines reliant upon this technology to make our lives easier, but in our haste we sometimes forget about the danger that can manifest in ease. With an immeasurable amount of data online, the vulnerability to attack becomes much more evident, and those who wish to do harm become much more inclined to act. Sun Tzu once said, “attack where he is unprepared, appear where you are not expected,” for cleverness has never been associated with haste.

Cybersecurity is now intertwined into every conversation from almost every perspective. The many issues range from the protection of a single computer, through decision-making about architectures, to global initiatives on how to be more secure in cyberspace. The United States (U.S.) began looking to establish a security standard in the early 1980s, but it wasn’t until the explosion of the World Wide Web and Internet service providers that a paradigm shift in business took place. Now we are engulfed in the Internet economy, fully embracing globalization as the new norm. So how do we protect ourselves? So far the U.S. has doubled down on its efforts at creating standards for businesses to use, but as fast as we can make them, technology innovation renders them obsolete. The international community has done far less to develop and implement effective solutions to impede cyberattack, as the governing bodies cannot come to consensus on concerns with legality, jurisdiction, forensics, research and development, or even best practices. It is incumbent upon the global community to review innovative technologies and system architectures in order to design, develop, and maintain a collaborative set of standards unifying the cybersphere and ensuring a commonality of compliance.

Cybersecurity Standards: Challenges in progress

Standards and compliance are now a part of doing business, whether it be state, local, federal, or even international. Almost every agency of government has need for standards as a key element in maintaining conformity while fostering innovation through the reinvention of processes, practices, and product development. Standards set for a user’s or organization’s cyber environment are dependent upon the various entities within it and have evolved over time. The network, the applications, and the hierarchy of process and system architecture are all interconnected and in need of established objectives to reduce the risk of breach or attack in all its forms. With various countries now doing business via these networks, the international community has long collaborated on policies and practices designed around information assurance and security.

The Policy Maker’s Dilemma

The U.S. Congress, in coordination with various private corporations, has pushed tirelessly through efforts trying to improve cybersecurity in a digital world. In 1998, the National Security Agency (NSA) contracted with Stanford University to devise a program aimed solely at identifying cyber threats and developing a way to address these concerns. The program became known as CRISP (Consortium for Research on Information Security and Policy), and its findings suggested that critical infrastructure was at risk because of government limitations on both privately owned infrastructure and industry cooperation toward security, that unilateral national actions were ineffective, and that legal problems arose from there being little to no applicable international law governing suspicious or malicious activity in cyberspace (May & Elliott, 2001). More importantly, the latent nature of cyber-attack has led many to discount the need for cybersecurity, thus putting others at risk.

Efforts to pass legislation such as the 2011 Cyber Intelligence and Sharing Protections Act (CISPA) and the Senate Cybersecurity Act (CSA) of 2012 have failed because the regulatory framework they proposed left many with doubts. Federal regulation is a slow, cumbersome process that takes between 24 and 36 months to implement, whereas the processing power of computers and the dynamic field move in roughly half that amount of time, leaving the regulation out-of-date and useless (Bucci, Rosenzweig, & Inserra, 2013). Coupled with the recent breaches and failures of many government agencies, the push for standards and responsibility to the private sector is all but warranted. The Government Accountability Office (GAO) sides with technology innovators and contends that regulation would in fact create a culture focused solely on compliance rather than a culture focused on achieving comprehensive and effective cybersecurity (GAO, 2012).

The other issue policymakers are finding especially nerve-wracking is the contrasting landscape of technology architectures and auditing methodologies used in the cyber environment, and the legality across borders. For a more effective cybersecurity framework, a standard set of operating procedures can be applied through a specific architecture to improve internal controls and assess risks to informational assets or systems. By making the appropriate preparations, considering all possible outcomes of misfortune should they occur, advancing into uncertainty is warranted (Clausewitz, 1989). However, deciding on the best stratagem to develop cyber controls in a cyber-centric world only becomes harder when dealing with regulatory standards versus proprietary technology, secure coding practices, systems-based versus risk-based approaches to auditing, and various other choices.

Technology Architectures

Information technology architecture is the process of developing the intricate specifications, working parts, and modeling concepts, following a framework, that make up an organization’s technology portfolio. It is an attempt to formulate a set of resources that enable the logical and physical application of data components, bridging the gap between IT and business, into a deliverable approach consistent with industry practices and safeguarded within the physical design of the building.

Unified Architecture

Open Platform Communications (OPC) was released in 1996 as Object Linking and Embedding (OLE) for Process Control, designed for Microsoft Windows operating systems. The major design goal was to connect software applications and process control hardware through a defined set of standards used to facilitate interoperability. A goal of OPC is to reduce redundant effort between manufacturing and software entities and to interface the two through the creation of a common interface that can be reused by any business. The OPC Foundation was established to oversee the standard and grow its usage in a consistent manner, offering membership that includes access to the latest specifications and updates.

OPC Unified Architecture (UA), released in 2008, is the culmination of years of work to successfully integrate new technology into the OPC suite. The original protocol, while advanced at the time, suffered a number of drawbacks like low security and configuration issues, but the three main reasons for UA were:

1. It surpassed its use as a simple point-to-point solution, taking on a more integral role in extremely complex OPC architectures that required key specifications in functional areas.

2. Clients and businesses requested more ways to leverage standards to assist in defining other industries.

3. It needed to expand its base beyond Microsoft Windows to support Linux, Apple OSX, and other platforms as a cross-platform service-oriented architecture (SOA) able to handle XML, TCP, Java, and Web Services (Honeywell International, Inc., 2016).

Evolving to a multi-platform approach built upon the original design specifications, UA addresses the issues of vendor lock-in, compatibility, and configuration. President and executive director of the OPC Foundation Thomas Burke (2008) explained that UA not only gives OPC interoperability between the factory floor and the enterprise but also satisfies the embedded market, so devices on the floor can interoperate with one another as well (ISS Connectivity).

The objective for UA is to allow customers to select the best application for interoperability by setting standards on technology, not on the product or the vendor. These sets of standards define services that servers can provide, and each individual server specifies to the client which service sets it supports. The Address Space imposes a common discipline in an unambiguous manner: data is represented hierarchically so that both simple and complex structures can be discovered and used in a real-time environment (OPC Foundation, 2016). Information modeling is also a new feature that allows structures to be modeled and extended using object-oriented capabilities. With complete platform independence, the issues of security are addressed through a number of different controls such as session encryption, sequenced packets, authentication, auditing, and message signing. Lastly, UA is extensible, so new transport protocols or security algorithms can be incorporated without affecting historical data or existing products (OPC Foundation, 2016).

Proprietary Technologies

Proprietary technology is a process, product, system, or technology owned exclusively by a single company or entity. This product or technology is closely guarded with patents or copyrights, as it can give its owner a competitive advantage or benefit in a given market. Developing proprietary technologies in-house gives the owner the right to sell for profit or lease out the technology to other parties and reap higher profits built around a long-term strategy. While there are numerous kinds of proprietary technologies, some of the major types are:

1. Lock-in Technologies – a commitment to a product the market has selected as a technological standard because network effects in the market are so vast that decision-makers are stuck with the product even in the face of a more qualified alternative.

2. Patented Technologies – a set of exclusive rights to a specific process, technology, or similar item granted to a company by an agreement through licensing or permission.

3. Trade Secrets – any accumulation of information that is generally unknown and that provides a significant advantage over others in a specific arena.

4. Digital Rights Management (DRM) – any access control technology that limits or restricts the way consumers copy content they’ve purchased, in an attempt to prevent unauthorized redistribution of digital media.

These examples highlight the overwhelming need that companies must address in order to stay relevant. The pressure to conform to digital media and streamline the business from top to bottom is already an immense task, but with new technology driving custom programming and applications, the need for adoption is present.


Is there a right technology for cybersecurity standards and ensuring compliance?

Standards are important as they provide rules and guidance for the culmination of an activity. They may specify the capacity of a product, or establish its shape, size, and even how the manufacturing process is run, with definitive procedures to guarantee no misunderstanding is found among those using the standard. The U.S. employs over 100,000 standards across all industries, including product-based, performance-based, management system, personnel certification, and construction standards. But as we tackle the expansion of the Internet of Things, how do these standards transfer into a digital medium and further the interconnectivity of our world? With a focus on the IT side of an organization, standards bodies can significantly impact the decisions of research and development assignments. For instance, any web-based application has specific standards imposed by ANSI (American National Standards Institute), IEEE (Institute of Electrical and Electronics Engineers), ISO (International Standards Organization), W3C (World Wide Web Consortium), and many others. With faster, more improved business practices created every day, how can we leverage the new with our existing information systems to ensure complete data and information transference?

With the introduction of OPC Unified Architecture and the open innovation model, more firms have been advocating its use to accelerate innovation. Chesbrough (2006) described open innovation as the use of purposive inflows and outflows of knowledge to accelerate internal innovation, and to expand the markets for external use of innovation, respectively. For example, in the late 1980’s IBM released its personal computer architecture and launched the field of personal computing. But when joined with Microsoft’s operating system and the new microprocessors of Intel, a standard for PCs was set for the industry and the explosion of new software and applications followed suit (Rao, Klein, & Chandra, 2011). OPC UA has taken the need for standardization and given it a more robust framework for all to use across multiple development groups. End users have seen value in the growth from Classic OPC, with an easy migration mechanism that permits existing products the new benefits of UA. The issue of interconnectivity is solved with OPC drivers available for thousands of devices with embedded OPC servers built in. And while the technical side of OPC UA is far advanced, the real niche is in interoperability. It allows participation in the creation of standards and in the direction they take, giving both insight into the future (competitive advantage) and increased efficiency toward future growth. With membership in the OPC Foundation, organizations are allowed to be a part of the process. Consistent standards from the beginning also allow an organization to interact with other applications through any common merger or alliance without the need for system integration or re-work (Epperson, 2014). This consistency can also prove beneficial, as an improved user experience leads to more confidence in the product and ease-of-use when updates come down the line. From a compliance standpoint, when software is equipped with standards and protocols built in, it goes through rigorous testing and quality assurance to ensure compliance. Lastly, a major advantage is the encouragement of innovation when vendors compete within internationally accepted standards, leading to higher customer satisfaction.

Many security experts believe that the influx of malicious behavior on the Internet has led more companies to focus primarily on compliance and forgo risk assessment and cybersecurity awareness (Allen, 2014). Over-confidence in standards as they are written, not tailored to an organization’s overall structure, can lead to disaster. For instance, NIST SP 800-53 Rev. 4 states that the controls listed are not the minimum but a starting point for organizations to begin their own risk assessment in order to define the number of controls and inputs needed for their security requirements (Allen, 2014). Supervisory control and data acquisition (SCADA) networks are especially vulnerable, as strategists have labeled them the ‘backbone’ of any country’s critical infrastructure (Paganini, 2013). The Stuxnet worm, a rootkit exploit that can identify Siemens SCADA software, is an example of malicious code that was designed to cripple infrastructure through injection into logic controllers (Rouse, 2010). In 2007, Iran’s nuclear program was severely infiltrated by the Stuxnet worm, and while it was compliant with all international laws, a lapse in security protocol on a basic level allowed this breach to happen; a perfect example of how risk assessment and cybersecurity awareness are as pivotal as compliance regulation.

Proprietary technologies are innovative assets that can improve efficiency and quality as a firm continues bold advancement in the marketplace by maintaining and properly protecting its competitive advantage. According to Jin, Vonderembse, and Ragau-Nathan (2013), a firm’s heterogeneity creates its competitive advantage because of the value and rareness of its unique resources (p. 5713). A major advantage is the professional services and automatic updates associated with proprietary software. Patching, software updates, and 24/7 support allow IT departments to maintain a secure and up-to-date system, making it difficult and time-consuming for hackers to discern usable code to exploit a weakness. Along with this are the many components and tools attached to proprietary software that allow the organization to access specific programs built directly for niche or specific industries, something difficult for OPC, which does not cater to specificity. However, following proprietary standards can leave an organization in the dark or open to obsolescence should the manufacturer move its focus to another market, leaving the program stagnant in the eyes of industry standards (Epperson, 2014). For example, Adobe Acrobat has long been heralded for its ease of use and compatibility and is widely endorsed by the US government. So because a preference is given to a proprietary software, vendors must install and have a structure that supports Adobe (Linux does not) in order to stay current, while being forced to take reasonable assurance that Adobe has done its due diligence in regards to cybersecurity. This is also a cost concern, in comparison to OPC, where changing proprietary programs can be extremely expensive with no real benefit in the forecast for future use.

Nicholas Carr (2003) stated that when a resource becomes essential to competition but inconsequential to strategy, the risks it creates become more important than the advantages it provides. In this case, proprietary technology, while laden with historical value, is now only viable if the market is expanding at a rate sufficient to cover the costs from past sales with future revenue (Carroll, 2004).

With the impact of government oversight and driven by the innovative technologies promoting interconnectivity, more firms are moving away from proprietary technologies in favor of a more open, interconnected control system. OPC and open source technology have given organizations the ability to set future-focused international standards, adding flexibility, cross-functional integration, and a more progressive way of measuring performance than ever before (Epperson, 2014). Just recently, Microsoft broke down and allowed its Windows-centric SQL Server database to run on Linux, an open-source operating system, a huge step for proprietary systems. Red Hat chief executive Jim Whitehurst told analysts, “Microsoft is recognizing that Linux is a big part of the enterprise footprint…what we’re seeing now is that enterprises typically pick one cloud to start but even today they recognize they have to run on multiple clouds just to have some leverage and some choice” (Darrow, 2016). When both technologies are properly coupled, there are benefits attributable to flexibility and firm performance; both technologies are needed for a firm to create flexibility and to enhance quality, delivery dependability, and time-to-market (Jin, Vonderembse, & Ragau-Nathan, 2013).


Can global standards unify under differing standards?

The Internet has proven to be the most prolific asset in a company’s arsenal through its ability to create a common, open area to share information and conduct business transactions in real-time across international borders. These transactions need protection from malicious activity, with standards kept to ensure a viable cybersecurity structure is in place. Still, with all of the measures in place, solving the issue of decision-making that affects the international community in regards to cybersecurity standards is proving to be more difficult with so many different bodies vying for consideration. According to the Government Accountability Office (GAO), there are more than twenty global organizations whose international influence significantly affects security and governance in cyberspace (Cooney, 2010). The organizations affiliated span all types of governing bodies, such as the Asia-Pacific Economic Cooperation (APEC), the European Union, the Forum of Incident Response and Security Teams (FIRST), the International Telecommunication Union (ITU), the International Organization for Standardization (ISO), and INTERPOL. Of course the U.S. has a number of agencies devoted to cyberspace governance and effectively coordinates with these entities to formulate new efforts.

In order to establish a set of global standards, we first need to search through the myriad of differing sources of standards used throughout the global cyber sphere and identify some major players. The Software Engineering Institute (SEI) at Carnegie-Mellon University helps improve software development processes. One such effort is the Capability Maturity Model (CMM), a five-level model organizing ‘maturity’ to determine the effectiveness of a software development process. Originally intended for use within the U.S. government as a way to evaluate contractors, its accepted principles can be applied to software-reliant systems in the industry as a whole. CMM is similar to ISO 9000 and 9001, which are a series of standards advocating quality assurance in manufacturing and service industries, with ISO 9001 dealing specifically with software development. ISO 27001, established in 2005, uses a top-down, risk-based approach to information security management systems in a technology-neutral six-step planning process:

1. Define a security policy;

2. Define the scope of the ISMS;

3. Conduct a risk assessment;

4. Manage identified risk;

5. Select control objectives and controls to be implemented; and

6. Prepare a statement of applicability (Rouse, 2009).

The reason ISO 27001 is so universally important is that it demonstrates a clear adherence to ISM to contractual parties, promoting confidence while providing a framework of overarching management that ensures security needs remain current with an established threat matrix. The National Information Assurance Partnership (NIAP) is the governing U.S. body responsible for the implementation of the Common Criteria (CC), an arrangement among nations to continuously improve the efficiency and cost-effectiveness of IT products. CC seeks to provide the grounds for confidence in the reliability of judgments on certificates, given that products meet or exceed high, consistent standards (Common Criteria, 2016). The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity was developed in response to the 2013 Executive Order from President Obama to improve the U.S. stance on cyber security. After 10 months of collaboration and input from over 3,000 security professionals, the resulting Framework leverages and integrates industry-leading practices developed by NIST, ISO, and others into a risk-based compilation of guidelines for cybersecurity, and creates a common language for internal and external communication of cybersecurity issues (PwC, 2014).

Will true unity be achieved?

The landscape for cybersecurity, both domestically and internationally, has changed so drastically in the last ten years that it is challenging to get all parties to adopt an international standard covering these topics. And as ever-changing and sophisticated cyber attackers attempt to undermine national infrastructures, the need for improvement is apparent. Former National Security Agency (NSA) and U.S. Cyber Command Chief General Keith Alexander rated the U.S.’s preparedness to withstand a national infrastructure attack at a low 3 out of 10 (10 being fully prepared) (Shackleford, Proia, Martell, & Craig, 2015). So not only is it prudent, it’s advantageous to promote a single set of standards agreed upon by all to mitigate the onslaught of breaches and intrusions suffered on a daily basis. The NIST Framework, since its rollout, has been held up as a model of cybersecurity standards to be adopted by the international community. According to Shackleford et al. (2015), the uptake of the NIST Framework in the United Kingdom, India, and the European Union can help facilitate a global standard, as its ‘common sense’ approach and simplistic nature could create a common matrix for cyber risk, eliminating some of the more burdensome regulatory statutes. Surveys conducted by PricewaterhouseCoopers in 2008 indicated that a growing number of firms (57% of Indian, 58% of U.S., and 72% of Chinese firms) were extremely unhappy with cybersecurity regulation, often buried under layers of compliance resulting in fines for nonfulfillment (Shackleford, Proia, Martell, & Craig, 2015). The NIST Framework can also provide ancillary benefits in the form of assisted collaboration and communication of cybersecurity posture with like organizations, leading to the potential of future improvements in legality and threat intelligence (PwC, 2014).


Even beyond the tangible benefits of adopting the NIST Framework as an international standard, communication is vital to the support for a common goal in cybersecurity. Information Sharing and Analysis Centers (ISACs) have proven to be most effective in many industries. Cybercrime is the fastest growing area of crime in the world, and continued collaboration and communication between industry leaders, law enforcement, and private sector partners will promote innovation. INTERPOL has been integral in the transnational fight against cybercrime and in 2014 opened the Global Complex for Innovation (GCI) in Singapore, whose mission is to leverage global cyber expertise through proactive research, the latest training techniques, and the development of innovative new policing tools (INTERPOL, 2016).

What impact does this have on decision-makers in regards to budgetary concern in IT investment?

Positioning other countries and industries into an ideal framework for cybersecurity standards and compliance may be a few years from fruition, but the goal for everyone is to find a way to mitigate risk and leverage the assets and knowledge gained to thwart cyberattacks. If true unity is not a realistic approach to this, policy and decision-makers need to refocus their efforts to establish effective cybersecurity intervention points, in line with regulations, with a streamlined compliance package. Some of the more effective points are:

1. Minimize or eliminate conflicting security requirements, rationalize and streamline processes for compliance, and eliminate barriers that preclude the sharing of actionable intelligence between private and public sectors;

2. Review and revise any U.S. policy from a global perspective, proactively seeking dialogue with the international community to support best practices and counter any attempt by others to enact legislation countermanding the global markets’ shared interest;

3. Allow flexibility with real risk management to organizations so they can adapt the model that best fits their needs, while advocating awareness and bolstering the reach of security education through the National Initiative for Cybersecurity Education (NICE) program in partnership with the private sector; and

4. Provide more resources to law enforcement, building on bilateral and multilateral agreements on cross-border prosecution, condemning safe havens for cyber criminals, and assisting, technically and financially, those countries in need so they can improve their capacity to fight cybercrime by joining the international efforts (ITIC, 2014).

How will cyberattack challenge developing global standards?

Information and Communication Technology (ICT) has seen exponential growth in emerging economies, and by the year 2025 upwards of 4.7 billion people will be online, creating a significant shift in cybersecurity needs (Microsoft, 2014). Government resistance coupled with restrictive technologies in a rapidly changing technological environment can inhibit cooperation, all in an attempt to control the flow of information. In doing so, governments will knowingly violate intellectual property rights or attempt to force judicial mandates on businesses to such an extent that businesses will refuse to invest in research and development. These are the roads that must not be followed if any understanding and cooperation is to be found (Tzu, 2009). Currently, Apple is taking the fight to the Federal Bureau of Investigation (FBI) over privacy issues and the ability to break encryption. This has huge implications in regards to what a government can or cannot do, and if this technology is created, how do we safeguard against piracy or misappropriation, as seen with the NSA and the Edward Snowden leak? Fostering an environment of mistrust and animosity towards government restriction can only divide the line further, affecting the global community as a whole.


Cyberattacks are not limited to hackers and credit card theft or stolen identities. Nation states have been viciously attacking other nations or organizations in order to destabilize and/or disrupt through the use of manipulation, cyber espionage, and illegal access to gain data or information. This type of aggressive behavior further undermines the global collective effort toward ratifying a set of international standards. Furthermore, the lack of repercussion or punishment for such behavior has not been addressed, since there is no current international legal framework to measure against. And while denouncing it in a public forum may gain points in the polls, it does nothing to eradicate the behavior. Lastly, international law does not differentiate between attacker and state, nor does it decide what is an unlawful cyberattack, leaving the option of reciprocity in the hands of those affected, which could be tantamount to all-out cyber warfare. These jurisdictional issues are compounded by the need for attribution in order to understand events and make informed decisions.

From a scaled-down, operational perspective, cybersecurity awareness, sound authentication protocols and encryption can go a long way. According to Weidman (2014), the cutting edge of password cracking and of breaking authentication protocols lies in harnessing multiple top-spec cloud servers, and once a foothold on a system is held, advanced attack methods can exploit any and all vulnerabilities (p. 214). If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere (Clausewitz, 1989). Continuous improvement in R&D, testing services and the knowledge of IT personnel and employees will lead to better coverage and a firm cybersecurity posture.
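To make the operational point concrete, the following is an added example written for this page; it is not code from the paper or from Weidman (2014). It runs the same dictionary attack against two password-storage schemes, an unsalted single-round SHA-1 digest and a per-user-salted PBKDF2-HMAC-SHA256 record with a work factor, and then measures what each guess costs the attacker. The wordlist, the sample password, the iteration count and the cloud-server figures in the demo are constructed assumptions.

```python
"""
Added example (not from the paper or from Weidman, 2014): a dictionary
attack run against two password-storage schemes, showing why a slow,
salted verifier blunts the cloud-scale cracking the text describes.
The wordlist, sample password and iteration count are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed attacker wordlist (a stand-in for a real cracking dictionary).
WORDLIST = ["password", "letmein", "123456", "qwerty", "Winter2016!", "dragon"]


# --- Weak scheme: unsalted, single-round SHA-1 -------------------------------
def weak_hash(password: str) -> str:
    """One fast hash per password; identical passwords give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak(stored_digest: str, wordlist) -> Optional[str]:
    """Dictionary attack: one cheap hash per guess, trivially parallel across servers."""
    for guess in wordlist:
        if weak_hash(guess) == stored_digest:
            return guess
    return None


# --- Hardened scheme: per-user salt + PBKDF2-HMAC-SHA256 with a work factor --
ITERATIONS = 200_000  # assumption: tuned so one verify costs ~0.1 s on the auth server


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Store salt, work factor and derived key; the random salt defeats precomputed tables."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_hardened(record: dict, wordlist) -> Optional[str]:
    """Same dictionary attack; every guess now pays the full work factor."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


# --- Measuring what the work factor buys -------------------------------------
def guesses_per_second(check, rounds: int) -> float:
    """Throughput of one guess function on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        check("not-the-password")
    return rounds / (time.perf_counter() - start)


def estimated_crack_seconds(candidates: int, rate_per_server: float, servers: int) -> float:
    """Worst-case time to exhaust `candidates` guesses spread across `servers` machines."""
    return candidates / (rate_per_server * servers)


if __name__ == "__main__":
    record = make_record("Winter2016!")
    print("weak scheme cracked:    ", crack_weak(weak_hash("Winter2016!"), WORDLIST))
    print("hardened scheme cracked:", crack_hardened(record, WORDLIST))

    weak_rate = guesses_per_second(weak_hash, rounds=20_000)
    hard_rate = guesses_per_second(lambda p: verify(record, p), rounds=5)
    keyspace = 10 ** 9  # constructed: a billion-entry candidate list
    servers = 100       # constructed: "multiple top-spec cloud servers"
    print(f"weak:     {weak_rate:,.0f} guesses/s/server -> "
          f"{estimated_crack_seconds(keyspace, weak_rate, servers):,.0f} s to exhaust")
    print(f"hardened: {hard_rate:,.1f} guesses/s/server -> "
          f"{estimated_crack_seconds(keyspace, hard_rate, servers):,.0f} s to exhaust")
```

Both verifiers give up the sample password because it is in the wordlist; what changes is the price of each guess, which the timing loop reports for the machine it runs on. The absolute rates are pessimistic for the attacker (a GPU rig computes SHA-1 orders of magnitude faster than Python does), but the ratio carries over: a work factor of 200,000 makes every guess roughly that many times more expensive whether the attacker has one laptop or a hundred cloud servers, and the per-user salt forces the cost to be paid once per account rather than once per wordlist. That is the "strong fortification" that pushes the adversary to look elsewhere.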

Conclusion

Governing powers and private entities have embraced ICT and reaped the immeasurable benefits it provides, from email to cloud computing. New technology paves the way for innovation and improved processes for all, making business more accessible and more profitable. But IT has to be looked upon as an asset worth protecting, not just a part of doing business. Make no mistake, there are people and organizations in the world ready to wreak havoc with the touch of a keyboard, and it is our duty as consumers of all things digital to safeguard ourselves from them. This is a global issue that nation states and multinational companies must take note of, because information has no boundaries. In order to form a more perfect union, governing bodies need to set aside their differences and work toward the common goal of creating and maintaining a set of standards to unify cyberspace. Instead of taking a reactive approach to a breach, use the available tools and best practices, communicate with other entities to find a proactive stance, and pursue one great decisive aim with force and determination (Clausewitz, 1989) by mitigating risk through a common management standard. Foster an open, flexible dialogue with other countries about legislation, and involve judicial entities like INTERPOL to hunt down and prosecute offenders, leaving no safe haven. This issue is too large for any one government to settle, but through dedicated coordination toward a greater cause a solution can be found.


References

Allen, D. (2014). Compliance standards create false sense of cybersecurity awareness. Techtarget.com. Retrieved from: http://searchcompliance.techtarget.com/tip/Compliance-standards-create-false-sense-of-cybersecurity-awareness

Bucci, S., Rosenzweig, P. & Inserra, D. (2013). A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace. Heritage.org. Retrieved from: http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace

Carr, N. (2003). It Doesn’t Matter. HBR.org. Retrieved from: https://hbr.org/2003/05/it-doesnt-matter/ar/1

Carroll, J. (2004). Open source vs proprietary: Both have advantages. ZDNet.com. Retrieved from: http://www.zdnet.com/article/open-source-vs-proprietary-both-have-advantages/

Cavelty, M.D. (2014). Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities. Science and Engineering Ethics, 20(3). DOI 10.1007/s11948-014-9551-y

Chesbrough, H. (2006). Open innovation: Researching a new paradigm. Oxford: Oxford University Press.

Common Criteria. (2016). About The Common Criteria. Commoncriteriaportal.org. Retrieved from: http://www.commoncriteriaportal.org/ccra/

Cooney, M. (2010). Who really sets global cybersecurity standards? Networkworld.com. Retrieved from: http://www.networkworld.com/article/2231519/security/who-really-sets-global-cybersecurity-standards-.html

Darrow, B. (2016). Red Hat is now a $2 Billion Open-Source Baby. Fortune.com. Retrieved from: http://fortune.com/2016/03/22/red-hat-revenue-2-billion-open-source/

Epperson, B. (2014). Choosing Standards Compliance Over Proprietary Practices. Mozilla.org. Retrieved from: https://developer.mozilla.org/en-US/docs/Choosing_Standards_Compliance_Over_Proprietary_Practices

Honeywell International, Inc. (2016). OPC Unified Architecture. Matrikonopc.com. Retrieved from: https://www.matrikonopc.com/downloads/58/specifications/index.aspx

Information Technology Industry Council. (2011). The IT Industry's Cybersecurity Principles for Industry and Government. ITIC.org. Retrieved from: https://www.itic.org/policy/cybersecurity

INTERPOL. (2016). Cybercrime. Interpol.int. Retrieved from: http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime

ISS Connectivity. (2016). Introduction to OPC UA and its Concepts. Issconnectivity.com. Retrieved from: http://issconnectivity.com/opc-ua/

Jin, Y., Vonderembse, M., & Ragu-Nathan, T.S. (2013). Proprietary technologies: building a manufacturer's flexibility and competitive advantage. International Journal of Production Research, 51(19), pp. 5711-5727. http://dx.doi.org/10.1080/00207543.2013.784407

May, M.M. & Elliott, D. (2001). Consortium for Research on Information Security and Policy. Stanford.edu. Retrieved from: http://fsi.stanford.edu/research/consortium_for_research_on_information_security_and_policy


Microsoft. (2014). Cyberspace 2025: Today's Decisions, Tomorrow's Terrain. Microsoft.com. Retrieved from: https://www.microsoft.com/security/cybersecurity/cyberspace2025/#chapter-1

National Academy of Sciences. (2014). Cybersecurity Dilemmas: Technology, Policy, and Incentives. NAP.edu. Retrieved from: http://www.nap.edu/read/21833/chapter/1#ii

OPC Foundation. (2016). Unified Architecture. OPCFoundation.org. Retrieved from: https://opcfoundation.org/about/opc-technologies/opc-ua/

Paganini, P. (2013). Improving SCADA System Security. Infosecinstitute.com. Retrieved from: http://resources.infosecinstitute.com/improving-scada-system-security/

PwC. (2014). Why You Should Adopt the NIST Cybersecurity Framework. PwC.com. Retrieved from: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf

Rao, P.M., Klein, J.A., & Chandra, R. (2011). Innovation Without Property Rights and Property Rights Without Innovation: Recent Developments in the ICT Sector. Advances in Competitiveness Research, 19(1/2), pp. 83-99.

Rouse, M. (2010). ISO 27001. Techtarget.com. Retrieved from: http://searchsecurity.techtarget.co.uk/definition/ISO-27001

Rouse, M. (2010). Stuxnet. Techtarget.com. Retrieved from: http://searchsecurity.techtarget.in/definition/Stuxnet

Shackleford, S.J., Proia, A.A., Martell, B., & Craig, A.N. (2015). Toward a Global Cybersecurity Standard of Care? Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices. Texas International Law Journal, 50(2), pp. 303-353.

Tzu, S. (2009). The Art of War: Translated by Lionel Giles. Classics.mit.edu. Retrieved from: http://classics.mit.edu/Tzu/artwar.html

U.S. Government Accountability Office. (2012). Cybersecurity: Challenges in Securing the Electricity Grid. GAO.gov. Retrieved from: http://www.gao.gov/assets/600/592508.pdf

Von Clausewitz, C. (1989). On War. Princeton, NJ: Princeton University Press.

Weidman, G. (2014). Penetration Testing: A Hands-On Introduction to Hacking. San Francisco, CA: No Starch Press, Inc.