Two cybersecurity experts, Alan Paller of the SANS Institute and former Energy and Air Force CIO John Gilligan, are presenting what they call a new approach to security at a conference this morning.
Gilligan said the current approach is too focused on compliance with hundreds of pages of NIST regulations. He said the next administration should focus on “letting offense inform defense”:
We should leverage experts from across the hacker-defender communities to help us determine, as we did in the Air Force… where should we be focusing our investments?
He was referring to an exercise the Air Force did with hackers from the National Security Agency, who found that 80 percent of the service’s vulnerabilities came from poorly configured commercial software. That exercise led to what eventually became the Federal Desktop Core Configuration.
Gilligan said the government should do more of those exercises, and focus on fixing the vulnerabilities they identify.
Or, as Paller put it, the focus should be on “trying to secure systems, rather than securing compliance.”