By the time the Internet age fully took hold in the late 1990s, Chief Information Officers were already dealing with a mounting wave of viruses, worms, and targeted cyber intrusions into their systems. Though most attacks exploited known vulnerabilities, patching those vulnerabilities and turning off vulnerable services was burdensome. The resulting lack of cyber hygiene made the myriad unpatched systems easy to exploit.
During that period, Sandia National Labs, First Union Bank (now part of the Bank of America), and several other organizations came up with a new approach to cyber hygiene that proved remarkably effective. Instead of asking users to configure their systems securely, these pioneering organizations did it for them by pre-configuring systems before the user received the computer. Adding automated patching to a more secure configuration made the systems much more difficult to penetrate.
The CIO Institute used these case studies to convene a 1999 meeting of CIOs and top cyber leaders in government and industry who agreed to jointly support the creation of the Center for Internet Security (CIS). The center’s mission was to reach a broad consensus on what constituted secure configurations of popular operating systems and applications, and then use the combined buying power of its members to encourage vendors to deliver systems with the safer configurations baked in.
With start-up support from the SANS Institute, the CIS developed secure configurations of common operating systems along with scoring systems that told organizations how close their systems were to having a secure configuration. A partnership between the CIS and the National Security Agency facilitated consensus on secure configurations of Windows across commercial and government organizations.
Led by its Chief Information Officer John Gilligan, the U.S. Air Force purchased more than 450,000 computers with those baked-in secure configurations. The NSA reported that the secure configurations used by the Air Force blocked more than 85 percent of the same attacks that were successfully gaining control of systems at other agencies. The Air Force reported that the new approach reduced patching time from 57 to 3 days and, at the same time, saved $100 million annually in procurement costs and an equal amount in patching and cleanup costs. Best of all, users reported being much more satisfied and using much less help-desk time because their systems had common configurations that could be centrally managed.
In 2007 and 2008, the U.S. Office of Management and Budget (OMB) established mandates requiring all computers purchased by the federal government to have secure configurations baked in. OMB also required application vendors to take responsibility for ensuring that their applications ran effectively on the secure configurations. Not all federal agencies followed OMB’s mandate, but nearly 800 government and commercial organizations have become members of the CIS in large part to use the center’s benchmark secure configurations. Today, millions of system images pre-configured with the CIS hardened configurations are delivered by Amazon Web Services, Microsoft Azure, Google Cloud.