Across four decades, Archefact Group’s founders have advanced cybersecurity practices, policy and education through consequential actions. Highlights include:
Raising the bar on cybersecurity protection
In our 1984 analysis of candidate replacement systems for one of NSA’s most important intelligence collection missions, we concluded that one company’s solution was incapable of meeting NSA’s high standards for protecting classified information. While cybersecurity requirements had previously been waived in favor of operational capabilities, we advised the NSA Director to stand firm. He agreed, and for the first time in NSA’s history, a contractor was disqualified for failing to meet NSA’s cybersecurity requirements.
NIST’s Cybersecurity Beginnings
Contributing to the first Special Publication
The influence of NIST’s cybersecurity publications and standards extends across the globe. NIST published its first comprehensive guide in 1995. We wrote several chapters in this work, An Introduction to Computer Security: The NIST Handbook. The topics addressed here still form the core of cybersecurity’s body of knowledge over 20 years later.
Protecting critical infrastructure from cyber attack
President Clinton formed a Commission on Critical Infrastructure Protection to examine, among other topics, protection from physical and cyber attacks. At the request of the commission’s chairman, we proposed cybersecurity research topics, including a systematic approach to identifying the underlying systems whose cyber protection forms the basis for trust in the ongoing operation of the critical infrastructure.
Encryption Export Controls
Expanding the protection of business and personal information
Over the course of five Congressional hearings, we testified about the ramifications of encryption export controls on global competitiveness, national security, law enforcement and personal privacy. Our testimony concerning the New Zealand Ministry of Health directly influenced a change in regulations that permitted the export of strong encryption to protect medical information. More broadly, it contributed to the modernization of United States encryption policy.
Providing independent validation of national investments
Since 1959, the National Academy of Sciences’ National Research Council has assessed the technical merit, relevance, and quality of NIST's activities on behalf of Congress. Starting in 1999, we served a three-year term on the board examining NIST’s cybersecurity initiatives, which at that time included development of the Advanced Encryption Standard.
Leading the conversation on cyber as a business issue
Since the late 1980s, we have been educating the commercial world on the fundamental importance of strategically aligning security technologies with a company's overall mission. In collaboration with Harvard Business School, we introduced The Trust Framework, which is based on two core principles: 1) every technology choice must be linked to a company's specific business activities; and 2) a company needs to prove to its partners and customers that every electronic business transaction can be trusted.
Medical Information Protection
Transferring responsibility from clinicians to cybersecurity staff
The Hong Kong Hospital Authority asked us to provide technical recommendations for improving medical information cyber protections in the aftermath of multiple patient data loss incidents. Our approach shifted the burden of protecting patient information from end users to system designers, who assumed responsibility for taking health care providers’ work patterns into account and minimizing the inconvenience that some cybersecurity technologies can impose.
Cyber Regulations Deciphered
Practical guidance on protecting individual privacy
The Hong Kong Computer Society and Office of the Privacy Commissioner developed a guide for compliance with Hong Kong’s Personal Data (Privacy) Ordinance. We developed the cybersecurity recommendations for the security of personal data. Our recommendations focused on practicable steps to protect personal data against unauthorized access, without expanding into an exhaustive set of cybersecurity requirements.
Making cybersecurity governance effective
In collaboration with Harvard Business Review, we introduced Digital Stewardship: a cohesive, practical and concrete framework that demonstrates why boards are in a unique position to lead where market forces have failed and provides a straightforward approach for cyber risk oversight and management that changes the focus of conversation from technology to the business that the technology supports.