National InfoSec

Cybersecurity Bill – DHS as Punisher

Posted in National and State Privacy/Security Law, National InfoSec on November 23rd, 2010 by Paul – Be the first to comment

In an effort to make DHS the focal point of “cybersecurity”, legislation was introduced that would allow the DHS to levy fines and other civil penalties against any company the government decides is “critical”.  I agree that the need to protect critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is “critical”?  The use of this broad term makes me nervous.   It’s an open-ended path to abuse in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds nothing to information security except the cost of complying with yet one more check box.  In the long run, more money will be dumped into information security but the large bureaucracy will negate the benefits.  The last thing that should be done is inserting a slow moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the Presidentially appointed U.S. Cybersecurity Coordinator?  Does this role go away?  If not, what type of conflict does the appointment of a DHS Cybersecurity guru create?

This is simply a bad idea.

Business and Security Need Each Other

Posted in Business and Security, National InfoSec on October 4th, 2010 by Paul – Be the first to comment

A recent eWeek article “Cyber-security Hurts Federal Government Productivity, Survey Says” clearly demonstrates the significant security issues related to perception and communication.   There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access.  Knee-jerk reaction usually leads to common sense being thrown out the window.   That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” with e-mail and website use.   Some system-wide protections simply need to be in place and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editors note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.   This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done but the status quo is indeed unacceptable.  There is no such thing as 100% secure.  There is, however, the potential to reduce risk while providing for business (or agency) needs.   Without business, there is no need for security.  Without security, business will fall victim to attack and fail.   Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

New CyberSecurity Coordinator points to private sector solutions

Posted in Business and Security, National InfoSec on April 7th, 2010 by Paul – 1 Comment

Once again I find myself liking White House Cybersecurity Coordinator Howard Schmidt’s approach even if I think his position is weakened based on placement, authority, etc.  In a Bill Brenner article today on CSOonline, Schmidt argues that the defense against the wide range of threats, including coordinated attacks, is best led from the private sector.

“You guys have been carrying the water,” Schmidt told attendees at CSO Perspectives 2010 Tuesday. The government can do a lot to improve the nation’s cyber defenses. But ultimately, he said, the key to warding off attacks like the one Google experienced remains private-sector vigilance.

The information security community cannot expect a government bailout when it comes to defending infrastructure and information.  The private sector not only is the key to defense but also is the problem.  Too many organizations have created a Cyber-Maginot line that merely creates the illusion of security while the more agile attackers circumvent stale and slow moving defensive positions.  The private sector needs to participate in an active defense against multiple threats and have a solid response plan should the defenses fail.

Schmidt is right.  The threats and motivations for attacks are varied and we must be in a position to defend against them all.  This is a day-to-day fight.

But the lack of state-against-state warfare shouldn’t keep IT security practitioners from serious concern, Schmidt said. The attacks undermine global infrastructure and endanger our way of life, he said, adding that this is a battle every IT security professional must fight from the foxholes.

What have you done today to improve security for your organization?  Are you an agile defender or are you hunkered down behind your own cyber-Maginot line using the “hope” method as a security strategy?

Leave “Cyberwar” in Hollywood

Posted in National InfoSec on March 5th, 2010 by Paul – Be the first to comment

The more I read about Howard Schmidt, the new cybersecurity czar for the Obama administration, the more I tend to like what I’m hearing.  I still think the position is limited because he has no budgetary authority but he appears to be quite capable of delivering the message of information security without resorting to FUD.  I like that.

There continues to be an overuse of terms such as “cyberwar”.  I hope we can end the movie hype and get down to business.  I don’t disagree that there is a persistent threat from state sponsored attackers.  I believe there is a rise in targeted attacks that are designed to steal sensitive information and perhaps disrupt business as usual.  The government and the private sector need to address our information security needs and be agile in development of defenses against new threats.

In an interview with Wired.com, Schmidt had this to say:

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

- Ryan Singel, “White House Cyber Czar: There Is No Cyberwar“, Wired.com Threat Level, March 4, 2010

This is in direct contrast to Michael McConnell, former director of national intelligence who continues to ramp up the rhetoric about a cyberwar.  Let’s look at McConnell’s history.

  • McConnell convinced President Bush to provide funds to the NSA to lock down the government’s classified networks.   Of course, McConnell’s position placed him in charge of that effort.
  • McConnell now calls for a “re-engineering” of the Internet.  Of course, the company he works with stands to profit incredibly from this type of effort.

You can decide for yourself McConnell’s motivation.

Schmidt doesn’t appear to turn a blind eye to the need for government to protect classified information and the NSA has a role in this.  The government certainly has an eye on things that just aren’t visible to the private sector.    The private sector has a big dog in this fight as well, especially in regards to financial transactions and the use of personally identifiable information.

“A pessimist is an optimist with experience” (unknown).  I share in McConnell’s call to action but not his drastic, doom and gloom approach where excessive government control over the Internet is the only solution.  His passion is admirable, if misguided.

Schmidt, on the other hand,  isn’t ignoring the need for government to bolster its defenses, he appears to simply approach the necessity for action without inciting knee-jerk reactions from ignorant politicians.  I like this approach rather than the call for citizens to put their head in the sand and let Uncle Sam take over.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

That’s a call to action.  This isn’t a problem that is owned exclusively by the government nor does the solution reside entirely in that realm.  However, if the private sector doesn’t step up and be proactive in the way we protect our infrastructure and information, then we deserve to have government do it for us.

Cyber Shockwave – A Bust

Posted in Awareness and Education, National and State Privacy/Security Law, National InfoSec on February 23rd, 2010 by Paul – 1 Comment

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure.  The exercise included former federal officials who played the roles of key executive branch positions to show how the government would respond to the escalating incident.  They even had a flashy headline:

“Cyber Shockwave”


As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD.   It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program.  We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology.  Mobile devices certainly will see their share of malware.  Both public and private sector have lapses in their information security practices.  As we’ve seen with the latest attacks from China, there is a rise in targeted attacks.   That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day.  The private sector is particularly good at finding solutions to problems and they too have a dog in this fight.  Let’s bring the right players to the table to find a solution other than martial law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.

2010 Information Security Predictions

Posted in Awareness and Education, Business and Security, National InfoSec on January 3rd, 2010 by Paul – 2 Comments

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.  With major attacks taking place in 2010 and, hopefully, an improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment is emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

Cybersecurity Coordinator – new man, same ol’ position

Posted in National InfoSec on December 29th, 2009 by Paul – Be the first to comment

I’ve been mulling on the appointment of Howard Schmidt as U.S. Cybersecurity Coordinator for several days.  This is the appointment that has been 10 months in the making since President Obama vowed to create the post.   This is the role that was previously filled (at least functionally) by Melissa Hathaway who left over frustration with the way the U.S. government works.  Before her, it was Amit Yoran who was the cybersecurity czar for DHS.  He was decimated by bureaucrats and lasted only a year.

Schmidt had a previous run as a cybersecurity advisor for the G.W. Bush presidency.  From all accounts he is a skilled man with an impressive resume.  Unfortunately, the position itself has been designed with so many obstacles that success is unlikely.  Though he is supposed to have access to the President, the position is several steps down the organization ladder.  As I’ve seen in the private sector, when you place security out-of-sight it quickly becomes out-of-mind.

The mission of the position has been set by President Obama but with executive-level focus on so many different arenas, I’m afraid the cyber-security talk will be just that… talk.  This position is one with a lot of responsibility without the authority needed to accomplish the goals.  A recipe for failure in any organization.  This nation needs information security leadership.  Howard Schmidt is the right man but the position will limit his ability to succeed.   Best of luck!  I hope I’m wrong.

Articles regarding this appointment:

Rotella, Sebastian.  “Howard Schmidt named cyber-security czar“.  LA Times, 12/23/2009

Nakashima, Ellen.  “Obama to name Howard Schmidt as cybersecurity coordinator“.  Washington Post, 12/22/2009

Cyber Security Awareness Month

Posted in Business and Security, National InfoSec on October 8th, 2009 by Paul – Be the first to comment

October is National Cyber Security Awareness Month.  Unfortunately, only a fraction of business and community leaders know that such a labeled month exists.  How can the message of information security be considered important if those in positions of influence do not support, sponsor, or encourage that message?

I just went out to the White House web site.  Not even a link to the DHS site that relates to National Cyber Security Awareness month.  I guess this lack of executive level support for information security, as evidenced by the still unfilled National CyberSecurity position, is contagious.

Heck, maybe the US Congress may post something in regards to this month.  Nope.  Nothing on either the House or the Senate page.

In your organization, is there any awareness effort whatsoever done in collaboration with this month long focus on cyber security?  Why not?  Is there no desire to develop appropriate security-conscious behavior within our workforce?  Is there no value to focusing attention on the protection of personally identifiable information that customers have entrusted us with?  Does security only matter after a breach?  Are reactive measures the best we can do?

There are a number of organizations and websites that have taken an active role in spreading the word during this Cyber Security Month.  Kudos to them.  Their efforts are clearly needed and appreciated by those who take information security seriously.  While the technical side of security is certainly illustrated we need to do a better job of driving the message into the non-technical, business-minded side of the house.  We need to drive home identity protection to our school children so that information security is a habit, not a chore and something that is carried with them into their future careers and endeavors.

When we can walk down the street and see banners related to National Cyber Security Month, when television programming starts with security reminders, when there are news segments throughout the month related to different aspects of information security, when security is part of the curriculum in schools when using computers and technology, then perhaps this whole National Cyber Security Month will have found its place.  I hope we someday get there.

US Cyber Challenge – Creative Idea

Posted in National InfoSec on July 29th, 2009 by Paul – Be the first to comment

What a cool idea.   This type of approach drives kids into technical fields and really interesting careers.

A new consortium of U.S. government and private organizations has set out to find tech-minded youngsters, divert them from video games and set them on a course to become cybersecurity “top guns.”

The U.S. Department of Defense Cyber Crime Center, the Center for Strategic and International Studies (CSIS), the Air Force Association and the SANS Institute this week launched the U.S. Cyber Challenge.

The only troubling piece to this is kids who have been engaged in malicious activity have a significant head start in the capture the flag game.  I don’t think we want to have the bad eggs included in the information security profession.

National Cybersecurity Initiative… Good, but….

Posted in National InfoSec on June 4th, 2009 by Paul – Be the first to comment

Finally!  The U.S. makes a conscious decision to consider the digital roadways that carry the information of citizens, business, and government as a “strategic national asset”.  Acknowledging the importance is certainly a step, albeit a late one, in the right direction.  Let there be no mistake, it’s a difficult task to defend a nation in the modern day wild west and quite frankly, as a nation we’ve been asleep at the wheel as criminal activity runs rampant across this unprotected thoroughfare.

As if it were scripted, right after the announcement of a new White House cyber security position, a document with information about our nuclear facilities was inappropriately disclosed to the public.  This provides emphasis to the sad but true statement that technology doesn’t cure dumb.  Never has, never will.  This is why security must be built around the triad of people, process and technology.  One without the others is fairly useless.