Posts Tagged ‘cyber czar’

Cybersecurity Bill – DHS as Punisher

Posted in National and State Privacy/Security Law, National InfoSec on November 23rd, 2010 by Paul

In an effort to be a focal point of “cybersecurity”, legislation was introduced that would allow the DHS to levy fines and other civil penalties against any company the government decides is “critical”.  I agree that the need to protect critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is “critical”?  The use of this broad term makes me nervous.   It’s an open-ended path to abuse in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds no value to information security other than the costs associated with complying with yet one more check box.  In the long run, more money will be dumped into information security but the large bureaucracy will negate the benefits.  The last thing that should be done is inserting a slow moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the presidentially appointed U.S. Cybersecurity Coordinator?  Does this role go away?  If not, what type of conflict does the appointing of a DHS cybersecurity guru create?

This is simply a bad idea.

Lessons Not Learned – Public-Private non-communication in CyberSecurity

Posted in National and State Privacy/Security Law, Should Have Known Better on August 20th, 2010 by Paul

One of the deficiencies that came to light in the aftermath of the 9/11 terrorist attacks was the communication failure between competing intelligence agencies.  A report released this past Monday from the Government Accountability Office shows that the same failure to communicate is happening in the cybersecurity arena.  The breakdown in this arena is between the government, which has the cyberthreat information, and the private sector, which manages critical infrastructure that is susceptible to cyber attack.  Ah yes… history repeats itself… at least that appears to be the direction.

“Auditors pointed to recent reports of cyberattacks — such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January — as examples of the debilitating impact a cybersecurity breach could have on national and economic security.”

- Kalish, Brian, “Spotty coordination on cyberthreats is recipe for disaster: GAO Study”, NextGov, August 18, 2010

The planets are coming into alignment when considering the quality of attacks, the advanced persistent threat, and the unstable world climate identified easily by reading recent headlines.  The lessons learned about communicating threats to those in a position to take action seem to have been lost.  Unless the so-called public-private partnership learns how to talk to each other, our cyber-connected critical infrastructure may be primed for a rude awakening.

By the way…. where is the CyberSecurity Coordinator Howard Schmidt and all his talk about private sector solutions?

New CyberSecurity Coordinator points to private sector solutions

Posted in Business and Security, National InfoSec on April 7th, 2010 by Paul

Once again I find myself liking White House Cybersecurity Coordinator Howard Schmidt’s approach even if I think his position is weakened based on placement, authority, etc.  In a Bill Brenner article today on CSOonline, Schmidt points to the defense against the wide range of threats, including coordinated attacks, as best led from the private sector.

“You guys have been carrying the water,” Schmidt told attendees at CSO Perspectives 2010 Tuesday. The government can do a lot to improve the nation’s cyber defenses. But ultimately, he said, the key to warding off attacks like the one Google experienced remains private-sector vigilance.

The information security community cannot expect a government bailout when it comes to defending infrastructure and information.  The private sector not only is the key to defense but also is the problem.  Too many organizations have created a Cyber-Maginot line that merely creates the illusion of security while the more agile attackers circumvent stale and slow moving defensive positions.  The private sector needs to participate in an active defense against multiple threats and have a solid response plan should the defenses fail.

Schmidt is right.  The threats and motivations for attacks are varied and we must be in a position to defend against them all.  This is a day-to-day fight.

But the lack of state-against-state warfare shouldn’t keep IT security practitioners from serious concern, Schmidt said. The attacks undermine global infrastructure and endanger our way of life, he said, adding that this is a battle every IT security professional must fight from the foxholes.

What have you done today to improve security for your organization?  Are you an agile defender or are you hunkered down behind your own cyber-Maginot line using the “hope” method as a security strategy?

Leave “Cyberwar” in Hollywood

Posted in National InfoSec on March 5th, 2010 by Paul

The more I read about Howard Schmidt, the new cybersecurity czar for the Obama administration, the more I tend to like what I’m hearing.  I still think the position is limited because he has no budgetary authority, but he appears to be quite capable of delivering the message of information security without resorting to FUD.  I like that.

There continues to be an overuse of terms such as “cyberwar”.  I hope we can end the movie hype and get down to business.  I don’t disagree that there is a persistent threat from state sponsored attackers.  I believe there is a rise in targeted attacks that are designed to steal sensitive information and perhaps disrupt business as usual.  The government and the private sector need to address our information security needs and be agile in development of defenses against new threats.

In an interview with Wired.com, Schmidt had this to say:

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

- Ryan Singel, “White House Cyber Czar: There Is No Cyberwar”, Wired.com Threat Level, March 4, 2010

This is in direct contrast to Michael McConnell, former director of national intelligence who continues to ramp up the rhetoric about a cyberwar.  Let’s look at McConnell’s history.

  • McConnell convinced President Bush to provide funds to the NSA to lock down the government’s classified networks.   Of course, McConnell’s position placed him in charge of that effort.
  • McConnell now calls for a “re-engineering” of the Internet.  Of course, the company he works with stands to profit incredibly from this type of effort.

You can decide for yourself McConnell’s motivation.

Schmidt doesn’t appear to turn a blind eye to the need for government to protect classified information, and the NSA has a role in this.  The government certainly has an eye on things that just aren’t visible to the private sector.  The private sector has a big dog in this fight as well, especially in regard to financial transactions and the use of personally identifiable information.

“A pessimist is an optimist with experience” (unknown).  I share in McConnell’s call to action but not his drastic, doom and gloom approach where excessive government control over the Internet is the only solution.  His passion is admirable, if not misguided.

Schmidt, on the other hand, isn’t ignoring the need for government to bolster its defenses; he appears to simply approach the necessity for action without inciting knee-jerk reactions from ignorant politicians.  I like this approach rather than the call for citizens to put their heads in the sand and let Uncle Sam take over.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

That’s a call to action.  This isn’t a problem that is owned exclusively by the government nor does the solution reside entirely in that realm.  However, if the private sector doesn’t step up and be proactive in the way we protect our infrastructure and information, then we deserve to have government do it for us.

Cyber Shockwave – A Bust

Posted in Awareness and Education, National and State Privacy/Security Law, National InfoSec on February 23rd, 2010 by Paul

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure.  The exercise included former federal officials who played key positions in the executive branch to show how the government would respond to the escalating incident.  They even had a flashy headline:

“Cyber Shockwave”


As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD.  It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program.  We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology.  Mobile devices certainly will see their share of malware.  Both public and private sector have lapses in their information security practices.  As we’ve seen with the latest attacks from China, there is a rise in targeted attacks.   That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day.  The private sector is particularly good at finding solutions to problems and they too have a dog in this fight.  Let’s bring the right players to the table to find a solution other than martial law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.

Cybersecurity Coordinator – new man, same ol’ position

Posted in National InfoSec on December 29th, 2009 by Paul

I’ve been mulling on the appointment of Howard Schmidt as U.S. Cybersecurity Coordinator for several days.  This is the appointment that has been 10 months in coming since President Obama vowed to create the post.  This is the role that was previously filled (at least functionally) by Melissa Hathaway, who left over frustration with the way the U.S. government works.  Before her, it was Amit Yoran who was the cybersecurity czar for DHS.  He was decimated by bureaucrats and lasted only a year.

Schmidt had a previous run as a cybersecurity advisor for the G.W. Bush presidency.  From all accounts he is a skilled man with an impressive resume.  Unfortunately, the position itself has been designed with so many obstacles that success is unlikely.  Though he is supposed to have access to the President, the position is several steps down the organizational ladder.  As I’ve seen in the private sector, when you place security out of sight it quickly becomes out of mind.

The mission of the position has been set by President Obama but with executive-level focus on so many different arenas, I’m afraid the cyber-security talk will be just that… talk.  This position is one with a lot of responsibility without the authority needed to accomplish the goals.  A recipe for failure in any organization.  This nation needs information security leadership.  Howard Schmidt is the right man but the position will limit his ability to succeed.  Best of luck!  I hope I’m wrong.

Articles regarding this appointment:

Rotella, Sebastian.  “Howard Schmidt named cyber-security czar”.  LA Times, 12/23/2009

Nakashima, Ellen.  “Obama to name Howard Schmidt as cybersecurity coordinator”.  Washington Post, 12/22/2009

National Cybersecurity Initiative… Good, but….

Posted in National InfoSec on June 4th, 2009 by Paul

Finally!  The U.S. makes a conscious decision to consider the digital roadways that carry the information of citizens, business, and government as a “strategic national asset”.  Acknowledging the importance is certainly a step, albeit a late one, in the right direction.  Let there be no mistake, it’s a difficult task to defend a nation in the modern-day Wild West and, quite frankly, as a nation we’ve been asleep at the wheel as criminal activity runs rampant across this unprotected thoroughfare.

As if it were scripted, right after the announcement of a new White House cyber security position, a document with information about our nuclear facilities was inappropriately disclosed to the public.  This provides emphasis to the sad but true statement that technology doesn’t cure dumb.  Never has, never will.  This is why security must be built around the triad of people, process and technology.  One without the others is fairly useless.