Posts Tagged ‘National Cyber Security’

Business and Security Need Each Other

Posted in Business and Security, National InfoSec on October 4th, 2010 by Paul

A recent eWeek article “Cyber-security Hurts Federal Government Productivity, Survey Says” clearly demonstrates the significant security issues related to perception and communication.  There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access.  Knee-jerk reaction usually leads to common sense being thrown out the window.  That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” with e-mail and website use.  Some system-wide protections simply need to be in place and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editor’s note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.  This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done but the status quo is indeed unacceptable.  There is no such thing as 100% secure.  There is, however, the potential to reduce risk while providing for business (or agency) needs.  Without business, there is no need for security.  Without security, business will fall victim to attack and fail.  Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

Lessons Not Learned – Public-Private non-communication in CyberSecurity

Posted in National and State Privacy/Security Law, Should Have Known Better on August 20th, 2010 by Paul

One of the deficiencies that came to light in the aftermath of the 9/11 terrorist attacks was the communication failure between competing intelligence agencies.  A report released this past Monday from the Government Accountability Office shows that the same failure to communicate is happening in the cybersecurity arena.  The breakdown in this arena is between the government, which has the cyberthreat information, and the private sector, which manages critical infrastructure that is susceptible to cyber attack.  Ah yes… history repeats itself… at least that appears to be the direction.

“Auditors pointed to recent reports of cyberattacks — such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January — as examples of the debilitating impact a cybersecurity breach could have on national and economic security.”

- Kalish, Brian, “Spotty coordination on cyberthreats is recipe for disaster: GAO Study”, NextGov, August 18, 2010

The planets are coming into alignment when considering the quality of attacks, the advanced persistent threat, and the unstable world climate identified easily by reading recent headlines.  The lessons learned about communicating threats to those in a position to take action seem to have been lost.  Unless the so-called public-private partnership learns how to talk to each other, our cyber-connected critical infrastructure may be primed for a rude awakening.

By the way… where is the CyberSecurity Coordinator Howard Schmidt and all his talk about private sector solutions?

New CyberSecurity Coordinator points to private sector solutions

Posted in Business and Security, National InfoSec on April 7th, 2010 by Paul

Once again I find myself liking White House Cybersecurity Coordinator Howard Schmidt’s approach even if I think his position is weakened based on placement, authority, etc.  In a Bill Brenner article today on CSOonline, Schmidt says the defense against the wide range of threats, including coordinated attacks, is best led from the private sector.

“You guys have been carrying the water,” Schmidt told attendees at CSO Perspectives 2010 Tuesday. The government can do a lot to improve the nation’s cyber defenses. But ultimately, he said, the key to warding off attacks like the one Google experienced remains private-sector vigilance.

The information security community cannot expect a government bailout when it comes to defending infrastructure and information.  The private sector not only is the key to defense but also is the problem.  Too many organizations have created a Cyber-Maginot line that merely creates the illusion of security while the more agile attackers circumvent stale and slow moving defensive positions.  The private sector needs to participate in an active defense against multiple threats and have a solid response plan should the defenses fail.

Schmidt is right.  The threats and motivations for attacks are varied and we must be in a position to defend against them all.  This is a day-to-day fight.

But the lack of state-against-state warfare shouldn’t keep IT security practitioners from serious concern, Schmidt said. The attacks undermine global infrastructure and endanger our way of life, he said, adding that this is a battle every IT security professional must fight from the foxholes.

What have you done today to improve security for your organization?  Are you an agile defender or are you hunkered down behind your own cyber-Maginot line using the “hope” method as a security strategy?

Leave “Cyberwar” in Hollywood

Posted in National InfoSec on March 5th, 2010 by Paul

The more I read about Howard Schmidt, the new cybersecurity czar for the Obama administration, the more I tend to like what I’m hearing.  I still think the position is limited because he has no budgetary authority but he appears to be quite capable of delivering the message of information security without resorting to FUD.  I like that.

There continues to be an overuse of terms such as “cyberwar”.  I hope we can end the movie hype and get down to business.  I don’t disagree that there is a persistent threat from state sponsored attackers.  I believe there is a rise in targeted attacks that are designed to steal sensitive information and perhaps disrupt business as usual.  The government and the private sector need to address our information security needs and be agile in development of defenses against new threats.

In an interview with Wired.com, Schmidt had this to say:

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

- Ryan Singel, “White House Cyber Czar: There Is No Cyberwar”, Wired.com Threat Level, March 4, 2010

This is in direct contrast to Michael McConnell, former director of national intelligence who continues to ramp up the rhetoric about a cyberwar.  Let’s look at McConnell’s history.

  • McConnell convinced President Bush to provide funds to the NSA to lock down the government’s classified networks.   Of course, McConnell’s position placed him in charge of that effort.
  • McConnell now calls for a “re-engineering” of the Internet.  Of course, the company he works with stands to profit incredibly from this type of effort.

You can decide for yourself McConnell’s motivation.

Schmidt doesn’t appear to turn a blind eye to the need for government to protect classified information, and the NSA has a role in this.  The government certainly has an eye on things that just aren’t visible to the private sector.  The private sector has a big dog in this fight as well, especially in regards to financial transactions and the use of personally identifiable information.

“A pessimist is an optimist with experience” (unknown).  I share in McConnell’s call to action but not his drastic, doom and gloom approach where excessive government control over the Internet is the only solution.  His passion is admirable, if not misguided.

Schmidt, on the other hand, isn’t ignoring the need for government to bolster its defenses; he appears to simply approach the necessity for action without inciting knee-jerk reactions from ignorant politicians.  I like this approach rather than the call for citizens to put their head in the sand and let Uncle Sam take over.

“We can’t sit there and be waiting for the next intrusion attempts to take place,” Schmidt said. “We need to become stronger in what we are doing so we are better able to resist the things that are being thrown at us.”

That’s a call to action.  This isn’t a problem that is owned exclusively by the government nor does the solution reside entirely in that realm.  However, if the private sector doesn’t step up and be proactive in the way we protect our infrastructure and information, then we deserve to have government do it for us.

Cyber Shockwave – A Bust

Posted in Awareness and Education, National and State Privacy/Security Law, National InfoSec on February 23rd, 2010 by Paul

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure.  The exercise included former federal officials who played the role of key positions in the executive branch to show how the government would respond to the escalating incident.  They even had a flashy headline:

“Cyber Shockwave”


As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD.  It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program.  We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology.  Mobile devices certainly will see their share of malware.  Both public and private sector have lapses in their information security practices.  As we’ve seen with the latest attacks from China, there is a rise in targeted attacks.  That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day.  The private sector is particularly good at finding solutions to problems and they too have a dog in this fight.  Let’s bring the right players to the table to find a solution other than martial law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.

The Cyber Maginot Line

Posted in Business and Security on January 28th, 2010 by Paul

Between 1930 and 1940, France built a massive system of defenses known as the Maginot Line.  It was designed to stop a German invasion; history illustrates its failure.  The 1940 German invasion of France skirted the defensive Maginot Line as the Germans swiftly penetrated through the Ardennes by way of Belgium.  I’m not a historian and there are many facts that played into this but clearly the fate of France was at least partly determined by a false sense of security rooted in the Maginot Line.

Have modern day corporations and public entities created their own version of the Maginot Line when it comes to the protection of sensitive information?  I think the answer is clearly yes.  William J. Lynn III, the deputy defense secretary who oversaw a recent attack simulation, pointed this out in “In Digital Combat, U.S. Finds No Easy Deterrent”.  An over-reliance on firewalls and anti-virus programs has created a false sense of security among those who store, transmit, and process sensitive information in the normal course of business.  The changing threatscape, such as the new complex zero-day exploits and state-sponsored targeted attacks, is sometimes ignored, much like the French failed to take action when Belgium declared itself a neutral country, severing its previous alliance with France.

Consider this comment made in a recent story:

“The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations.”

- “US oil industry hit by cyberattacks: Was China Involved?”, CS Monitor, January 25, 2010

We are not prepared.  The attackers have become more nimble, motivated, and tenacious while we have become slow moving and complacent.  Many organizations have been lulled to sleep.  We’ve already seen changes in the way attacks are organized and the creativity being designed into their exploits.  Collectively, we need to examine the new threatscape and actively develop new tactics that match the agility being demonstrated by the “bad guys”.

Let’s learn from the Maginot Line.  Let’s not get caught sitting behind our old walls hoping that we can sustain a direct assault when the real threat is making an end run.

2010 Information Security Predictions

Posted in Awareness and Education, Business and Security, National InfoSec on January 3rd, 2010 by Paul

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud”, businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.  With major attacks taking place in 2010 and hopefully an improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment is emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

Cybersecurity Coordinator – new man, same ol’ position

Posted in National InfoSec on December 29th, 2009 by Paul

I’ve been mulling on the appointment of Howard Schmidt as U.S. Cybersecurity Coordinator for several days.  This is the appointment that has been 10 months in the coming since President Obama vowed to create the post.  This is the role that was previously filled (at least functionally) by Melissa Hathaway, who left over frustration with the way the U.S. government works.  Before her, it was Amit Yoran who was the cybersecurity czar for DHS.  He was decimated by bureaucrats and lasted only a year.

Schmidt had a previous run as a cybersecurity advisor for the G.W. Bush presidency.  From all accounts he is a skilled man with an impressive resume.  Unfortunately, the position itself has been designed with so many obstacles that success is unlikely.  Though he is supposed to have access to the President, the position is several steps down the organization ladder.  As I’ve seen in the private sector, when you place security out-of-sight it quickly becomes out-of-mind.

The mission of the position has been set by President Obama but with executive-level focus on so many different arenas, I’m afraid the cyber-security talk will be just that… talk.  This position is one with a lot of responsibility without the authority needed to accomplish the goals.  A recipe for failure in any organization.  This nation needs information security leadership.  Howard Schmidt is the right man but the position will limit his ability to succeed.  Best of luck!  I hope I’m wrong.

Articles regarding this appointment:

Rotella, Sebastian.  “Howard Schmidt named cyber-security czar”.  LA Times, 12/23/2009

Nakashima, Ellen.  “Obama to name Howard Schmidt as cybersecurity coordinator”.  Washington Post, 12/22/2009

House passes Data Breach legislation… jury still out

Posted in National and State Privacy/Security Law on December 14th, 2009 by Paul

The U.S. House of Representatives has passed HR 2221, the Data Accountability and Trust Act.  This sets nationwide breach notification requirements that trump the patchwork of State laws that have been in effect, with California leading the way in 2002.  The passage was written about in a Federal Computer Week article “House passes bill to require data breach notifications”.

Overall, standardizing the definition of Personally Identifiable Information will help in protecting the data.  This is a good thing as some states have more stringent definitions than others.   Data brokers have greater requirements.  Also a good thing.

The problem I see comes from the FTC having jurisdiction over the new law.  The FTC does not have authority to enforce regulations on government, banks, savings and loans, insurance industry and non-profits which would include higher education and some healthcare environments.  These industries are often the victims of data breaches yet they aren’t covered by this new federal law.

We’ve seen the FTC extend its reach with the Red Flags rule and perhaps they will follow suit with the new data breach notification legislation.  If they let some industries with known disclosure issues slip through the cracks then the overall effectiveness of the legislation is diminished.

National Cybersecurity Initiative… Good, but….

Posted in National InfoSec on June 4th, 2009 by Paul

Finally!  The U.S. makes a conscious decision to consider the digital roadways that carry the information of citizens, business, and government as a “strategic national asset”.  Acknowledging the importance is certainly a step, albeit a late one, in the right direction.  Let there be no mistake, it’s a difficult task to defend a nation in the modern day wild west and quite frankly, as a nation we’ve been asleep at the wheel as criminal activity runs rampant across this unprotected thoroughfare.

As if it were scripted, right after the announcement of a new White House cyber security position, a document with information about our nuclear facilities was inappropriately disclosed to the public.  This provides emphasis to the sad but true statement that technology doesn’t cure dumb.  Never has, never will.  This is why security must be built around the triad of people, process and technology.  One without the others is fairly useless.