A Public Sector Communications eMagazine

Federal Executive Forum on CyberSecurity 


February 2008 • Volume 6 • Number 2


Priority Rules

 

Their voices have finally been heard. Maybe it is because one Eastern European country was practically “taken down” due to cyber attacks or maybe because government networks are being hacked relentlessly (e.g. FAA).

 

Whatever the trigger, cybersecurity is finally being taken seriously. After years in which some have said government paid only “lip service” to CyberSecurity, big money ($7.3 billion proposed for FY09) is being invested in CyberSecurity, making it a government priority.

 

So what are some of these cyber priorities?

 

For Darren Ash, CIO at the Nuclear Regulatory Commission, the first job is getting organized. “We had a lack of a true cyber security organization”, explained Ash, “so some of the things that we’ve done over the last couple of months is establish a security organization.”

 

Priority 1 according to Ash is staffing. “We need to have the right people on board to really take us to the next level in terms of addressing material weaknesses and correcting some of the deficiencies.”

 

Then there is continuing to mature NRC’s program. “I don’t think that’s something that is unique to the NRC”, said Ash. “It’s probably something that’s common to the agencies across the federal space. It’s just continuing to focus on not the requirements, not just the paper, but really the root activities that we should be doing to protect the enterprise.”

 

Intrusions Top The List

“At the top of our list of priorities, computer intrusions,” declared Jim E. Finch, Assistant Director, Cyber Division at the FBI. “That’s the number one priority within the cyber division, and primarily those computer intrusions with a counter terrorism nexus, and then those computer intrusions with a counter intelligence nexus, and then finally all other intrusions.”

Counterterrorism tops the FBI’s priorities, but it is not the only one.

Finch says the division spends a lot of time investigating the online sexual exploitation of children and going after those predators. It also investigates intellectual property crime: the theft of trade secrets by foreign powers, and intellectual property violations where counterfeit parts are being made for airplanes and autos, the things that actually affect health and safety.

The FBI also deals with counterfeit pharmaceuticals, copyright violations for the recording industry, the video industry and Internet fraud. “After that we look at identity theft”, says Finch. “I say identity theft last, but identity theft is actually an inherent part of computer intrusion where the theft of an entire database. So I put it last but it falls in our top priority.”

Dave Bowen, FAA CIO, has different priorities. For him, it is continuing to build out the FAA’s security infrastructure. “We are looking at various detection technologies to be deployed around wireless, PBX and some of the other stuff,” said Bowen.

But Bowen is looking for his staff to step it up as well. “I’ve challenged my security organization to really move up a notch and look at how we become the best in class at providing security services,” said Bowen. “Our goal is to take our cyber security management center and make it a center of excellence and move to a position where we can actually provide security services for other civilian agencies in the federal government.”

Bowen is looking at benchmarking practices within the NSA, best practices from the corporate world and is seeking strategies to incorporate those practices and those technologies into what FAA is doing.

Knuckleheads Versus Zealots

Navy CIO Rob Carey is smack dab in the middle of the “information sharing versus security” tug of war.

“The Internet is an open place but at the same time you have to ensure that only certain information goes to only the intended recipients,” says Carey. “As we try to raise the security bar while affording access, we deploy technologies such as additional firewall tools, additional detection systems and our tech based PKI that is attached to our Blackberries which allows us to sign in and get things while we are on the move.”

 

Carey is trying to minimize the impact of network attacks by deploying encryption on data at rest, which helps in the privacy domain because the impact of losing data that has been encrypted is much smaller.

 

“It takes a lot of resources to get into something that’s been encrypted at the right level, so we are going to move out on that this year and start the deployment of that across the enterprise, a consistent solution,” said Carey.

 

Carey says the Navy is also working hand-in-hand with contractors that hold a lot of Navy information on their networks, to ensure that the information they hold on the Navy’s behalf is secure.

 

“We are also streamlining (and strengthening) our certification and accreditation process,” adds Carey. “The issue is how do we get something on the network quickly and rapidly to afford what the combatant commander may want, but yet is secure; so we have confidence and comfort that this thing has met the security bar and we can put it on the network without any intrusions.”

 

Painkiller Security

Symantec is one of the nation’s leading security software providers. So it comes as no surprise that Dean Turner, Director, Global Intelligence Networks would say that “first and foremost it is ensuring that we are staying on top of the threat landscape.”

Turner explains that means Symantec is looking at the current types of attacks that are taking place. They are trying to anticipate what is coming down the pike whether that is new forms of attacks, new targets or new areas.

“But we’re also working around increasing private and public sector cooperation through things like education, the sharing of information, talking about threats,” said Turner. “That includes SAFECode, a non-profit organization that Symantec is a co-founder of.”

Dr. Eric Cole, Chief Scientist at Lockheed Martin says his organization has two main priority areas -- redefining cyber security today and creating the future of cyber security.

“One of the huge problems today is that we get so caught up in what I call ‘painkiller security’,” lamented Cole, “where organizations go in and they are just throwing money at a problem.”

Cole urges organizations to step back and realize that security is all about risk to your critical assets. “We have to understand what those critical assets are and what are the steps we are going to take to reduce those risks,” Cole explained.

“So instead of focusing on buying a product we have to say how does that solution reduce and appropriate risk? One of the key things that we do is make sure that we practice what we preach. We have a program called I-save where we make sure that everyone in our organization and their families are properly protected.”

In terms of the future, Cole says the goal is “if there is a solution out there we try to adapt or buy solutions that already exist.”

 

But in those cases where there is a problem, but no solution has been found, Cole says “we are actually investing millions of dollars in advanced internal research and development on cyber security. We are going in and creating that intellectual property that our nation is going to need to be able to solve those problems that are going to come down in the future.”

 

###




 


Justifying The Investment

 

Justifying the resources and the ROI are two issues that plague cyber experts, because the best thing that can happen is nothing, and nothing doesn’t show up on a balance sheet.

 

As a society we tend to have a hard time getting out in front of the threats and vulnerabilities. We are always trying to catch up, coming up with the fix after the bad thing happens. Is that mindset changing?

 

Symantec’s Dean Turner thinks it is, but with caution.

 

“In terms of ROI, security often is insurance and the unfortunate aspect of this is some people don’t purchase insurance until after the incident takes place,” explains Turner. “It’s very hard to quantify when you can’t actually show numbers of metrics especially when you are talking about responding to shareholders telling them that it was necessary for this particular expenditure but nothing happened. I would argue that that’s probably a job well done.”

Jim E. Finch, Assistant Director, Cyber Division at the FBI agrees with Turner.

“I think we are getting much better, just by virtue of the fact that there was a time when security was relegated to the IT department and they struggled for funding,” said Finch. “With the threat to data and the liability associated with not exercising due care in protecting that data, I think the security posture in both the government, in industry, has clearly been enhanced. Now they realize cyber security should be afforded the same level of dedication that we pay to our brick and mortar society.”

 

The results according to Finch are more companies investing in security; more companies taking those basic steps such as configuring firewalls properly, setting up IDSs properly and reorganizing their security departments.

 

“They are paying much closer attention to this because a lot of personal identification information is being lost,” noted Finch, “and there is liability associated with that so the security posture is a lot higher now. So I think we are being proactive just by virtue of necessity.”

 

Half The Equation

 

“The problem is if security is done correctly, nothing happens. The problem with that statement is that it’s only half of the equation,” said Lockheed’s Dr. Eric Cole.

 

“From an executive’s perspective, if security is done correctly, nothing happens,” explained Cole. “But we all know that to get to that point we all had to work like crazy, spend a lot of money and spend a lot of resources. The problem is that we are not communicating that up to our executives so they don’t understand what the real problem is.”

 

As the perfect example, Cole says that if you go to your top executives and ask them how many attempted attacks the network sees in a month, you’d be surprised at how low a number they’d give. The reason: we haven’t communicated how bad the problem is.

 

Cole’s recommendation is that every organization run a script that plots, on a single graph, the number of attempted attacks occurring and shows, based on past history, the impact an attack has had on a government agency or a commercial organization.

 

Cole put it this way. “Now when you show them we have 3000 attempted attacks that we are stopping every month; and here’s the damage or the money we save, now all of a sudden they’ll understand what the problem is. Instead of focusing on threats, which leads to reactive security, we will start to focus on vulnerabilities which will lead to proactive security solutions.”
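As an added example (not from the article or any panelist), here is a small Python version of the reporting script Cole describes, run over constructed firewall deny log lines; the log format, the breach rate and the per-breach cost are placeholder assumptions standing in for an organization’s own logs and incident history.

```python
"""
Added example, not from the article: a minimal version of the reporting
script Cole recommends. It counts blocked attempts per month from firewall
deny records and, using an assumed historical breach rate and per-breach
cost, estimates the loss avoided each month, so both numbers can be shown
to management on one chart.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log lines (assumption: one blocked attempt per DENY
# line; the field layout is invented for this example, IPs are from
# documentation ranges).
SAMPLE_LOG = """\
2008-01-03T09:12:44Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22 sig=ssh-bruteforce
2008-01-03T09:12:45Z ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443
2008-01-17T22:01:09Z DENY src=203.0.113.9 dst=10.0.0.5 dport=445 sig=smb-probe
2008-01-29T03:44:51Z DENY src=192.0.2.33 dst=10.0.0.12 dport=80 sig=sql-injection
2008-02-02T11:05:13Z DENY src=192.0.2.34 dst=10.0.0.12 dport=80 sig=sql-injection
2008-02-14T16:20:37Z ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443
2008-02-21T06:58:02Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22 sig=ssh-bruteforce
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=\S+ dport=\d+")


def blocked_attempts_per_month(log_text):
    """Return {'YYYY-MM': count} of DENY records, ignoring malformed lines."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "DENY":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        counts[ts.strftime("%Y-%m")] += 1
    return dict(counts)


def estimated_loss_avoided(counts, breach_rate, cost_per_breach):
    """Translate blocked attempts into dollars using past-history figures.

    breach_rate: fraction of attempts that historically became incidents
    when not blocked; cost_per_breach: average historical cost of one
    incident. Both are placeholders here, to be replaced by the
    organization's own incident records.
    """
    return {month: round(n * breach_rate * cost_per_breach, 2)
            for month, n in counts.items()}


def report(log_text, breach_rate=0.01, cost_per_breach=50_000):
    """Build the single table management would see: (month, blocked, $ avoided)."""
    counts = blocked_attempts_per_month(log_text)
    avoided = estimated_loss_avoided(counts, breach_rate, cost_per_breach)
    return [(m, counts[m], avoided[m]) for m in sorted(counts)]


if __name__ == "__main__":
    for month, blocked, dollars in report(SAMPLE_LOG):
        print(f"{month}: {blocked} blocked attempts, est. ${dollars:,.0f} avoided")
```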

 

14 Million

 

“My number at the FAA is 14 million,” said FAA’s Dave Bowen. “There are 14 million attempts to access our network we deny approximately every month. This gets reported to our management team.”

 

With a proactive CyberSecurity posture, the FAA’s incidence of personal identity theft has been cut in half over the last couple of years, and Bowen says the agency is tracking that.

 

“I heard a great comment,” said Bowen, “ease of use trumps security but embarrassment trumps ease of use.”

 

Navy CIO Rob Carey echoed the need to educate the very senior decision-makers on these issues.

 

“Once you have their buy in you can then afford yourself the opportunity to work their budget issues,” Carey said. “I would tell you five, seven years ago it was not a front burner issue for the Department of the Navy, it was an important issue, but it wasn’t at the front. Now it has gotten everyone’s attention, they focus on it, which allows people to deliver the solutions that we all need.”

 

“We have built things into our Navy-Marine Corps Internet to make security the cost of doing business, not something that was debated like it was a feature or a function that you wanted, but it is part of the cost of doing business,” Carey said.

 

All of these efforts demonstrate that you must inculcate security into programs when they are created. When the Clinger-Cohen Act came out, security was an afterthought; FISMA was Congress’s later attempt to bring security to the forefront. So now the watchword for security is “built in, not bolted on”. And it is all the more reason why FISMA should not be just a paperwork drill, but be used to raise the bar for the system or application.

 

###



 

 


The Challenges We Face

 

Forum panelists described the challenges they face daily.

 

Dave Bowen, FAA

 

As we look forward to see what the next generation of air traffic control is going to look like, we know it’s going to be increasingly digital, we know it will probably use pieces of the Internet, and we know that the entities operating in that, specifically the aircraft, are going to be more and more digitally enabled.

 

When you get customers on the aircraft being able to access the internet, you’ve got an increasing level of automation within the aircraft itself and obviously we have a concern about how that is going to operate in the airspace. So participating with the folks who are developing the next generation air traffic control system is something that will take more and more of our time.

 

Darren Ash, NRC

 

One is simply getting past the concept that the C&A process is just a paperwork process. You are dealing with risk; you want to get to that point of continuous monitoring. Getting people to recognize that it’s more than just developing a C&A package, but really tied into that is really ensuring that the business side of the house really understands and sees the value of what we do as security professionals, as CIOs.

 

A hot button issue is ensuring that we have cadres of folks within the agency and in industry that are qualified, that have the skills. For the folks that are doing software development, that they understand what the NIST requirements are, the FIPS requirements are, that they understand some of the techniques, some of the risks, some of the vulnerabilities and they address these as part of the software development process.

 

Rob Carey, Navy

 

The overall challenge is balancing this access to information with the appropriate level of security. There’s a really good book out there called Polarity Management; and this dynamic balancing is a polarity, it is a problem to be managed, so when you face security and access, you have to say security and access, security with access, not one or the other.

 

My biggest challenge is it is very easy to go one or the other directions. It is very difficult to manage the balance and deploy tools like identity management and role based access tools to allow you to afford access to those who need it but do it securely.

 

Jim Finch, FBI

 

Because of the global nature of the Internet I am constantly employing resources outside of this country to address the threats to the U.S. interests. As a matter of fact I set up a task force in Romania to address all of the crime targeting the U.S. on a daily basis.

 

And as a result of that I see a need for some uniformity in the global laws to address those perpetrators of crime over the Internet. I train a lot of officers from overseas because they have the same problems we have. The Internet has made the world’s criminals our criminals here in the U.S. and vice versa. So there is need for uniform global laws to address Internet crimes.

 

The other challenge I see is quicker turnaround by those companies that analyze malicious code with quicker turnaround in terms of getting those digital signatures out to the public. It’s very challenging, especially with the number of malicious code writers globally, but it’s one of the many ways we can defend our systems better if we have a quicker turnaround and certainly they’ve made great strides, but I’d like to see that time shortened considerably.

 

Dr. Eric Cole, Lockheed

 

Based on the fact that security is all about reducing the risk to critical assets, it’s all on data portability. The internet allows global connectivity which means our data is now more accessible and in many more places.

 

Instead of in the past when your data was just on a server, now think of all the locations it’s on – a server, a PDA, a Blackberry, laptop computer and the problem is if you look at where organizations have put most of their security effort, it’s in firewalls, IDSs and sound network architecture design and the reason for all of that was to protect their servers but really to protect the data on their servers.

 

Now that same exact data is put on a laptop, that laptop leaves an organization and is plugged into a hotel location or an airport and where’s all your firewalls and IDSs? They are all gone. We really need to make sure that end point security is becoming a priority.

 

Everybody is afraid of identity theft and all of these issues, but a lot of organizations and people still don’t really understand what that means. They wait for the fire to start before they do anything because functionality is still driving the train.

 

We have to realize that while functionality is important, there’s a balance between functionality and security and we have to make sure it’s incorporated from the beginning and we train our individuals so that they have knowledge and expertise.

 

One of the things we are doing at Lockheed Martin is we are teaming up with SANS, one of the leading security training providers, and we will actually be one of their first partners to be able to make sure that everyone inside has the proper skills and expertise needed to be able to go in and apply that to our customers, because our hope is that every organization does what we do at Lockheed, which is make security a way of life and apply it in everything that we do.

 

JF: Well said. And I like the comment about reducing risk. I think that’s a key here and when we talk about some of the other questions here about return on investment and so forth, I think the message is about reducing risk, is something that the top managers can relate to better than we need better information, period.

 

Dean Turner, Symantec

 

Definitely risk assessment and risk analysis; security is about a trade-off between what we need to do, what we can do and what we want to do and we can’t take that in. We focus a fair amount on the sharp end. We focus on firewalls, we focus on IDSs and we don’t necessarily focus on the business practices and risks associated with the collection and retention of data.

I think that one of the other challenges that we face is we’ve seen a very, very large increase in the amount of data theft and data leakages taking place. When we take a look at the numbers we see that government and education and financial services are responsible for the vast majority of the data theft and data leakage that takes place.

 

So we have to spend more time when we are doing our risk assessments on classifying the types of data. Not all data is necessarily worth protecting, some data is more valuable than others and we have to apply the appropriate resources at the appropriate locations taking into account that risk assessment.

 

Another challenge is simply the volume of threats. I know that Jim was talking about vendors being a little more responsive in terms of the time it takes to roll out definitions. I can tell you now that in 2006 we saw a little over 125,000 new malicious code threats. That has increased by over 600% in the past year.

 

So the sheer volume of the number of threats that are coming out there has meant that there needs to be a change and there is a challenge within the industry, and for us in particular, where we have to look at technologies that aren’t necessarily so reactive.

 

I think the industry as a whole has been reactive around things like purely antivirus definition. It’s a combination of things. So we have to look at technologies and one of the things Symantec is investing quite heavily in is looking at technologies that are not only proactive but also predictive in nature.

 

I think another area for us is cyber crime. It’s all about the money. And depending on what report you read, we are talking about billions and billions of dollars worldwide. It is a global decentralized network.

 

We are not talking about the cyber Sopranos, but we are talking about a level of sophistication and organization that’s been brought to this realm that sort of mirrors in a lot of ways professional software development. We’ve seen criminal attack tool kits that go to market strategies and support and all of these things, and that has really made it a pretty serious challenge not only for vendors, but also for the community at large.


###


 

 


A Digital Pearl Harbor: Hype or Reality?

 

High on the list of cyber security professionals is whether there is the possibility of a concerted, unprovoked cyber attack on networks worldwide; a “digital Pearl Harbor” that would damage or destroy much of our communications capabilities.

 

Opinions vary. Just read what Forum panelists had to say about this frightening prospect.

Darren Ash, NRC

“My own personal opinion is it is hype. I think we are doing a much better job, not just in the government but in the private sector too in terms of being more vigilant, becoming more aware, being more proactive. Ultimately I have confidence in what the agencies are doing in terms of putting the protective measures in place. Keeping us informed, keeping us active and ensuring that we are doing the right things.”

 

Jim E. Finch, FBI

“I have some concerns. I don’t believe it’s possible, but I do believe that multi-pronged, multi-vectored attacks could cause some problems but certainly not bring this country to its knees as depicted in Live Free or Die Hard with Bruce Willis.”

 

“Let’s take the attack on New York on 9/11, where cell phone services were flooded and as a result it brought down several services. People there in New York were without telephone service and the stock exchange was not operating as a result for a couple of days. I believe we’ve even gone beyond that with our current security posture and I don’t see a failure like that being very possible because of the security posture awareness. We are certainly learning, so I don’t have great concerns about that being possible. But it makes for great stories.”

 

Dave Bowen, FAA

 

“We know that there are nation states out there that have a doctrine around the use of cyber techniques for causing disruption to other entities. I just don’t think that we would be doing our job if we weren’t actively all the time considering the potential for some sort of focused attack against a segment or entire chunks of our critical infrastructure.”

 

Dean Turner, Symantec Corporation

“I think we need to be very careful when we use terms like digital Pearl Harbor. I think they are loaded, but I also think that we do need to be concerned about critical infrastructure. We know that sensitive government information is targeted. 85% of all critical infrastructures are in the public sector.

 

I think awareness is much more heightened today than it was 10 years ago and I think that in turn has increased scrutiny and forced companies into devoting more time and energy into protecting those assets. Do I think that the digital Pearl Harbor or something like that is likely? No, but I do think they are targets and that’s something that we need to pay attention to.”

 

Dr. Eric Cole, Lockheed Martin

“I’m going to agree with the other panelists by disagreeing with them. I think a single event that takes down the whole internet, which is what most people think of as a digital Pearl Harbor is possible but not very probable. I don’t think that is going to occur.

“But what I think is going to happen is a less dramatic digital Pearl Harbor that slowly targets our country and other countries for one or two years. A simple example is if I broke into a bank and stole $20 billion that would have a major impact on our economy and Wall Street.

What if I went in over the next three years and stole $10 from every human on the planet. That would add up to a $300 billion loss which is much more devastating, but because it’s a much slower drain, most people won’t recognize it until it’s too late and going back to the point, that’s why we’ve got to be proactive because we are not going to know that this is occurring because it’s such a low and slow attack until we wake up one morning and realize we have a major problem.”

Rob Carey, Navy

“I’m going to take the position that while I think the term digital Pearl Harbor is a little dramatic, I would say, and I would agree that an incident of major proportions could in fact occur.

 

I think how you define that is up to you, but our continued vigilance with what we do with network defense, allowing us to trust information that comes out of our networks to make decisions upon, we treat this very seriously because we commit lives to it every day, so we actually operate as if this could occur.

 

Taking down the Internet I think is virtually impossible but I also think that certain incidents could occur that could cause us to question our information and therefore drives us further into becoming proactive and staying ahead of this threat.”

 

###


Produced By
Trezza Media Group
Copyright © 2010 Public Sector Communications, L.L.C.