Cyber Initiative

New Command to Focus on Cybersecurity for DoD and IC


The Wall Street Journal just ran an article titled “New Military Command to Focus on Cybersecurity.” In it, “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and to improve US offensive capabilities in cyberwar.

WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.   

My opinion:  This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”  

The WSJ article is consistent with what is going on and with what should be going on. I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required). And all players need to work with industry and allies in a coordinated, fast-moving way.

What does this mean for enterprise technologists? For the most part it is good news. But for day-to-day security operations in most enterprises, the relationships you have with other organizations will remain the same as before, for now. And the current body of best practices remains in place. You still need to understand, implement and follow the Consensus Audit Guidelines, for example. Doing that is going to help you, and it will help others too.

Triumfant real-time malware detection and remediation


As I’ve previously noted, I’m on the advisory board for Triumfant. I’m hoping all CTO types will check out this company (and I’m also hoping you don’t mind me blogging about a company I’m advising. After all, I’m associated with them because I believe they are a world-class outfit with a great capability).

In this post I want to bring your attention to a Triumfant press release announcing that Triumfant now provides real-time malware detection and remediation. Triumfant has long been the leading capability for discovering unexpected changes to computer endpoints; with the new Triumfant Resolution Manager they build on that ability to deliver zero-day malware protection.

My Opinion: NYT wants cyber security to be a divisive issue.


I just read an article that seems designed to keep spreading FUD (fear, uncertainty and doubt) about the US government and the NSA. The article is titled “Control of Cybersecurity Becomes Divisive Issue.” It opens with an assertion, stated as if it were fact, that “The National Security Agency has been campaigning to lead the government’s rapidly growing cybersecurity programs.”

I bump into all sorts of people in the Beltway, and there is a huge amount of buzz regarding cyber. There is also a huge amount of pontification, rumor and hype, and I think Risen and Lichtblau have fallen for some of it.

The Number One Reason To Move To Open Source: Security


I just read Bill Vass’s latest blog entry, titled “The No. 1 Reason to Move to Open Source is to IMPROVE Security.”

Bill opens this article with:

If you are like me, and you have been involved in cryptography and Cyber Security for a long time, it’s obvious to you that commercial open source code is more secure. As a matter of fact, in the late 90s, many of the Intelligence agencies’ mission systems and the DoD tactical systems moved to open source ONLY to improve security. Today, the majority of the critical systems in the Intelligence agencies (the people that care most about Cyber Security) run on open source operating systems like Solaris and Linux. The same is true of places like the FAA, IRS, and a whole lot of other organizations that care about security.

We have a saying in the world of Cyber Security: Security through obscurity, isn’t.


Responding Strategically to Cyber Attacks


The last 12 months have seen a significant amount of progress in our nation’s awareness of cyber threats and in our collective actions to address the security of our IT systems. However, a huge amount of work remains to be done.

In a cyber context, the situation is a little like the one Winston Churchill described when he said: “This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”

We in the cyber world have taken some serious blows, and we are shoring up our defenses. But there is a long, long way to go before our objectives are met.

With this post I want to provide a snapshot of some of the progress of late.

1) CNCI: The Comprehensive National Cybersecurity Initiative provided a kickstart to many elements of the federal enterprise and facilitated coordinated action by multiple agencies. It was also an important evolution for Congress. The changes to the federal budget and the intentions of agencies were very positive. It is my opinion that the CNCI made a lasting positive difference in reducing unauthorized access into the federal enterprise and in enhancing the resiliency of our systems.

2) The CSIS report and related actions/studies: This 8 Dec 2008 report is the result of hard work and collective study by some of the best brains in the cyber security world. The commissioners on the study are a who’s who of security, and the quality of this report is a direct reflection of that fact. The report offers recommendations on multiple hard areas and should be referenced by anyone making decisions in the IT arena. A recent related development is the posting by SANS of the Consensus Audit Guidelines. This is a fantastic step towards providing guidelines for enhancing security and functionality.

Video for the Enterprise CTO


I enjoy learning from and interacting with great CTO teachers face to face, which is why direct meetings are an incredibly important part of life. But that model does not scale well. There is no way any human can schedule enough time, meetings, conferences and interactions to tap into all the great teachers out there.

Social media can help in a couple of ways. For example, when used properly, it can help you connect with and learn from others in a way that is non-obtrusive to them. It can also help you determine who has credibility in their field, which can be of use at times. And it can help you find the best works to read and study, which is another way of learning from the masters while also coping with information overload.

I’ve just integrated another way of learning from the masters into the site at http://ctovision.com. The site is now leveraging a YouTube channel designed specifically for enterprise CTOs. It also embeds automated searches on YouTube focused on Information Technology and provides simple ways to kick off your own search.

Here is how it works and what the social media connection is: a video I find that I believe to be relevant to enterprise CTOs (for example, Nicholas Carr talking about “The Big Switch,” or a product demo for a hot technology like Plastic Logic) is tagged as a “favorite” on YouTube. It is then automatically available as the first choice of video in the player I have embedded on the front page at http://ctovision.com. That player and other videos, including all that are relevant to searches on terms like “Information Technology,” are also on the new CTOvideo page at http://www.ctovision.com/cto-video.html

Additionally, the sidebar of the blog now has videos the Google and YouTube search algorithms think are relevant to the content. 

How can you help drive the content of the video displayed?  As always I really appreciate your feedback, via any path that is easy for you.  You can send e-mail or leave comments on any post suggesting any video.  You can also connect to me on Twitter or Facebook and we can interact on the topic there.   And if you have a YouTube account we can connect there.  I’m http://www.youtube.com/user/ctovision

 

White House Conducting Review of Cyber


Followers of the cyber initiative and its related work have been strongly encouraged by the kickoff of a 60 day study tasked by the White House and led by Melissa Hathaway.  Melissa was named by President Obama to conduct this review.   As has been reported here in previous posts Melissa is one of the most effective, efficient senior executives in public service, and I have no doubt she will execute this task in a way that benefits the nation. 

As an update, the White House blog posted an entry on this study today.  It reads as follows:

QUOTE:

 

White House Blog
Monday, March 2nd, 2009 at 11:14 am

Cyber review underway

John Brennan, Assistant to the President for Homeland Security and Counterterrorism, passed along this update about the ongoing review of our nation’s communications and information infrastructure.

In response to President Obama’s direction, the National Security Council and Homeland Security Council are presently conducting a 60-day review of the plans, programs, and activities underway throughout the government that address our communications and information infrastructure (i.e., cyberspace). The purpose of the review is to develop a strategic framework to ensure that our initiatives in this area are appropriately integrated, resourced and coordinated both within the Executive Branch and with Congress and the private sector.

Our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated. Safeguarding these important interests will require balanced decision making that integrates and harmonizes our national and economic security objectives with enduring respect for the rule of law. Guided by this principle, the review will build upon existing policies and structures to formulate a new vision for a national public-private partnership and an action plan to: enhance economic prosperity and facilitate market leadership for the U.S. information and communications industry; deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure; ensure U.S. capabilities to operate in cyberspace in support of national goals; and safeguard the privacy rights and civil liberties of our citizens.

The review will be completed by the end of April 2009. At that time, the review team will present its recommendations to the President regarding an optimal White House organizational construct to address issues related to U.S. and global information and communications infrastructure and capabilities. The recommendations also will include an action plan on identifying and prioritizing further work in this area.

Learn more about the administration’s Homeland Security priorities.

UNQUOTE

The very existence of this White House blog entry is a huge signal that something has changed. Openness on this topic was unthinkable just months ago. We have also seen more direct work with industry groups on cyber, another positive step.

There is a great deal of work to be done in a very short amount of time. Whatever the result of this review is, I’m sure it will be first rate, and I’m ready to support it fully. It is not often that I endorse something before it is done, but in this case I think it is the right thing to do. There are too many bad things happening because of poor security, and too much of the economy is hurting because of it.

For more on related topics see:

Foreign Spies Make Recession Worse and Steal Part of Our Future

and

The Future of Cyber Security and Cyber Conflict

Enhancing Security and Functionality At The Same Time


Have you ever been sucked into the false debate over how much of the IT budget should be spent on security? I used to be, all the time. Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.” That old-school formula may well be part of the reason we got into the mess we are currently in. It encourages the thought that security can be separated out. By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.

Really, security is about ensuring the confidentiality, integrity and availability of information. And those properties are inseparable from the functionality of IT. I try whenever possible to use the terms security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not just about security. I put it this way: “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.” Putting the goal this way also underscores that it is not security vs. functionality. Both need to increase.

This goal also cries out for metrics in security and functionality. For functionality there are many customer-focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop by two orders of magnitude as well. If there were 50,000 detected intrusions in 2008, there should be fewer than 500 in 2010. One caveat: a drop in detected intrusions is only meaningful if detection coverage is holding steady or improving; otherwise fewer detections can simply mean fewer things are being looked for.

That is a dramatic goal. What makes me think it is achievable? In part, the dramatic action being put in place today in the federal space. In part, dramatic new technologies and approaches like private clouds, thin client computing, and enhanced identity management and authorization methods. But more important and more relevant than all of that, in my opinion, is the coordinated action and leadership underway by CIOs, CISOs and the security experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.  
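The first group of controls above is singled out because it can be measured automatically, and that measurement is what turns a control into a metric a CISO can trend. As an added example (not from SANS or the CAG document), the Python below measures two of those controls against constructed sample data: control 2 (software not on the authorized baseline, per host) and control 11 (dormant accounts, defined here by an assumed 90-day last-login threshold). The host names, package names, account names, dates and threshold are all assumptions made for illustration; a real deployment would feed in inventory and authentication data from the enterprise's own agents and directories.

```python
"""Automated measurement for two Consensus Audit Guidelines controls.

Added example, not SANS or CAG code. All baselines, host inventories,
account records and the dormancy threshold are constructed assumptions.
"""
from datetime import date

# Control 2: the organization's authorized software baseline (constructed).
AUTHORIZED_SOFTWARE = {"openssh", "postfix", "chrony", "rsyslog"}

# Per-host installed software as an inventory agent might report it (constructed).
HOST_SOFTWARE = {
    "web01": {"openssh", "chrony", "rsyslog"},
    "web02": {"openssh", "chrony", "rsyslog", "netcat"},          # netcat not authorized
    "db01": {"openssh", "postfix", "chrony", "rsyslog", "tftpd"},  # tftpd not authorized
}

# Control 11: last successful login per account, ISO date or None = never (constructed).
ACCOUNT_LAST_LOGIN = {
    "alice": "2009-02-27",
    "bob": "2008-10-01",
    "svc_backup": None,
    "carol": "2009-03-01",
}

DORMANT_DAYS = 90            # assumed policy threshold
AS_OF = date(2009, 3, 2)     # assumed assessment date


def unauthorized_software(host_software, authorized):
    """Map each host to the sorted list of packages absent from the baseline.

    Hosts with nothing unexpected are omitted, so an empty dict means clean."""
    findings = {}
    for host, installed in host_software.items():
        extra = sorted(installed - authorized)
        if extra:
            findings[host] = extra
    return findings


def dormant_accounts(last_login, as_of, dormant_days=DORMANT_DAYS):
    """Return sorted accounts with no login in the last dormant_days days.

    Accounts that have never logged in are treated as dormant: an enabled
    account nobody uses is exactly what this control exists to catch."""
    dormant = []
    for account, last in last_login.items():
        if last is None:
            dormant.append(account)
            continue
        idle = (as_of - date.fromisoformat(last)).days
        if idle > dormant_days:
            dormant.append(account)
    return sorted(dormant)


def compliance_metrics(host_software, authorized, last_login, as_of):
    """Roll both measurements into numbers that can be trended over time."""
    bad_hosts = unauthorized_software(host_software, authorized)
    dormant = dormant_accounts(last_login, as_of)
    total = len(host_software)
    clean = total - len(bad_hosts)
    return {
        "hosts_total": total,
        "hosts_with_unauthorized_software": len(bad_hosts),
        "pct_hosts_clean": round(100.0 * clean / total, 1),
        "dormant_accounts": len(dormant),
    }


if __name__ == "__main__":
    print(unauthorized_software(HOST_SOFTWARE, AUTHORIZED_SOFTWARE))
    print(dormant_accounts(ACCOUNT_LAST_LOGIN, AS_OF))
    print(compliance_metrics(HOST_SOFTWARE, AUTHORIZED_SOFTWARE, ACCOUNT_LAST_LOGIN, AS_OF))
```

Run as-is, the script flags netcat on web02 and tftpd on db01, reports bob and svc_backup as dormant, and summarizes that one of three hosts is clean. The point of the roll-up function is the one made in the post above: a control only counts once you can put a number on it and watch that number move month over month.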

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise. 

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute. “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”
 

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

A Blog I Like: Haft of the Spear


Michael Tanji brings a perspective forged in years of intelligence work and a successful stint protecting information in the financial sector. He is a widely published author who focuses on national security issues and is also a thought leader in the computer security domain.

At Haft of the Spear he writes primarily about technology related/enabled national security issues, which includes a heavy dose of information warfare. 

Read HOTS at: http://haftofthespear.com/

Next week I write about Nicholas Carr and his Rough Type blog.

Foreign Spies Make Recession Worse and Steal Part of Our Future


Foreign spies are in our country for many bad reasons. Spies target defense secrets and seek to penetrate the decision-making process of our government leaders. They also gain unauthorized access to information held by our nation’s corporations. In this time of serious economic crisis this aspect of the threat from foreign spies is particularly troublesome. Spies contribute to the problems we face in the economy.

Today one of the most damaging things spies do is steal the trade secrets and intellectual property of our corporations and research labs. The intellectual property they steal is moved overseas, where other countries (and companies inside those countries) can benefit from the investments we make in research and development. This hurts our economy in many ways. It squanders much of the value of our research and development. It hurts the ability of our companies to compete in the global marketplace. It causes more jobs to go overseas. It can threaten the survival of companies, which of course hurts both investors and employees. This is all bad for the economy. And it’s all WRONG! Our country needs to invest enough in our counterintelligence capabilities to find foreign spies and get them out of here.

A particularly insidious threat is one where a country couples the power of spies within our borders with cyber attacks and cyber espionage, extracting information from companies while at the same time monitoring the response to those attacks. Humans can enable cyber attacks in many ways that make them far more damaging. In fact the most feared type of data theft is one where a trusted insider moves data. With modern high-capacity thumb drives, large quantities of data can be moved in moments.

I just read an article by an authoritative source on this topic, Michelle Van Cleave. Michelle served as the head of U.S. counterintelligence from July 2003 through March 2006 and was in a position to observe firsthand some of the damage being done by foreign spies. The article outlines examples and gives a firsthand account of some of the challenges we face in this area. It concludes with:

How important is all of this, really? Cynics will scoff and say, “There will always be spies.” But I have read the file drawers full of damage assessments; I have catalogued the enormous losses in lives, treasure and crucial secrets that foreign intelligence work has caused. The memory of what’s in those files — and the thought of the people and the operations still in harm’s way — can keep me awake at night.

So we have to choose. We can handle these threats piecemeal, or we can pull together a strategic program — one team, one plan, one goal — to reduce the overall danger. We can chase individual spies case by case, or we can target the services that send them here. The next devastating spy case is just around the bend. I fear that when it comes, we will all ask ourselves why we didn’t stop it. I suspect I already know the answer.

I recommend this article to all, especially enterprise technologists. If you are a CTO, a CIO or a CISO, it is especially important for you to understand the nature of the threat to your systems and to your intellectual property. If you are a citizen it is important for you to know as well. We must collectively address this challenge to our intellectual property and to our economic recovery.

For more on these topics please see:

http://www.ctovision.com/cyber-war/

and

http://www.ctovision.com/information-warfare/