CyberTrust
New Command to Focus on Cybersecurity for DoD and IC
The Wall Street Journal just ran an article titled: “New Military Command to Focus on Cybersecurity.” In it they indicate “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and improve US offensive capabilities in cyberwar.
WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.
My opinion: This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”
The WSJ article is in consonance with what is going on and what should be going on. I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required). And all players need to work well with industry and allies in a coordinated, fast moving way.
What does this mean for enterprise technologists? For the most part it is good news. But for day-to-day security operations in most enterprises, the relationships you have with other organizations will remain the same as before, for now. And the current body of best practices remains in place. You still need to understand, implement and follow the Common Audit Guidelines, for example. Doing that is going to help you and will help others too.
Triumfant real-time malware detection and remediation
As I’ve previously noted, I’m on the advisory board for Triumfant (I’m at this page). I’m hoping all CTO types will check out this company (and I’m also hoping you don’t mind me blogging about a company I’m advising. After all, I’m associated with them because I believe they are a world-class outfit with a great capability).
In this post I want to bring your attention to a Triumfant press release. It is an announcement that Triumfant now provides real-time malware detection and remediation. Triumfant has long been the leading capability for discovering unexpected changes to computer endpoints, but with their new Triumfant Resolution Manager they build on that ability to deliver zero-day malware protection.
My Opinion: NYT wants cyber security to be a divisive issue.
I just read an article that seems designed to keep spreading FUD (Fear, Uncertainty, Doubt) about the US government and the NSA. The article is titled “Control of Cybersecurity Becomes Divisive Issue.” It opens with an assertion stated as if it were a fact: “The National Security Agency has been campaigning to lead the government’s rapidly growing cybersecurity programs.”
I bump into all sorts of people in the beltway, and there is a huge amount of buzz regarding cyber. There is also a huge amount of pontification and rumor and hype, and I think Risen and Lichtblau have fallen for some of that.
Enhancing Security and Functionality At The Same Time
Have you ever been sucked into the false debate over how much of the IT budget should be spent on security? I used to be, all the time. Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.” That old-school formula may well be part of the reason we got into the mess we are currently in. It contributes to thinking that security can be separated out. By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.
Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT. I try whenever possible to use the term security and functionality in the same context just to underscore that point.
For example, the goal I continually push regarding security in the federal space is not one dealing with security alone. I put it this way: “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.” Putting the goal this way also underscores that it is not security vs. functionality. Both need to increase.
This goal also cries out for metrics in security and functionality. For functionality there are many customer-focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly. If there were 50,000 detected intrusions in 2008, there should be fewer than 5,000 in 2010.
That is a dramatic goal. What makes me think it is achievable? In part the dramatic action being put in place today in the federal space. And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods. But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.
As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines. Details of this effort are at http://www.sans.org/cag/
The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:
Critical Controls Subject to Automated Measurement and Validation:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them. The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.
What should CTOs think about this guidance? As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.
The deeply respected community leader Alan Paller said it this way:
“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute. “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”
Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.
We Have A Cyber Czar, and He Has Spoken
A debate has been running for months, both among government thought leaders and the technical literati, on whether or not the US should appoint a “Cyber Czar” who can exert authority over IT security in the federal space or perhaps even aspects of the nation’s IT defenses. This is a complex discussion that has had some of the greatest thinkers in and out of government involved. A great snapshot of the issues and the opinions of many well-reasoned experts is expressed in the CSIS report “Securing Cyberspace for the 44th Presidency”; other thoughts are here: The Future of Cyber Security, and here: Threats In the Age of Obama.
Unfortunately for those who would like to keep debating and discussing this issue, there is already a Cyber Czar who can accomplish most all his objectives in our networks. His name is Russian Prime Minister Vladimir Putin. This former KGB operative now controls Russia with an iron fist and has shown others again and again that he will exert influence anywhere he needs to in order to accomplish his objectives. He will use tanks when required and cyber when desired and combinations when it suits him. There are indications his agents are also in our networks now. If our objectives are to keep players like him out, we cannot say we are accomplishing them. If his objectives are to get in, then we can say he is accomplishing them. Till this situation changes, we need to confront this new reality: Vladimir Putin is the Cyber Czar.
We have our own great technologists and wizards of cyber, of course. And we have great hero entrepreneurs of technology who have built the cyber world we all use today. One of those greats is Michael Dell, creator of an idea and a corporation that develops, manufactures, sells and distributes the personal computers we all depend on.
But he is someone who will now think twice before assuming he can interact as a peer with Cyber Czar Putin. After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell praised Russia’s technical and scientific prowess and asked a nice, friendly question: “How can we help?” As a former govie CTO I would get asked that type of question all the time from industry and really appreciated it whenever a senior thought leader would ask. But not Czar Putin. He did not appreciate it at all. Putin was offended by the suggestion that mighty Russia might need help in anything cyber.
The exchange is captured here on YouTube:
Fortune described the exchange this way:
“Putin’s withering reply to Dell: “We don’t need help. We are not invalids. We don’t have limited mental capacity.” The slapdown took many of the people in the audience by surprise. Putin then went on to outline some of the steps the Russian government has taken to wire up the country, including remote villages in Siberia. And, in a final dig at Dell, he talked about how Russian scientists were rightly respected not for their hardware, but for their software. The implication: Any old fool can build a PC outfit.”
Clearly cyber domination is personal with Putin. He is the Cyber Czar.
I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT: Please don’t be pleased with this current situation. Please don’t think the title of Cyber Czar I’ve now used to describe Putin is something we should be proud of. It is not. We should continue to act till we are able to assert that we are masters of our own networks. Our nation’s intellectual property, including the intellectual property of all our companies and citizens, is too important to let it be given away without at least a cyber fight.
Melissa Hathaway Op-Ed on Cyber Security
I wanted to post this in its entirety for a couple of reasons. One is that it is something all of us should read. Although I believe most readers of this blog will find no surprises in this op-ed, Melissa has a real talent for capturing information in easy-to-understand ways, and I think we can all borrow lessons from the way she explains things.
Performance Management In Organizations and Computers
There are some interesting analogies between performance management applied to organizations and performance management applied to computers.
In both cases, performance metrics are crucial to success. In organizations, what we reward gets measured, and what gets measured can be more efficiently and effectively done. In our computers, what we decide is important gets measured, and those measurements can help us drive to increasingly effective and efficient performance.
Automated Resolution of IT Problems
In January 2008 I was named to the advisory board of Triumfant, a company that has mastered the automated detection and resolution of IT problems. Of all the IT firms I’ve seen, they are the ones with the most comprehensive approach to automated resolution management and the only one I’ve seen that can automate the entire lifecycle of IT problem management, from identification to resolution.
I recently read some very exciting news about Triumfant. They have just signed a partnership agreement with one of the largest suppliers of computers to the federal government: computer giant Dell Inc. Triumfant software will be sold pre-installed on Dell computers to federal customers running Microsoft Windows XP and Vista.
I take this as a huge endorsement of the Triumfant approach of automated process monitoring and IT compliance enforcement. This agreement between Triumfant and Dell is also great news for enterprise CTOs and other technologists who must meet the mandate of the OMB’s Federal Desktop Core Configuration (FDCC).