CyLab
We Have A Cyber Czar, and He Has Spoken
A debate has been running for months both among government thought
leaders and the technical literati on whether or not the US should appoint a
“Cyber Czar” who can exert authority over IT security in the federal space or perhaps even
aspects of the nation’s IT defenses. This is a complex discussion
that has had some of the greatest thinkers in and out of government
involved. A great snapshot of issues and the opinions of many well
reasoned experts are expressed in the CSIS report “Securing Cyberspace for the 44th Presidency” and other
thoughts are here: The Future of Cyber Security and here: Threats In the Age of Obama .
Unfortunately for those who would like to still debate and discuss this
issue, there is already a Cyber Czar who can accomplish most all his
objectives in our networks. His name is Russian Prime Minister
Vladimir Putin. This former KGB operative now controls Russia with an
iron fist and has shown others again and again he will exert influence
anywhere he needs to in order to accomplish his objectives. He will
use tanks when required and cyber when desired and combinations when it
suits him. There are indications his agents are also in our networks
now. If our objectives are to keep players like him out, we cannot say
we are accomplishing them. If his objectives are to get in, then we
can say he is accomplishing them. Till this situation changes, we
need to confront then this new reality: Vladimir Putin is the Cyber
Czar.
We have our own great technologists and wizards of cyber, of course.
And we have great hero entrepreneurs of technology who have built the
cyber world we all use today. One of those greats is Michael Dell,
creator of an idea and corporation that develops, manufactures, sells
and distributes personal computers we all depend on.
But he is someone who will now think twice before thinking he can
interact as a peer to Cyber Czar Putin. After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell
praised Russia’s technical and scientific prowess and asked a nice,
friendly question: “How can we help.” As a former govie CTO I would
get asked that type of question all the time from industry and really
appreciated it whenever a senior thought leader would ask that. But
not Czar Putin. He did not appreciate that at all. Putin was
offended by the assertion that the mighty Russia might need help in anything Cyber.
The exchange is captured here on YouTube:
Fortune: described the exchange this way:
“Putin’s withering reply to Dell: “We don’t need help. We are not
invalids. We don’t have limited mental capacity.” The slapdown took
many of the people in the audience by surprise. Putin then went on to
outline some of the steps the Russian government has taken to wire up
the country, including remote villages in Siberia. And, in a final dig
at Dell, he talked about how Russian scientists were rightly respected
not for their hardware, but for their software. The implication: Any
old fool can build a PC outfit.”
Clearly cyber domination is personal with Putin. He is the Cyber Czar.
I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT: Please don’t be
pleased with this current situation. Please don’t just think the title
of Cyber Czar I’ve now used to describe Putin is something we should be
proud of. It is not. We should continue to act till we are able to
assert that we are masters of our own networks. Our nation’s
intellectual property, including the intellectual property of all our
companies and citizens, is too important to let it be given away
without at least a cyber fight.
CTOs, Global Cyberwar and Our Collective Future
If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity. This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read. It is also a roadmap that will help any trying to navigate these very tough issues.
I've been involved in things cyber for a long time. My deepest
involvement began in December 1998, almost 10 years ago to the day.
In all that time I've seen lots of studies and lots of papers and many
treatments of the issues. But I've never seen one that captures the
complexities and the need for specific actions as well as this one.
I'd really recommend you read every word, if you want to be considered literate in this field. But if it will be a little while till you get to it, here are some key points:
The three major findings are: 1) Cybersecurity is now a major national security problem for the U.S., 2) Decisions and actins must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.
The report makes a few points about the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI). In general the give credit to that initiative, and call it good. I agree, it is a great activity I've previously written about that is led by one of the most effective people in government today and has done great work. But as the comission points out, the work of the CNCI is good but not sufficient.
The biggest shock for me in this study: The amount of funding on R&D for cyber security. I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well funded effort. According to the comission, however, they estimate that the total R&D funding in the federal government for cybersecurity is about $300million. Less than two-tenths of one percent of the total federal R&D.
The report has a great section on identity manangement.
I am convinced the organizational approaches outlined in the study are the right ones as well. There is only one place in our government where we can lead solutions to this challenge. Where is that? Hey read the report!
What else do I recommend CTOs do besides read the report? I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security. A few are here:
http://www.ctovision.com/2008/05/standards-organizations-ctos-should-track.html
Melissa Hathaway Op-Ed on Cyber Security
I wanted to post this in totality for a couple reasons. One is it is something all of us should read. Although I believe most readers of this blog will find no surprises in this op-ed, Melissa has a real talent for capturing information in easy to understand ways and I think we can all borrow lessons from the way she explains things.
Automated Resolution of IT Problems
In January 2008 I was named to the advisory board of Triumfant, a
company who has mastered the automated detection and resolution of IT
problems. Of all the IT firms I’ve seen, they are the ones with the
most comprehensive approach to automated resolution management and the
only one I’ve seen that can automate the entire lifecycle of IT problem
management, from identification to resolution.
I recently read some very exciting news about Triumfant. They have
just signed a partnership agreement with one of the largest suppliers
of computers to the federal government: computer giant Dell Inc.
Triumfant software will be sold pre-installed on Dell computers to
federal customers running Microsoft Windows XP and Vista.
I take this as a huge endorsement of the Triumfant approach of
automated process monitoring and IT compliance enforcement. This agreement between Triumfant and Dell is
also great news for enterprise CTOs and other technologists who must
meet the mandate of the OMB’s Federal Desktop Core Configuration
(FDCC).
CMU: An impressive resource
I recently finished a visit to one of our nation's greatest intellectual resources, the school of computer science at Carnegie Mellon University. The incredible work being accomplished at the university includes the globally famous Software Engineering Institute and the equally renowned CERT/CC. CMU also serves the nation by hosting and supporting Cylab. More on each of these is below.
SEI is a Federally Funded Research and Development Center (FFRDC). SEI processes and practices, which are almost certainly familiar to readers of this blog, are now being taught at universities everywhere. Their comprehensive approach to quality is being used today by development organizations around the world and is producing fantastic results. There are many reasons for this, but the short version is that SEI processes like the Capability Maturity Model Integration (CMMI), the Team Software Process (TSP) and the Software Engineering Measurement and Analysis (SEMA) have proven to enhance the quality and performance of software activities while reducing cost and development time. Read more at: http://www.sei.cmu.edu.
The CERT/CC is a group I first stared working with in December 1998 when I was one of the startup grew of the JTF-CND. I've been a big fan of them sever since, and have tried to track what was going on there, but frankly I lost touch and am really glad I got the in person update. The CERT/CC is a critical enabler of hte IT industry's ability to detect and remediate vulnerabilities, conduct computer forensics, visualize cyber information, and respond to incidents of every scale. For more on the CERT read more at: http://cert.org.
The Cylab is the nation's largest university based research and education program focused on cyber security, dependability and privacy. Cylab conducts sponsored research as one of the NSF CyberTrust centers. According to the CyLab website:
The CyLab Strategy is to integrate response, prediction, research
and development, and education both nationally and internationally and
build capacity in:
- Technology – by pursuing an aggressive, highly
interdisciplinary research and development agenda that integrates
technology, policy, and management- Human Resources – by educating professionals in Information Technologies, Business, and Policy, and by creating “cyber-aware” citizens worldwide
- Industry – by transitioning technologies to large, medium, and small companies and by creating start-ups
For more on the Cylab read more at: http://www.cylab.cmu.edu/.
Thanks to all at CMU for doing what you do, it is really appreciated by computer scientists, CTOs and leaders everywhere. Please keep it up.
CTOvision Blog 