DHS archives - IT Compliance Advisor


Nov 20 2009   4:15PM GMT

Former cyber czar describes cybersecurity policy-making, faults FISMA



Posted by: Alexander Howard
Greg Garcia, United States, United States Department of Homeland Security, Security, Computer security, Electrical grid, Government, compliance, FISMA, DHS, cyber security, cybersecurity, cyberwar

How did the first U.S. “cyber czar” describe his time as the nation’s assistant secretary for Cybersecurity and Communications (CS&C)? Quoting Mark Twain, Greg Garcia observed that “a man who carries a cat by a tail learns something he can learn in no other way.”

Working at the Department of Homeland Security (DHS) was “like a paintball fight in an Escher painting,” Garcia said, adding that he described it that way “with great affection.”

Jokes aside, Garcia, who spoke at the CA IT Government Expo this week in Washington, was blunt about what it was like in the crucible of DHS cybersecurity policy-making. “Our adversaries right now are better organized and better motivated than we are,” he said. “We, as a nation, are at an inflection point in this national cybersecurity challenge. We have a foundation for organizational structure in the private sector. We need to build a trust framework. If you don’t have an affirmation of trust, even with the same team, you’re not going to be able to get to an effective real-time response.”

Garcia, who served as assistant secretary for CS&C from 2006 to 2008, broke down the components of the Comprehensive National Cybersecurity Initiative (CNCI) that President Bush signed in January 2008. The CNCI consists of 12 initiatives aimed at improving cybersecurity on federal networks, and it was prompted by what officials were observing at the time. “We were seeing terabytes of data flowing out of .gov networks,” said Garcia.

CNCI components include intrusion detection and prevention, research and development into so-called “leap ahead” technologies and better situational awareness, coordinated through the National Cybersecurity Center.

Garcia also advocated better counterintelligence for cybersecurity, “classified network security” (perhaps a reference to the Einstein monitoring program) and improved cyber education and training.

Echoing remarks by the NERC CSO last month, Garcia said he has had to think through how deterrence strategy changes in cyberwar, especially when other nation states are already present in the electric grid or in government networks. “At what point does a cyberattack become an act of war?” he asked. “How do you make it more dangerous for our adversaries to attack us? A lot of it has to do with attribution.”

Garcia affirmed the need for a Federal Information Security Management Act (FISMA) for ISPs, but said that “it needs to be market-driven, at least for now, until we can determine if there’s market failure. Every infrastructure sector has different business models and risk models.” Garcia provided what may be a controversial example: an initiative where major investment banks came together and “designed their own FISMA, if you will,” with auditors to assess financial network security.

When it came to the utility of FISMA in assessing cybersecurity readiness, however, Garcia had few kind words. “FISMA has not been successful, primarily because it has been a box-checking exercise,” he said. “It is not evaluating security. That’s a very hard thing to do, because you have different threat models and vulnerability environments.”


Nov 2 2009   9:26PM GMT

New rules for cyberwar being defined as cybersecurity risks grow



Posted by: Alexander Howard
United States, International Spy Museum, National security, Center for Strategic and International Studies, cybersecurity, DHS, FISA, Security

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, soberly assessed the risks to national security that lie ahead in cyberspace. “It’s primarily an espionage problem,” he said. “This is the easiest way to be a spy that has ever been invented … there’s zero chance of being caught and prosecuted if you’re smart about it.”

Lewis made that observation speaking on a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Awareness Month drew to a close.

Citing the cyberattacks on Estonia, Lewis, project director for the CSIS Commission on Cybersecurity for the 44th Presidency, said he anticipated more advanced attacks in future conflicts, mounted by militaries now and, further out, by non-state entities. “All advanced militaries now include cyberattack capabilities.” As he put it, “you can send missiles, commando teams — or you can send hackers. And hackers are much cheaper.”

Such attacks, however, “are not what we have to worry about,” Lewis said; it is “those that disrupt critical infrastructure” that keep him up at night. “The challenge is that the Internet was built for scientists,” he said, which meant that it was built to assume trust. The U.S. has “built an exceptionally insecure environment that our military and economy now depend on.” As a result, Lewis said, “the U.S. is more vulnerable than any other country,” because it has put the Internet to the fullest use for its economy, politics, research and military.

A central challenge in this new operational environment is that “the old Cold War notion of deterrence doesn’t work,” Lewis said. “We’ve put a lot of effort into the offensive side, but it hasn’t helped us on the cybersecurity side.” Reducing the nation’s exposure to cybersecurity risks is also hard because of the traditional approaches to solving problems on a national scale in the U.S. “Do we wait for the market or wait for something that has a larger role for government?” asked Lewis. It is difficult to discuss, he said, because “our ideology is to talk about a market solution, but we’re facing competitors who aren’t bound by that.”

There are also legal boundaries that must be considered in the context of new threat vectors and technologies. “The laws that we have to protect civil liberties and privacy were written 20 to 30 years ago,” said Lewis. “In the old days, you couldn’t look at traffic without understanding the content.”

Now, as he observed, the question is “How do you involve DHS? Or NSA? Some of this leads back to the FISA debate. To really defend cyberspace, you need better situational awareness. What we need to know for cybersecurity, you need to look at all the traffic coming into the U.S.” When Lewis asked how many in the audience would support such monitoring by DHS, however, few hands went up, a sign of how contentious such traffic inspection remains.



May 5 2009   6:03PM GMT

A certified security professional is not a compliance guarantee



Posted by: Scot Petersen
cybersecurity, ICE, forensics, certifications, licensing, compliance, DHS, DoD, NSA

Compliance and security consultant and TechTarget contributor Kevin Beaver checked in about the Cybersecurity Act of 2009, aka the kill-switch bill.

He agrees with other experts I’ve talked to on some key points about the proposed legislation, which would mandate that only certified security professionals be allowed to work on critical cyber infrastructure:

  • Licenses and certifications may be acceptable, but new compliance regulations around security are not needed, given all of the existing laws.
  • Compliance for compliance’s sake does not guarantee security.
  • In addition, the increased regulation of security professionals is spreading, with a few unintended consequences. As he wrote in a recent email:

    The same thing is being debated in the computer forensics field right now. Just like any other degree (i.e., M.D.), license (i.e., P.I. [private investigator], cybersecurity wizard, etc.), or certification (i.e., CISSP) — not a single one of them means you’re all of a sudden going to know your stuff and provide quality services.

    What it’ll end up doing is limiting the amount of professionals in the field. The politicians will then have more “control.” But, the law of unintended consequences has shown time and again that, long term, this will likely serve to create nothing more than a monopoly consisting of substandard security professionals. Everyone suffers.

    Ironically, several government agencies are vying for control of cybersecurity, or rather not to control cybersecurity, as it is too big a job for one agency. By my count, four agencies — the Department of Defense, the National Security Agency, the Department of Homeland Security and the Commerce Department — are in the mix, and now we have the proposed White House cyber office that would be created under the Internet Communications Enhancement Act.


Apr 6 2009   3:39PM GMT

Who is cyberspace director Melissa Hathaway, and why should we care?



Posted by: Sarah Cortes
Homeland security, National security, cybersecurity, compliance, DHS

April 17 is the deadline for Melissa Hathaway to put on the president’s desk the comprehensive 60-day U.S. cybersecurity review Obama mandated on Feb. 8. That was also the day he created her current title, “Acting Senior Director for Cyberspace” for the National Security and Homeland Security councils.

Hathaway is a person about whom we will be hearing a lot more, given the seriousness with which the Oval Office is taking cybersecurity threats. We care because, in addition to new requirements stemming from the soon-to-be-released report, her policies could influence the implementation of the new Massachusetts data protection law and existing data breach regulation. Both may have significant compliance effects on your business.

A former consultant with Booz Allen Hamilton, Hathaway has a reputation for concern about privacy. That was not a popular position under the Bush administration, where she had been working until Inauguration Day. Greater concern for privacy is good news, in general. How far she goes in mandating controls over data to ensure privacy will be the big question for organizations that must implement those controls.

Within the Bush administration, she was senior advisor to the Director of National Intelligence and Cyber Coordination Executive. She chairs the National Cyber Study Group, a senior-level interagency body that was instrumental in developing the Comprehensive National Cybersecurity Initiative (CNCI), aimed at improving the ability of the country to secure and defend its cyber infrastructure. In January 2008, Hathaway was appointed director of the Joint Interagency Cyber Task Force, which coordinates and monitors the implementation of the broad portfolio of activities and programs that make up the CNCI.
