CIO

A Profound Moment in Cybersecurity

Richard Power looks at the big picture and how security must move forward

The moment is a profound one.

A new administration is in the process of taking over the reins of the vast realm of the U.S. federal government. The nation is confronted with serious threats both global and domestic: economic and financial crisis, terrorism, nuclear proliferation, organized crime, climate change and even potential pandemics.

And then there is the ever-broader scope of cyber-related risks and threats, significant on its own, and far more significant when interwoven with all of the others, as it is well on its way to becoming.

What direction will this new administration take?

Will it show it has learned the lessons of the last decade?

Will it lead? And if it leads will it take the country in the right direction?

These questions of leadership, of course, are predicated on another, much more disturbing question: even if the administration decides to lead in a meaningful and substantive way, and even if it chooses the right direction, will anyone in the commercial sector, or even the public sector, really follow in any reciprocally meaningful and substantive way?

Recently, at the height of the 2009 RSA Conference in San Francisco, I found myself ensconced on the second floor of the XYZ Lounge of the W Hotel, across the street from the Moscone Center, attempting to escape these daunting ruminations by engaging a young German executive and his happy client in a conversation about the problem of spam.

Talking with Gerhard Eschelbeck, CTO of Webroot (www.webroot.com), and Michael Skaff, CIO of San Francisco Symphony, I could put the following two blockbuster stories, and their implications, out of my mind for the better part of an hour:

"Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war." Siobhan Gorman, Wall Street Journal, 4-8-09

"Nearly 1,300 computers in more than 100 countries have been attacked and have become part of a computer espionage network apparently based in China, security experts alleged in two reports Sunday. The network was discovered after computers at the Dalai Lama's office were hacked, researchers say. Computers -- including machines at NATO, governments and embassies -- are infected with software that lets attackers gain complete control of them, according to the reports." Reports: Cyberspy network targets governments, CNN, 3-29-09


I do not usually schedule talks with vendors and their customers, but in the shadow of these two stories, the e-mail problems of the San Francisco Symphony, and how a SaaS solution might actually have solved them, appealed to me in a new and endearing way. Instead of indulging my preoccupation with critical infrastructure attacks, and my personal concern for the security and confidentiality of the Dalai Lama's communications, I found myself listening to a practical tale, with a happy ending, about people who bring Beethoven and Berlioz to the atmosphere of a major metropolis, and how technology had been applied to enhance their security and improve productivity in an economical way.

Skaff offered me some background on the e-mail problems SF Symphony was facing before implementing Webroot.

"We had two issues: one concerned functionality (old anti-spam was not performing well, and not effectively screening spam), and the other was simply one of volume, i.e., we had roughly 1.4 million spam e-mails/month versus roughly 70,000 valid emails, which was congesting our internet pipe and overwhelming the older server the anti-spam software was running on."

He also articulated significant cost-savings and productivity gains that resulted from implementing the solution.

"We saw immediate (i.e., in a matter of days) productivity gains that were immediately noticed, and commented on by the staff here. I had folks stop me in the hall to let me know how much time the new solution was saving them. We also re-gained a significant portion of our internet bandwidth back from the spam that had been clogging it. Deployment was simple, and allowed us to achieve immediate benefits (primarily system performance and availability, in addition to the staff productivity) while we updated other components of our e-mail infrastructure."

And how did Webroot solve these problems for Skaff and the Symphony?

"By accepting our inbound mail flow via re-directed MX records, and giving us back the valid mail, and a significantly decongested pipe. On average, they have removed ~97% of the total volume as spam, and they provide an enterprise console to tune white lists, release any false positives, check logs, run reports, etc."
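Redirecting MX records to a hosted filter, as Skaff describes, only works if the filter is the sole path into the mail server. The two ways it is commonly undermined are a leftover MX record that still points at the on-premises host, and an SMTP service that accepts connections from anyone rather than only from the provider's relays; spammers routinely deliver straight to the origin to skip the filter. The following is an added example, not code from the original article, from Webroot or from the Symphony, that checks for both conditions. The zone snippet, the Postfix-style smtpd log lines, the provider's MX hostname suffix (`.filter.example`) and its relay range (203.0.113.0/24) are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed provider details (constructed for this example).
FILTER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
FILTER_MX_SUFFIX = ".filter.example"

# Constructed zone-file excerpt: the 50-priority record is the old
# on-premises server that was never removed after the cut-over.
ZONE = """
example.org.  3600 IN MX 10 mx1.filter.example.
example.org.  3600 IN MX 20 mx2.filter.example.
example.org.  3600 IN MX 50 mail.example.org.
"""

# Constructed Postfix smtpd log lines from the on-premises server.
SMTPD_LOG = """
Apr  8 10:01:02 mail postfix/smtpd[1201]: connect from mx1.filter.example[203.0.113.10]
Apr  8 10:01:09 mail postfix/smtpd[1202]: connect from unknown[198.51.100.7]
Apr  8 10:02:44 mail postfix/smtpd[1203]: connect from mx2.filter.example[203.0.113.11]
Apr  8 10:03:15 mail postfix/smtpd[1204]: connect from unknown[198.51.100.7]
Apr  8 10:05:30 mail postfix/smtpd[1205]: connect from unknown[192.0.2.33]
"""

MX_RE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\.$")
CONNECT_RE = re.compile(r"connect from \S+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_mx(zone_text):
    """Return (priority, host) pairs for the MX lines in a zone excerpt."""
    records = []
    for line in zone_text.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2)))
    return sorted(records)


def stray_mx_hosts(records):
    """MX hosts that are not the filtering provider's.

    Any such host is a delivery path that skips the filter entirely,
    regardless of its priority value.
    """
    return [host for _, host in records if not host.endswith(FILTER_MX_SUFFIX)]


def bypass_connections(log_text):
    """Count inbound SMTP connections from outside the provider's relay ranges.

    On a correctly locked-down origin server this should be empty; each
    entry is a sender that reached the mailbox server without being filtered.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in FILTER_NETWORKS):
            hits[str(ip)] += 1
    return hits


if __name__ == "__main__":
    for host in stray_mx_hosts(parse_mx(ZONE)):
        print(f"MX still points at non-filter host: {host}")
    for ip, n in bypass_connections(SMTPD_LOG).most_common():
        print(f"{n} direct connection(s) bypassing the filter from {ip}")
```

The usual fix for the second finding is a firewall rule or an smtpd access restriction that only admits the provider's relays on port 25, so that the MX redirection becomes enforced rather than advisory.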

What is the message from this story for small and medium-sized businesses who can't afford information security expertise in-house?

"No matter what the company size, I advocate outsourcing where the numbers make sense, where the benefits are clear-cut, and where the risks are both well-defined and manageable. In this case, in the short term, it was less about infosec expertise, and more about solving a pressing business problem. Longer term, it helps me optimize our use of resources - both preserving our modest internet pipe for valid traffic rather than screening out spam, and allowing my staff to focus on supporting other areas of the business. Additionally, while we still 'own' the service delivery to our users, it makes sense to outsource this piece to a company that specializes in this particular service, and thus has more depth of knowledge than I can afford, and delivers economies of scale that are passed along to me in the form of cost savings, better support, and more features than I could achieve locally for the same cost."


It was charming to hear a happy customer extol the rewards of an economical solution to a nasty problem. But, as refreshing as that exercise was, at the end of the conversation, I had to return to the Moscone Center, to continue this long day's journey into night.

As I reported in my coverage of the RSA Conference 2009 for CyLab's Cyblog, at the general sessions, in panel discussion after panel discussion, and on the threshing floor of the exhibit hall, almost everyone was babbling on about "cloud computing."

Whitfield Diffie, Vice President, Fellow and Chief Security Officer of Sun Microsystems, said he is "bullish on Cloud computing" and that it is the type of challenge "seen not more than twice before" in the space.

But Adi Shamir, Professor of Computer Science at the Weizmann Institute of Science in Israel, is "very worried about it." According to Shamir, we risk trading in "many small disasters for one big catastrophe."

"Now that we are possibly moving into the cloud," he elaborated, "we are facing a real danger of a hacker taking out one data center to catastrophic effect."

Bruce Schneier, Chief Technology Officer, BT Counterpane, said he is "bored with cloud computing." Although it is presented as a new paradigm, Schneier explained, "fundamentally, I do not see many differences, it is still about trust, it is a continuation of what we have been seeing."

And although Ron Rivest, Viterbi Professor of Electrical Engineering and Computer Science at MIT, described himself as "enthusiastic" over "Cloud computing," he quipped that "Swamp computing" might be a more appropriate term. Rivest also encouraged the attendees to consider the possible analogy with the derivatives craze that led to the current global financial crisis; in both instances, CEOs derive benefits while off-loading risks, and there could be similarly severe consequences.

But perhaps the most important insight on "the Cloud" came from Gary McGraw, CTO for Cigital (www.cigital.com), and author of several worthy tomes.

His latest book, Exploiting On-Line Games (Addison-Wesley, 2007), was also the subject of a panel McGraw led at RSA 2009. [McGraw discusses the issue in this podcast as well.]

In his opening remarks, McGraw welcomed the scattering of attendees to the "edge of technology," and declared "what we are talking about is the future of software security." There are so many people out on the exhibit hall floor hawking the so-called Cloud, "even though they have no idea what it means." But online games are massively distributed systems. "They put nine gigabyte globs in everybody's box."


After the conference I followed up by interviewing McGraw for the CyLab Business Risks Forum, and asked him to expand on his comment.

"Online games, like World of Warcraft (WoW), are massively distributed. They have fat clients, millions of them, and server farms that are all over the planet. And it is what, in marketing land, we are calling Web 2.0, or 'Cloud computing,' or flavor of the day. So if we want a case study of the future, we need look no farther than on-line games. If we understand what is going on with security, and cheating, and economics, and the law, and the technology concerns, all at the same time, we have a very small but important crystal ball."

Poignantly, McGraw's fascinating panel discussion on this "edge of technology" was held in a half-empty room, while next door there was standing room only for a session on "Seven Most Dangerous New Attack Techniques and What's Coming Next."

Yes, we are at a profound moment.

But how can we meet the challenge of this profound moment if we are constantly scrambling to catch up, and always in reactive mode?

This is one of three big problems that seriously impede our best efforts to optimize cyber security, and all that I saw, heard and discussed at the RSA Conference 2009 put these three big problems into stark relief:

First, in the realm of cyber security one of the most glaring and persistent problems is that the "good guys" always seem to be way behind the "bad guys," and scrambling desperately to keep up. Cyber security as a field has been mostly reactive. It is always at best a few steps behind the adversary: plugging holes after they are revealed, developing defenses after attacks are carried out successfully, designing technologies around what attackers have already done instead of what they will do in the future, articulating security programs that are always looking backward instead of forward. To achieve the lofty goals of securing the US government's information systems in the 21st Century, and to increase the odds of success for the economic stimulus package, we must change this dynamic; we must put the good guys ahead of the bad guys in cyberspace.

Nothing is more worthy of stimulus funding than academic research into cyber security, bold research that plants our flag upstream of the nefarious and the ill-willed, and takes sovereignty over the future by building industrial and personnel capacity, i.e., dazzling security technology transfers and sophisticated cadres of security technologists. (And don't think I am stressing this issue because of my affiliation with such a program, I was stressing the importance of it over a decade ago, in the US Senate "Nunn" hearings on Cyber Security, at which I testified in my role as Editorial Director of the Computer Security Institute.)


Second, arguably the greatest threat to the cyber security of the nation does not arise from the dark side of the human psyche or some fatal flaw in a dominant operating system or application; it comes, instead, from our own inability, in both government and business, to address the organizational issues that hamstring our best-intentioned efforts to secure the nation's quadrant of cyberspace. Cyber security in both government and business has suffered from a lack of leadership at the top, a lack of meaningful mandate from the top, and, in government particularly, from a lack of continuity and unity of vision across departments, agencies and administrations.

No, Melissa Hathaway did not disclose the findings of the 60-day review of US national cyber security ordered by President Obama and delivered to him just prior to her keynote remarks at RSA 2009, although from the influx of media in the hour or so before her hastily scheduled remarks during that afternoon's keynote session, it is clear that many expected she would. But Hathaway did seem to more than hint at one important finding, i.e., that the White House must lead. Because cyber security is a national security issue, and no single agency in government could possibly oversee it for the whole of the government, the leadership must be centered in the White House.

That is (or hopefully shall be) as it should be.

If only more corporate leadership would recognize the need for robustness in the governance of enterprise security. (For more on this vital issue, see To Govern or Not to Govern in CSO Online, 12-2-08)

Third, and most important, cyber security suffers from the lack of a great transformative metaphor. We need to find a 21st Century vision worthy of this 21st Century challenge. Cyber security suffers from being conceptualized as an architecture, and indeed as merely a subset of IT architecture: on the white board, all that an IT architecture is is an orderly representation of networks, hubs, servers, workstations and clouds, and cyber security is simply another layer within that representation, a stratum of firewalls, authentication servers, intrusion detection devices, etc. positioned strategically throughout the greater IT architecture. This view of cyber security as flat, technology-centric and wholly subservient to the general IT environment limits and distorts the role of cyber security. A truly 21st Century cyber security architecture for the enterprise would not take as its model the blueprint of a building, or present itself as simply a subset of IT. A truly 21st Century cyber security architecture would take into account the physical space and the psychological space as well as the digital space; it would be informed not only by technology, but also by economics, psychology, anthropology, criminology, and other disciplines. The vision of cyber security as a web, an organic structure, would be more useful than that of cyber security as a blueprint. After all, in the 21st Century, the web of life has become interdependent and intertwined with the web of digital information; therefore, we envision the web of security as a third dimension, one that also becomes interdependent and intertwined and serves to strengthen and enhance the vibrancy, resiliency and health of the other two webs.

Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab and a frequent contributor to CSO Magazine. He writes, speaks and consults on security, risk and intelligence issues. He has conducted executive briefings and led professional training in forty countries. Power is the author of five books. Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tohmatsu and Editorial Director of the Computer Security Institute.