Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Cybersecurity coordinator’

Why Are There Still So Many Problems with The Federal Cybersecurity Effort?

Thursday, April 15th, 2010

On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director Stephen Chabinsky gave this ominous statement: “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”

With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake-up call pointed to the fact that the Federal government:

  1. Is way behind on intrusion detection. Schmidt stated, “as far as enterprise-wide intrusion detection goes, it falls under the category of, ‘Why haven’t we done that already?’”
  2. Has not put its money where its mouth is. The federal government hasn’t done enough to fund cybersecurity training programs or scholarships.
  3. Has so far failed to coordinate Cybersecurity efforts across federal agencies.

If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!

Schmidt, a security veteran, is clearly frustrated by what he is finding. The rest of us should be outraged.

Let’s hope that the President, Congress, DHS, DOD, and NSA can get their act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.

Feds Change Cybersecurity Strategy — Again

Friday, February 12th, 2010

Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connections (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI), which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.

Unless you are somewhere between Foggy Bottom and Independence Ave. SE, you are probably confused by all of these acronyms, so allow me to explain.

Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem — decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections.

I believe the ultimate goal was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.

Okay, now fast-forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services, summed this up as follows: “Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.”

Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:

  1. It was never linked to network engineering or architecture. Those Internet connections aren’t there by accident. Yes, it is smart to minimize the number, but reducing thousands to 50 would have to mean a “rip and replace” of the whole Federal network.
  2. It ignores network evolution. Data center consolidation, web-based apps, and cloud computing demand network flexibility and Internet connectivity. Reducing the number of Internet connections could be counter-productive here.
  3. It wouldn’t work. Did OMB really think that DOD, NSA, or Homeland Security would go along with this? My guess is that these agencies thumbed their noses and other civilian agencies followed.

The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC — and then totally reverse course. Someone should be held accountable.

I predict that the next shoe to drop will be some type of pull-back from the Einstein Project — a DHS/US-CERT/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others.

I’m sure President Obama’s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let’s hope he introduces some pragmatism into high priced Federal cybersecurity plans before we waste another few hundred million.

House Cybersecurity Bill Passes. What’s Next?

Wednesday, February 10th, 2010

There is little doubt that President Obama and the 111th Congress are prioritizing cybersecurity initiatives.

The President outlined his plan last May and appointed Howard Schmidt as his Cybersecurity Coordinator late last year. As for the 111th Congress, it passed the Federal Data Breach Bill (H.R. 2221) earlier this year, and just last week the House passed the Cybersecurity Enhancement Act (H.R. 4061) by an overwhelming vote of 422 to 5.

Just what is the Cybersecurity Enhancement Act? The bill is really focused on cybersecurity research, development, and training. Agencies participating in the National High-Performance Computing Program must provide Congress with a cybersecurity research plan, update an R&D implementation plan annually, and create new plans every three years. Additionally, the bill funds NSF cybersecurity scholarships in exchange for post-graduation government service. The bill also seeks to build cybersecurity collaboration between academic, government, and international institutions and pushes the development of technology standards for cybersecurity.

On balance, this is a good bill that certainly heads in the right direction. That said, I have a few suggestions for fine-tuning this bill as it moves along:

  1. Start earlier. In South Korea, 2nd graders receive training on how to be a good Internet citizen. A cybersecurity bill (either this one or a follow-on) should fund K-12 cybersecurity programs as well. Young children on the network are at least as vulnerable as adults.
  2. Push for continuing education. It is ironic that with the unemployment rate as high as it is, many security positions remain unfilled. Unemployed or underemployed adults with mortgages and children would enthusiastically participate in cybersecurity training if it were available. Note to the President: This should be a funding priority as it is all about 21st century job creation.
  3. Broaden cybersecurity training. Yes, we need firewall administrators and security researchers, but we also need security professionals who have strong business, legal, and social sciences skills. This position was well articulated to Congress in June of 2009 by Cornell Professor Fred B. Schneider. We need to create a holistic security program, as Dr. Schneider suggests, that produces professionals who understand security technologies and their implications for business, law, and society.

One other note about the legislation: The stipulation that calls for a new R&D plan every 3 years is misguided. Security threats change on a weekly basis so three years is far too long a timeframe.

With all of my suggestions aside, I applaud the 111th Congress for truly collaborating on this important legislation. I strongly urge the Senate and President to fast-track this bill.

Howard Schmidt Appointed as New Cybersecurity Coordinator

Tuesday, December 22nd, 2009

To quote former President Gerald Ford, “our long national nightmare is over.” After his famous cybersecurity policy speech in late May, President Obama has finally tapped Howard Schmidt to become the nation’s first Cybersecurity Coordinator. Schmidt will report to the National Security Council (NSC) and National Economic Council (NEC).

Is Schmidt the right person for this job? No question. Schmidt has a perfect public/private sector resume with experience at US-CERT, DHS, the U.S. Air Force, the White House, Microsoft, and eBay. He is also a well-respected father figure in the security industry.

Schmidt’s appointment makes sense though it did come as a bit of a surprise. One would have assumed that Schmidt’s name was on the short list back in May. My guess is that Schmidt turned down the job at first but when the President struggled to fill this position (rumor has it that RSA’s Art Coviello, Symantec’s John Thompson, and Microsoft’s Scott Charney turned it down), Schmidt decided to take the job out of a sense of duty and service to the country.

The President is scheduled to formally introduce Schmidt today and my hope is that Howard starts his new gig tomorrow. Believe me, I’m not joking here. On day one, Schmidt must begin to address several major challenges such as:

  1. Sophisticated adversaries. On the day that Schmidt was announced, the major security story centered on a multi-million dollar cybersecurity attack on Citigroup last summer. Citigroup is no security lightweight, so if its systems can be compromised there are a lot of sitting ducks out there. Cyberwar is a real threat in the next decade.
  2. A cybersecurity hot potato. As of this writing, there are a number of cybersecurity bills in committee and a lot of rhetoric on the Hill. Meanwhile, DHS, DOD, and NSA have complementary and competitive cybersecurity roles that need to be ironed out. There has also been massive spending on cybersecurity — some useful and some wasteful. We desperately need a non-elected leader to separate cybersecurity needs from politics and pork.
  3. A real lack of knowledge. Cybersecurity knowledge is in short supply. Business guys know they need to do something but are unsure what to do. Technologists often look at security in myopic terms related to IT. Consumers haven’t a clue. We need a federally-driven education program that spans public awareness campaigns all the way through scholarships and continuing education.

This is just the proverbial tip of the iceberg. Schmidt deserves kudos for taking on this nearly impossible job. Have a happy holiday, Howard, and thank you for stepping up to this challenge.

Cybersecurity Coordinator Political Hot Potato

Friday, November 6th, 2009

President Obama had it right when he said that he would make cybersecurity a priority of his administration. That was back in May, and things have progressed since then. For example, just last week, DHS Secretary Janet Napolitano cut the ribbon on the new National Cybersecurity and Communications Integration Center (NCCIC), a new cybersecurity command-and-control data center in Arlington, VA.

That said, a visible gap in the President’s plan remains. At his press event in May, the President promised to appoint a cybersecurity coordinator as a member of the National Security Council (NSC) and National Economic Council (NEC). Unfortunately, this position remains open.

Over the past few months, the cybersecurity coordinator position has become a proverbial political football. First, the Bipartisan House Cybersecurity Caucus sent a letter to the President urging him to fill this role as soon as possible. This advice has since been echoed by Representative Yvette Clarke (D-NY) and the tech industry group TechAmerica.

While the pressure on the President mounts, others on Capitol Hill are also chiming in. Senator Joseph Lieberman (I-CT) agrees that the cybersecurity coordinator role should reside in the White House, but the Senator plans to introduce a bill that specifies the cybersecurity coordinator’s role and wants to require a Senate confirmation for the individual. Meanwhile, Lieberman’s colleague Senator Susan Collins (R-ME) has been extremely vocal in her opposition to this plan. She believes that the cybersecurity coordinator should report into DHS and not the White House.

Note to Washington: Political wrangling like this is exactly why most Americans remain cynical; it seems like Washington is the place where critical issues go to die.

Personally, I believe that the cybersecurity coordinator needs to be in the White House and extremely visible to the president — not buried in the biggest bureaucracy in the land — but that’s my opinion. Aside from this, however, I believe we need to appoint a cybersecurity coordinator ASAP and then make adjustments to this person’s responsibilities, relationships, and reporting structure over time. Cybersecurity is a critical issue that needs immediate attention, not more debate and analysis.

Two other notes to Washington:

  1. Cybercriminals are not waiting around for you guys to make up your collective minds. Every day you delay is costing American citizens and businesses a lot more money.
  2. If there is a major cybersecurity attack soon, these delays will mean that Washington will be held accountable. Must we learn this way again?
© 2011 Enterprise Strategy Group, Milford, MA 01757