Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘DOD’

Apple and Google Make the Department of Defense Jump Through Hoops for Mobile Device Security

Thursday, December 9th, 2010

Despite the unseasonably cold weather, I participated in a mobile security event yesterday at the historic Willard hotel in Washington DC. I set the stage and presented a bunch of ESG Research data on mobile device use, security, and management. Other organizations presenting included the Defense Information Systems Agency (DISA), the (NRC), the US Patent and Trademark Office, and Juniper Networks.

It turns out that DISA is doing some very interesting things around mobile computing. For example, members of the US military can access an information portal called Defense Knowledge Online from their mobile phones. DISA also talked about a program called Go Mobile meant to provide numerous communications, training, and collaboration applications to mobile soldiers.

Since we are talking about the US Department of Defense, mobile device security is a critical requirement for this program so Go Mobile includes user authentication, secure data storage and transfer, secure device management, etc.

Initially Go Mobile was built for Blackberry devices but DISA is now adding support for Apple iPhones and Android phones because of high demand from users. Unfortunately, adding iPhone and Android support is more difficult than DISA anticipated. Why? Because both Apple and Google refuse to give DISA access to their security APIs so DISA had to do a series of workarounds to meet its security requirements. For example, DISA had to add an external Bluetooth device to provide secure personal networking capabilities because Apple wouldn’t provide API access to its iPhone security stack.

Hold the phone here! Apple and Google aren’t willing to provide additional technical support to the United States Department of Defense? Nope. One person I spoke with from DOD said that Apple flat out refused to play ball, telling DOD to “talk to our integrators and carriers.”

I understand that Apple and Google want to control their technology. If Citi or GE asked for API access, perhaps it would make technical sense to refuse but we are talking about the Department of Defense here.

Apple and Google have a market advantage and they know it — Androids and iPhones are so popular that Apple and Google can thumb their noses at DOD. In most cases, DOD would exercise cyber supply chain security best practice and refuse to purchase insecure Androids or iPhones at all. The fact that DOD is going the extra mile and developing workarounds demonstrates that it is willing to do the right thing for American troops in spite of this lack of industry cooperation.

It seems to me that Apple and Google are making self-centered bad decisions here that won’t play well with the American public. Clearly, Apple and Google should re-think these myopic and selfish policies. Providing API access to DOD is the patriotic and moral thing to do, especially since DOD is opening the door to lots of sales opportunities for both companies.

Corporate Executives Remain Lukewarm on Cyber Security

Thursday, December 2nd, 2010

What’s needed for strong cyber security? Good security policies, processes, and technology safeguards, of course, but highly-secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.

In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e., electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:

  • 25% selected: “Excellent, executive management is providing an optimal level of investment and support”
  • 49% selected: “Good, executive management is providing an adequate level of investment and support but we could use more”
  • 21% selected: “Fair, executive management is providing some level of investment and support but we could use much more”
  • 2% selected: “Poor, executive management is providing little to no investment and support”
  • 3% selected: “Don’t know/No opinion”

Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised.

I believe there are several problems here:

  1. Executive management doesn’t understand the risks and thus simply eschews cyber security investment.
  2. Security professionals speak in a geeky dialect that executives can’t understand, creating a communications gap.
  3. Many executives believe that a security incident would result in an inconvenience and a slap on the wrist rather than a major service outage.

It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost — period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically-challenged 60-year-old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.

Are IT Vendors Getting a “Free Pass” On Cyber Security?

Wednesday, December 1st, 2010

Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.

Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. Unfortunately, this type of security due diligence is usually not performed.

According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:

  1. Only 31% of the critical infrastructure organizations surveyed always audit the security processes of their strategic software vendors (i.e., business applications, productivity applications, databases, operating systems, etc.). As bad as this is, even fewer organizations always audit their strategic infrastructure vendors (i.e., servers, storage, networking, security devices, etc.), professional services vendors, or VARS/distributors.
  2. When critical infrastructure organizations do conduct security audits, the audits tend to vary by vendor. Only 33% say that “all vendor security audits follow the same standard processes and procedures.” This means that some vendors get put through the proverbial grinder while others get a superficial inspection.
  3. In many cases, vendor audits seem to be a “check box” activity rather than a true security requirement. Forty-seven percent of critical organizations say that they “prioritize vendors that achieve a desired security profile but still may buy from other vendors.” In other words, a secure product/vendor may be pushed aside and substituted with an insecure alternative.

Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.

In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.

Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security–or insecurity–carte blanche.

Critical Infrastructure Organizations Want Cyber Security Help From the Government

Tuesday, November 30th, 2010

ESG recently published a new Research Report titled “Cyber Supply Chain Security Vulnerabilities Within The U.S. Critical Infrastructure.” The report can be downloaded here.

As part of the survey, we asked respondents whether the U.S. Federal Government should be more active with cyber security strategies and defenses. Most respondents believe that the answer is “yes;” 31% said that the U.S. Federal Government should be “significantly more active with cyber security strategies and defenses” while 40% believe that the feds should be “somewhat more active with cyber security strategies and defenses.”

Okay, but what exactly should the government do? ESG asked this question as well–here are the results:

  • 42% said, “create and publicize a ‘black list’ of vendors with poor product security”
  • 42% said, “create better ways to share security information with the private sector”
  • 39% said, “enact more stringent cyber security legislation along the lines of PCI”
  • 39% said, “provide incentives (i.e., tax breaks, matching funds, etc.) to organizations that improve cyber security”
  • 36% said, “amend existing laws to hold IT vendors liable for security problems associated with their products”
  • 32% said, “enact legislation with higher fines for data breaches”
  • 26% said, “limit government IT purchases to vendors that demonstrate a superior level of security in their products and processes”
  • 23% said, “promote the use of FIPS-140 and common criteria certified products in the private sector”
  • 23% said, “provide funding for cyber security funding and education”
  • 22% said, “adopt and fund a public service campaign around cyber security education”

Interesting mix of carrot and stick suggestions. I don’t think the IT industry would be too thrilled with “black lists” or changes in liability laws, so expect lobbyists to push for federal incentives and programs.

One other interesting note here: Heavily regulated critical infrastructure organizations with the highest levels of security were most likely to push for more stringent regulations. It appears that something is lacking in current cyber security legislation that heavily regulated organizations recognize and want to change.

New ESG Research Report Points To Security Vulnerabilities In the US Critical Infrastructure

Monday, November 29th, 2010

In 1998, then President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack to its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Directive 63 (PDD-63).

Soon after PDD-63, Deputy Defense Secretary John Hamre cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”

It’s been 12 years since this dire warning and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review, and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. . . we’re not as prepared as we should be, as a government or as a country.”

The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become more vulnerable in the future without decisive near-term action.

ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:

  1. Sixty-eight percent of the CIKR organizations surveyed suffered at least 1 security breach in the last 24 months. Alarmingly, the organizations with the strongest security policies, procedures, and defenses suffered the highest number of security breaches. It is possible that security-challenged CIKR organizations are under attack but lack the security skills and tools to remediate security incidents.
  2. Twenty percent of those surveyed rated their CIKR organization’s security policies, procedures, and technology safeguards as “fair” or “poor.”
  3. Seventy-one percent of survey respondents believe that the threat landscape will get worse in the next 24-36 months (26% believe it will be “much worse”).
  4. Almost one-third of respondents (31%) believe that the US Federal Government “should be significantly more active with cyber security strategies and defenses.”

Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT–technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured through informal agreements and security data sharing.

In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.

Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk and more action. Hopefully, this report helps accelerate this activity.

DISA, Cloud Computing, and The Last Mile in Afghanistan

Thursday, October 28th, 2010

If you’re interested in cloud computing, you should look into the activities at the Defense Information Systems Agency (DISA). DISA provides complex IT services for DoD including network services, computing services, and complex application development services. DISA is also a leading example of cloud computing in the U.S. Federal government. For example, it has created its Rapid Access Computing Environment (RACE) to automatically provision resources for application testing and development. RACE is complemented by FORGE.mil, a series of open source collaborative development components. DISA will also lead the effort to consolidate thousands of e-mail and Sharepoint domains across the military into global enterprise services.

I participated in the Virtualization, Cloud, and Green Computing summit in Washington DC for the past few days and heard a review of DISA’s cloud progress from its CIO, Henry Sienkiewicz. Henry was talking leading edge stuff and as a geeky analyst, I was all ears.

When it came to the Q&A portion of his presentation however, I was quickly brought back to earth by the reality of DISA’s mission. The first question came from an Air Force officer who was leaving Washington DC that evening headed back to the Middle East. In contrast to the whiz-bang cloud computing efforts in Washington, the officer asked what DISA could do to help with network communications in Afghanistan. Both the Army and Air Force are responsible for IT activities in theater and they go about their business in different ways. Army people tend to go in and set up quickly, ready to move IT assets at any time. The Air Force on the other hand takes a more strategic view and sets up for longer engagements. Neither approach is right or wrong–the problem is that Army and Air Force troops don’t really coordinate their efforts leading to redundancy, inefficiency, and IT downtime.

The second real problem is bandwidth. While we here in the States have a choice between fiber providers, there isn’t any glass in the ground in Afghanistan. Army guys may run fiber and then leave it in the ground when they leave, but most communication is based upon satellites. This makes for a very thin pipe–not nearly enough to take advantage of rich DISA cloud applications running in Ft. Meade, MD.

CIO Sienkiewicz said he was aware of the problems and responded to the requests in general terms. When I spoke to the Air Force officer later, he told me that Sienkiewicz approached him after his talk to reassure him that he understood his plight. It seems that DISA’s CIO started his career in the Army infantry so he was extremely empathetic. Sienkiewicz really doesn’t own this problem, but my guess is that he will try and work with others at DoD to fix it.

There is a lesson to be learned in this dialogue. We in IT love to work on vision and hate to fix the mundane things that are broken. The Air Force officer’s issue is nothing new–telecommunications carriers have been struggling with the “last mile” of the network forever. In this case however, the last mile isn’t between a telecom CO and a residential neighborhood demanding HDTV, it is between “boots on the ground” and command-and-control units engaged in life-and-death communications. Cloud computing rapid deployment, resource optimization, and burstable capacity-on-demand are extremely beneficial, assuming we have the networks in place to take advantage of these resources. For the sake of our troops, let’s all hope that these prosaic yet critical network issues are addressed ASAP.

Dell Warns of Malicious Code on Server Motherboards

Thursday, July 22nd, 2010

A recent Network World article stated that Dell is warning customers that a small number of PowerEdge server motherboards sent out through service dispatches may contain malware.

Dell is doing the right thing by alerting potentially impacted customers, but questions remain:

  1. How did the malware get there?
  2. Were the motherboards assembled in a certain place or by a specific manufacturer?
  3. What processes does Dell (and other server vendors) have in place to ensure that this doesn’t happen?

I could go on and on.

To me, the Dell incident demonstrates an important but relatively unknown concept called cyber supply chain assurance. Servers, software, and other IT equipment are made up of millions of lines of code, a potpourri of components, and hundreds or even thousands of specialized electronic gear. If any one of these elements is compromised, the whole enchilada could be a ticking time bomb. Malware on a server motherboard is just the beginning.

A bit of a tangent: back in 2004, the U.S. federal government issued a report stating that only 21% of semiconductor manufacturing remained in the United States while the bulk of capacity was migrating to China. This caused great concern in the Department of Defense, as most of our weapons systems, communications, and logistics depend upon IT. This led to the creation of the Trusted Foundry program, a DOD/industry initiative to ensure domestic microprocessor design and manufacturing capabilities.

I bring up this example to illustrate a point. DOD realized that it was dependent upon technology and thus vulnerable to a breach of the cyber supply chain. Outside of the defense community, however, cyber supply chain risk management is nearly invisible. While the Dell incident is minor and seems contained, it is a further warning about the risk we all face. Let’s hope it wakes up some security professionals outside of the Pentagon.

Interesting Audience Data from the Symantec Government Symposium

Friday, June 25th, 2010

Earlier this week, I participated in the Symantec Government Symposium, an event dedicated to IT and security professionals in the U.S. Federal government. As part of her kickoff presentation, Symantec Federal GM, Gigi Schaum, asked for audience responses to three questions. Here are the questions and the interesting responses:

  1. Has the state of cybersecurity improved over the last 12 months?
     • 55% of the audience responded “no”
     • 45% responded “yes”
  2. Which of the following represents the biggest cybersecurity threat?
     • 40% responded “hostile foreign nations”
     • 39% responded “lack of federal security standards”
     • 21% responded “organized crime”
  3. Who has the most impact on cybersecurity?
     • 38% responded “industry”
     • 26% responded “DHS/DOD”
     • 21% responded “the White House”
     • 15% responded “Congress”

My take is as follows: Cybersecurity is worse than it was 12 years ago — there are more threats and the threats have become more sophisticated. The nation has been effectively treading water in that time frame so the gap continues to grow. President Obama’s focus on cybersecurity and his appointment of Howard Schmidt were positive moves but not enough.

I agree that hostile foreign nations represent the biggest potential threat but on a day-to-day basis, organized crime is picking our pockets. To some extent, this response concerns me because it casts security into a military category. It is also interesting that 39% said “lack of federal security standards.” These people were either looking myopically at the Federal space alone, or believe that the Feds haven’t stepped up with cybersecurity leadership. The former answer reflects insular Washington, the latter is absolutely true.

As for the final question, I couldn’t agree more. If 80% of the critical infrastructure is in the private sector as the President suggests, then industry must be a major part of the solution. This “public/private” partnership has also been lagging.

In total, these answers tell me that things are getting worse and we aren’t doing enough. Pretty scary stuff.

Cyber Stowaways

Wednesday, April 21st, 2010

Here is another must-read New York Times article providing more details about the cyber attack at Google:

Apparently the bad guys became cyber stowaways — unwelcome and undetected network occupants. Once network access was secured, the cyber stowaways fished around until they found the source code to Google’s password system that controls access by millions of users to Google services. While Google has since added new layers of security, it is still possible that the attackers inserted a Trojan Horse/back door in the password system or studied the code to discover other software vulnerabilities.

Google has some of the smartest software engineers in the world so it is likely that they can stay one step ahead of the bad guys, but the lessons of the Google breach should send up a red flag elsewhere for several reasons:

  1. The actual incursion occurred well before the actual attack, making the attackers cyber stowaways as described above. This was also true elsewhere (Heartland, TJX, etc.). The scary thing is that if Google can’t detect and remediate an attack, what hope do more pedestrian organizations have?
  2. Once inside, the bad guys have carte blanche to poke around and find anything of value. In fact, the longer a cyber stowaway remains undetected, the more value each incursion reaps. Did cyber criminals penetrate Google to steal the Gaia (i.e., password management) software or did they stumble upon it as they scanned the network? I can’t answer that question but I know the results are pretty bad either way.
  3. This event makes you wonder what other source code has been stolen by cyber stowaways. Heck, some of these attacks may still be underway. Imagine the impact if cyber criminals stole the password system at Bank of America. Yikes!

The bad guys are extremely good at what they do and in many cases, we are several steps behind. There could be cyber stowaways on lots of major commercial, government, and military networks just sitting there, biding their time, and waiting for the right opportunity or target. I hope this realization is now emanating in corporate boardrooms, Congress, DHS, DOD, and NSA.

Venture Capitalists MUST Invest More in Cybersecurity

Friday, April 16th, 2010

There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7. What’s more, the pool of VC money is spread over 681 companies–a 7% increase from Q1 2009.

Good, but not great news. Most of the dough is going to biotech companies while investment in clean technology tripled.

The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.

While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.

Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.

I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply-side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.

Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.

  1. Co-invest with In-Q-Tel. In-Q-Tel is a VC firm that came directly out of the CIA. On its web site, the firm’s mission statement reads as follows, “In-Q-Tel identifies and partners with companies developing cutting-edge technologies to help deliver these solutions to the Central Intelligence Agency and the broader U.S. Intelligence Community (IC) to further their missions.” The key here is to find the smartest security firms whose technology is good enough for the CIA, DOD, and NSA and can be adapted for commercial use. Given the recent string of private attacks, the private sector would welcome military-grade protection.
  2. Explore other direct federal funding. It’s likely that DARPA, NSF, DOE, and other agencies will have money to spend on cybersecurity research and development. Smart VCs will figure out ways to hedge their risks by getting these agencies involved.
  3. Partner with universities. UC-Berkeley, Carnegie-Mellon, MIT, Purdue, Johns Hopkins, and Cornell are all doing advanced research in various security disciplines. The VCs need to buddy up to these prestigious institutions and find investments that provide mutual benefits.
  4. Seek out Israeli money. Educated at Tel Aviv University and Technion and then saturated in security in the IDF, Israel produces some of the smartest security minds in the world. I’d like to see more American investment in Israel and more outreach to Israeli VCs from Sand Hill Rd.

The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.

© 2011 Enterprise Strategy Group, Milford, MA 01757