What’s needed for strong cyber security? Good security policies, processes, and technology safeguards, of course, but highly-secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.
In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e., electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:
Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised.
I believe there are several problems here:
It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost, period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically challenged 60-year-old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.
Tags: Barack Obama, CIP, Critical Infrastructure Protection, Cyber Coordinator, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt
Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.
Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. Unfortunately, this type of security due diligence is usually not done.
According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:
Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.
In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.
Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security (or insecurity) carte blanche.
Tags: Barack Obama, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt
ESG recently published a new research report titled “Cyber Supply Chain Security Vulnerabilities Within The U.S. Critical Infrastructure.” The report can be downloaded here.
As part of the survey, we asked respondents whether the U.S. Federal Government should be more active with cyber security strategies and defenses. Most respondents believe that the answer is “yes;” 31% said that the U.S. Federal Government should be “significantly more active with cyber security strategies and defenses” while 40% believe that the feds should be “somewhat more active with cyber security strategies and defenses.”
Okay, but what exactly should the government do? ESG asked this question as well; here are the results:
Interesting mix of carrot and stick suggestions. I don’t think the IT industry would be too thrilled with “black lists” or changes in liability laws, so expect lobbyists to push for federal incentives and programs.
One other interesting note here: Heavily regulated critical infrastructure organizations with the highest levels of security were most likely to push for more stringent regulations. It appears that something is lacking in current cyber security legislation that heavily regulated organizations recognize and want to change.
Tags: Barack Obama, Bill Clinton, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt
In 1998, then President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack to its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Directive 63 (PDD-63).
Soon after PDD-63, Deputy Defense Secretary John Hamre cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
It’s been 12 years since this dire warning and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review, and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. . . we’re not as prepared as we should be, as a government or as a country.”
The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become more vulnerable in the future without decisive near-term action.
ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:
Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT: technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured through informal agreements and security data sharing.
In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.
Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk and more action. Hopefully, this report helps accelerate this activity.
Tags: Barack Obama, Bill Clinton, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Howard Schmidt, John Hamre, PDD-63
If you watched any football games yesterday, you are well aware of the fact that October is National Breast Cancer Awareness Month. Kudos to the NFL for bringing national attention to this deadly disease and donating money to find a cure.
You are probably unaware, however, that October is also National Cybersecurity Awareness Month.
Over the course of the last year, we’ve witnessed visible cyber attacks on Google in January. We’ve seen the activation of the U.S. Cyber Command at Ft. Meade. At my last count, there were ten different bills in Congress related to cybersecurity, including, “The Protecting Cyberspace as a National Asset Act,” a comprehensive piece of legislation coming out of the Senate’s Homeland Security and Government Affairs Committee. Former “cyber czar” Richard Clarke published a new book titled, “Cyberwar.” Finally, we’ve recently witnessed the Stuxnet worm, a cyber weapon attacking the Iranian nuclear infrastructure.
I am providing this brief history to highlight a problem: if you aren’t a Washington cybersecurity insider, you would never know it is National Cybersecurity Awareness Month. Ironic? Yes, but also sad.
Now, I know it is early in the month and there is lots of further activity planned. I am also aware of the fantastic work driven by the National Cyber Security Alliance, an industry group spearheading the National Cybersecurity Awareness Month (www.staysafeonline.org). President Obama will step up and talk about cybersecurity and the indefatigable Howard Schmidt will be as vocal and visible as possible throughout October.
These folks deserve a lot of credit, but somehow the IT and security industries continue to offer lip service support for National Cybersecurity Awareness Month through their Federal offices alone. I did a quick website scan of leading IT and security companies this morning: only RSA Security mentioned National Cybersecurity Awareness Month on its website (Note: The acting NCSA President works at EMC/RSA).
My point here is that National Cybersecurity Awareness Month isn’t making enough people aware of cybersecurity vulnerabilities, education, or government initiatives. Why? It doesn’t appear to me like the industry really cares. Oh sure, there is a bit of token money to appease their clients in Washington, but where is the national spotlight? Beats me.
I was on this soap box last year and will continue to be until I’m proven wrong. I probably have 20 meetings scheduled with security industry insiders in October and I’ll ask each and every one of them if they know what month it is. My guess is that they will say National Breast Cancer Awareness Month.
Tags: EMC, Google, Howard Schmidt, National Cybersecurity Awareness Month, NCSA, President Obama, Richard Clarke, RSA, Stuxnet Worm, U.S. Cyber Command
Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .
At a very high level, the strategy calls for the formation of a standards-based, interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules for the entire ecosystem.
There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.
I will post my feedback on the official website, but a few of my suggestions are as follows:
There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.
The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.
Tags: BGPSEC, CA, Cyber Coordinator, DNSSEC, Federal Government, Howard Schmidt, HP, IBM, IPSec, Liberty, Microsoft, Microsoft Geneva, National Strategy for Trusted Identities in Cyberspace, nCipher, Novell, NSTIC, Open ID, Oracle, PGP, PKI, Project Higgins, RSA, Shibboleth, Symantec, Thales, Venafi, Verisign, Web services
Earlier this month, the House cybersecurity caucus launched a new website in order to “allow the public to have access to news and information in regard to cybersecurity policy.” The House cybersecurity caucus is chaired by Congressmen Jim Langevin (D, RI) and Mike McCaul (R, TX), and includes 18 other members. The site can be found at:
http://housecybersecuritycaucus.langevin.house.gov/
As of today, the site is a little light on content, with the latest news being an August 2 press release announcing the new web presence. The “facts and figures” and “resources” tabs are full of standard information available on many other sites. There is also a link to the now famous Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th President. A very informative document, albeit one that is nearly 2 years old.
No, not much here yet, but it’s summertime so I’ll give the congressmen the benefit of the doubt. When the House returns to work, however, I am hopeful that this site will serve a valuable purpose — as an aggregation point for Federal cybersecurity efforts. This should include but not be limited to:
I’ve met Congressman Langevin several times and I truly believe he is sincere in his desire to rein in the endless Washington lobbying and champion real cybersecurity progress in the U.S. Federal government. The public has a right to demand action while staying informed. Those over 40 remember the infamous DOD “$500 hammers” in the 1980s and don’t want to see real cybersecurity concerns turn into spending boondoggles.
The House Cybersecurity Caucus site could provide a valuable public service if it helps aggregate disparate activities and acts as a Federal cybersecurity information hub. If this site is not intended to do this, then another one should — perhaps White House Cybersecurity Coordinator Howard Schmidt can work with the House Cybersecurity Caucus to make this happen.
Addressing cybersecurity issues demands real information sharing, not just between security devices and SOCs, but between legislators and citizens. Let’s hope that the House Cybersecurity Caucus or some other Federal government site eschews political agendas and really educates and informs the American public.
Tags: CSIS, House Cybersecurity Caucus, Howard Schmidt, Jim Langevin, Mike McCaul
I’m just back from participating in the Symantec Government Symposium held yesterday in Washington DC. The event was extremely informative, with keynote presentations by Cyber Coordinator Howard Schmidt and Director of Plans and Policies for the U.S. Cyber Command Major General Suzanne M. Vautrinot. For my part, I sat on a cyber supply chain security panel with folks from DOD, DHS, and HHS.
On the plus side, the feds have a lot of good work going. There is a lot of government brainpower focused on scoping problems, evaluating funding priorities, changing cultural barriers, and defining security solutions. Kudos are well deserved.
With all of this effort, however, it is time to discuss a fundamental problem between the public and private sector: communications. The feds have a language all of their own, one chock full of agency-specific acronyms and a military flavor. Information security is called “cybersecurity” and there are lots of references to missions, objectives, command-and-control, etc. The word “assurance” is used constantly: software assurance, information assurance, cyber supply chain assurance, and so on. This is just the tip of the federal language iceberg.
In his famous May 2009 cybersecurity speech, the President proclaimed that:
For these things to happen, the federal government must realize that it needs to drop the inside-the-Beltway lingo and speak to the rest of us in common language. We don’t care which agency owns which initiative with acronym ABC. We don’t speak to each other about missions and battlefields and assurance. Many experienced IT and security professionals have no idea what NIST is or what it is doing. Like it, understand it or not, this is the truth.
The information security challenges we face are real and could be extremely damaging to the country, the economy, our way of life, and confidence in the government. We NEED the feds to step up, but we shouldn’t have to learn a new language or culture to make this happen. I already see the influence of this communications gap as most of the private sector has no clue about all the work going on in Washington; this is wasteful and a shame.
In his new book, Cyberwar, Richard Clarke does a great job of translating Washingtonese to common language. Good effort by Clarke, but the fact that he had to do this should be a red flag for all of us. If we can’t understand each other, we are doomed from the start.
Tags: Cybersecurity, Cyberwar, Howard Schmidt, President Obama, Richard Clarke
On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director, Stephen Chabinsky gave this ominous statement, “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”
With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake up call pointed to the fact that the Federal government:
If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!
Schmidt, a security veteran, is clearly frustrated by what he is finding. The rest of us should be outraged.
Let’s hope that the President, Congress, DHS, DOD, and NSA can get their act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.
Tags: cybercrime, Cybersecurity, Cybersecurity coordinator, DHS, Federal Government, Howard Schmidt, President Obama, Stephen Chabinsky
Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connect (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI) which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.
Unless you are somewhere between Foggy Bottom and Independence Ave. SE you are probably confused by all of these acronyms so allow me to explain.
Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem — decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections.
I believe the ultimate goal was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.
Okay, now fast forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services, summed this up as follows: “Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.”
Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:
The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC — and then totally reverse course. Someone should be held accountable.
I predict that the next shoe to drop will be some type of pull-back from the Einstein Project, a DHS/US-CERT/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others.
I’m sure President Obama’s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let’s hope he introduces some pragmatism into high priced Federal cybersecurity plans before we waste another few hundred million.
Tags: CNCI, Comprehensive National Cybersecurity Initiative, Cybersecurity, Cybersecurity coordinator, Federal Government, Howard Schmidt, OMB, President Obama, TIC, Trusted Internet Connect