Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘President Obama’

October is National Cybersecurity Awareness Month (Who Knew!)

Monday, October 4th, 2010

If you watched any football games yesterday, you are well aware of the fact that October is National Breast Cancer Awareness Month. Kudos to the NFL for bringing national attention to this deadly disease and donating money to find a cure.

You are probably unaware, however, that October is also National Cybersecurity Awareness Month.

Over the course of the last year, we’ve witnessed visible cyber attacks on Google in January. We’ve seen the activation of the U.S. Cyber Command at Ft. Meade. At my last count, there were ten different bills in Congress related to cybersecurity, including, “The Protecting Cyberspace as a National Asset Act,” a comprehensive piece of legislation coming out of the Senate’s Homeland Security and Government Affairs Committee. Former “cyber czar” Richard Clarke published a new book titled, “Cyberwar.” Finally, we’ve recently witnessed the Stuxnet worm, a cyber weapon attacking the Iranian nuclear infrastructure.

I am providing this brief history to highlight a problem: if you aren’t a Washington cybersecurity insider, you would never know it is National Cybersecurity Awareness Month. Ironic? Yes, but also sad.

Now, I know it is early in the month and there is lots of further activity planned. I am also aware of the fantastic work driven by the National Cyber Security Alliance, an industry group spearheading the National Cybersecurity Awareness Month (www.staysafeonline.org). President Obama will step up and talk about cybersecurity and the indefatigable Howard Schmidt will be as vocal and visible as possible throughout October.

These folks deserve a lot of credit, but somehow the IT and security industries continue to offer lip service support for National Cybersecurity Awareness Month through their Federal offices alone. I did a quick website scan of leading IT and security companies this morning: only RSA Security mentioned National Cybersecurity Awareness Month on its website (Note: The acting NCSA President works at EMC/RSA).

My point here is that National Cybersecurity Awareness Month isn’t making enough people aware of cybersecurity vulnerabilities, education, or government initiatives. Why? It doesn’t appear to me like the industry really cares. Oh sure, there is a bit of token money to appease their clients in Washington, but where is the national spotlight? Beats me.

I was on this soap box last year and will continue to be until I’m proven wrong. I probably have 20 meetings scheduled with security industry insiders in October and I’ll ask each and every one of them if they know what month it is. My guess is that they will say National Breast Cancer Awareness Month.

Interesting Audience Data from the Symantec Government Symposium

Friday, June 25th, 2010

Earlier this week, I participated in the Symantec Government Symposium, an event dedicated to IT and security professionals in the U.S. Federal government. As part of her kickoff presentation, Symantec Federal GM, Gigi Schaum, asked for audience responses to three questions. Here are the questions and the interesting responses:

1. Has the state of cybersecurity improved over the last 12 months?
   55% of the audience responded “no”
   45% responded “yes”

2. Which of the following represents the biggest cybersecurity threat?
   40% responded “hostile foreign nations”
   39% responded “lack of federal security standards”
   21% responded “organized crime”

3. Who has the most impact on cybersecurity?
   38% responded “industry”
   26% responded “DHS/DOD”
   21% responded “the white house”
   15% responded “congress”

My take is as follows: Cybersecurity is worse than it was 12 years ago — there are more threats and the threats have become more sophisticated. The nation has been effectively treading water in that time frame so the gap continues to grow. President Obama’s focus on cybersecurity and his appointment of Howard Schmidt were positive moves but not enough.

I agree that hostile foreign nations represent the biggest potential threat but on a day-to-day basis, organized crime is picking our pockets. To some extent, this response concerns me because it casts security into a military category. It is also interesting that 39% said “lack of federal security standards.” These people were either looking myopically at the Federal space alone, or believe that the Feds haven’t stepped up with cybersecurity leadership. The former answer reflects insular Washington, the latter is absolutely true.

As for the final question, I couldn’t agree more. If 80% of the critical infrastructure is in the private sector as the President suggests, then industry must be a major part of the solution. This “public/private” partnership has also been lagging.

In total, these answers tell me that things are getting worse and we aren’t doing enough. Pretty scary stuff.

Note to Washington: You Own the Information Security Communications Gap

Wednesday, June 23rd, 2010

I’m just back from participating in the Symantec Government Symposium held yesterday in Washington DC. The event was extremely informative, with keynote presentations by Cybercoordinator Howard Schmidt and Director of Plans and Policies for the U.S. Cyber Command Major General Suzanne M. Vautrinot. For my part, I sat on a cyber supply chain security panel with folks from DOD, DHS, and HHS.

On the plus side, the feds have a lot of good work going. There is a lot of government brainpower focused on scoping problems, evaluating funding priorities, changing cultural barriers, and defining security solutions. Kudos are well deserved.

With all of this effort, however, it is time to discuss a fundamental problem between the public and private sector: communications. The feds have a language all of their own, one chock full of agency-specific acronyms and a military flavor. Information security is called “cybersecurity” and there are lots of references to missions, objectives, command-and-control, etc. The word “assurance” is used constantly: software assurance, information assurance, cyber supply chain assurance, and so on. This is just the tip of the federal language iceberg.

In his famous May 2009 cybersecurity speech, the President proclaimed that:

1. Cybersecurity would be a top priority in his administration.
2. 80% of the critical infrastructure is controlled by the private sector.
3. We needed a stronger public/private partnership.

For these things to happen, the federal government must realize that it needs to drop the inside-the-Beltway lingo and speak to the rest of us in common language. We don’t care which agency owns which initiative with acronym ABC. We don’t speak to each other about missions and battlefields and assurance. Many experienced IT and security professionals have no idea what NIST is or what it is doing. Like it, understand it or not, this is the truth.

The information security challenges we face are real and could be extremely damaging to the country, the economy, our way of life, and confidence in the government. We NEED the feds to step up, but we shouldn’t have to learn a new language or culture to make this happen. I already see the influence of this communications gap as most of the private sector has no clue about all the work going on in Washington: this is wasteful and a shame.

In his new book, Cyberwar, Richard Clarke does a great job of translating Washingtonese to common language. Good effort by Clarke, but the fact that he had to do this should be a red flag for all of us. If we can’t understand each other, we are doomed from the start.

FedRAMP Seeks to Unify Cloud Computing Security Standards Across the U.S. Government

Wednesday, May 5th, 2010

Yesterday, I hosted a panel at the Cloud Computing summit focused on cloud security for the federal government. The panel was made up of some smart folks: Alex Hart from VMware, Bob Wambach from , and one of the primary authors of the Cloud Security Alliance guidelines, Chris Hoff from Cisco.

While these folks offered great contributions, most questions were focused on the fourth member of the panel, Peter Mell from NIST, the chair of the Federal Cloud Computing Advisory Council. Why? Let’s just say that Mell may be the single individual most focused on cloud security in the world. He has been tasked with defining cloud computing standards for the entire federal government, a big responsibility since President Obama and Federal CIO Vivek Kundra continue to trumpet the benefits of cloud computing and push federal agencies to adopt pilot projects.

Mell’s work will soon come to fruition when the feds introduce the Federal Risk and Authorization Management Pilot program (FedRAMP). FedRAMP has two primary goals:

1. Aggregate cloud computing standards. Today, many agencies have their own sets of standards, which complicates procurement and frustrates federally-focused technology vendors. FedRAMP is intended to consolidate cloud computing requirements into one set of standards that span the entire federal government.
2. Ease agency certification processes. Let’s say Microsoft’s federal cloud is FISMA-certified by the Dept. of Agriculture. In today’s world, this wouldn’t matter to any other agency: they would still be required to certify Microsoft’s cloud before procuring services. Kundra, Mell, et al. recognize the redundancy and waste here. With FedRAMP, once a cloud provider passes the Certification and Accreditation (C and A) of one agency, all other agencies get a free pass.

Since FedRAMP is still a work in progress, the audience made up of federal IT people had a lot of questions about all of the fine points. Thus Mell was in the hot seat for most of the time.

Peter Mell deserves a lot of credit. Federal agencies have often acted independently with regard to IT, so Mell and his team are herding cats.

If FedRAMP works, cloud service providers can deliver to a single set of standards. This will encourage innovation and bolster competition. On the agency side, FedRAMP could pave the way for a wave of cloud computing consumption over the next few years. What happens if FedRAMP fails? The federal government becomes difficult to service, so most cloud service providers treat it as a market niche. If that happens, the federal government could lose its cloud computing leadership and momentum very, very quickly.

Why Are There Still So Many Problems with The Federal Cybersecurity Effort?

Thursday, April 15th, 2010

On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director Stephen Chabinsky gave this ominous statement: “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”

With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake-up call pointed to the fact that the Federal government:

1. Is way behind on intrusion detection. Schmidt stated, “as far as enterprise-wide intrusion detection goes, it falls under the category of, ‘Why haven’t we done that already?’”
2. Has not put its money where its mouth is. The federal government hasn’t done enough to fund cybersecurity training programs or scholarships.
3. Has so far failed to coordinate cybersecurity efforts across federal agencies.

If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!

Schmidt, a security veteran, is clearly frustrated by what he is finding. The rest of us should be outraged.

Let’s hope that the President, Congress, DHS, DOD, and NSA can get their act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.

Feds Change Cybersecurity Strategy — Again

Friday, February 12th, 2010

Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connect (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI), which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.

Unless you are somewhere between Foggy Bottom and Independence Ave. SE, you are probably confused by all of these acronyms, so allow me to explain.

Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem — decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections.

I believe the ultimate goal was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.

Okay, now fast forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services, summed this up as follows: “Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.”

Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:

1. It was never linked to network engineering or architecture. Those Internet connections aren’t there by accident. Yes, it is smart to minimize the number, but reducing thousands to 50 would have to mean a “rip and replace” of the whole Federal network.
2. It ignores network evolution. Data center consolidation, web-based apps, and cloud computing demand network flexibility and Internet connectivity. Reducing the number of Internet connections could be counter-productive here.
3. It wouldn’t work. Did OMB really think that DOD, NSA, or homeland security would go along with this? My guess is that these agencies thumbed their noses and other civilian agencies followed.

The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC — and then totally reverse course. Someone should be held accountable.

I predict that the next shoe to drop will be some type of pull-back from the Einstein Project — a DHS/US-CERT/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others.

I’m sure President Obama’s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let’s hope he introduces some pragmatism into high-priced Federal cybersecurity plans before we waste another few hundred million.

House Cybersecurity Bill Passes. What’s Next?

Wednesday, February 10th, 2010

There is little doubt that President Obama and the 111th Congress are prioritizing cybersecurity initiatives.

The President outlined his plan last May and appointed Howard Schmidt as his Cybersecurity Coordinator late last year. As for the 111th Congress, it passed the Federal Data Breach Bill (H.R. 2221) earlier this year and just last week the House passed the Cybersecurity Enhancement Act (H.R. 4061) by an overwhelming vote of 422 to 5.

Just what is the Cybersecurity Enhancement Act? The bill is really focused on cybersecurity research, development, and training. Agencies participating in the National High-Performance Computing Program must provide the Congress with a cybersecurity research plan, update an R&D implementation plan annually, and create new plans every three years. Additionally, the bill funds NSF cybersecurity scholarships in exchange for post-graduation government service. The bill also seeks to build cybersecurity collaboration between academic, government, and international institutions and pushes the development of technology standards for cybersecurity.

On balance, this is a good bill that certainly heads in the right direction. That said, I have a few suggestions for fine-tuning this bill as it moves along:

1. Start earlier. In South Korea, 2nd graders receive training on how to be a good Internet citizen. A cybersecurity bill (either this one or a follow-on) should fund K-12 cybersecurity programs as well. Young children on the network are at least as vulnerable as adults.
2. Push for continuing education. It is ironic that with the unemployment rate as high as it is, many security positions remain unfilled. Unemployed or underemployed adults with mortgages and children would enthusiastically participate in cybersecurity training if it were available. Note to the President: This should be a funding priority as it is all about 21st century job creation.
3. Broaden cybersecurity training. Yes, we need firewall administrators and security researchers, but we also need security professionals who also have strong business, legal, and social sciences skills. This position was well articulated to Congress in June of 2009 by Cornell Professor Fred B. Schneider. We need to create a holistic security program, as Dr. Schneider suggests, that produces professionals who understand security technologies and their implications for business, law, and society.

One other note about the legislation: The stipulation that calls for a new R&D plan every 3 years is misguided. Security threats change on a weekly basis, so three years is far too long a timeframe.

With all of my suggestions aside, I applaud the 111th Congress for truly collaborating on this important legislation. I strongly urge the Senate and President to fast-track this bill.

Cybersecurity Coordinator Political Hot Potato

Friday, November 6th, 2009

President Obama had it right when he said that he would make cybersecurity a priority of his administration. That was back in May and things have progressed since then. For example, just last week, DHS Secretary Janet Napolitano cut the ribbon on the new National Cybersecurity and Communications Integration Center (NCCIC), a new cybersecurity command-and-control data center in Arlington, VA.

That said, a visible gap in the President’s plan remains. At his press event in May, the President promised to appoint a cybersecurity coordinator as a member of the National Security Council (NSC) and National Economic Council (NEC). Unfortunately, this position remains open.

Over the past few months, the cybersecurity coordinator position has become a proverbial political football. First, the Bipartisan House Cybersecurity Caucus sent a letter to the President urging him to fill this role as soon as possible. This advice has since been echoed by Representative Yvette Clarke (D-NY) and the tech industry group TechAmerica.

While the pressure on the President mounts, others on Capitol Hill are also chiming in. Senator Joseph Lieberman (I-CT) agrees that the cybersecurity coordinator role should reside in the White House, but the Senator plans to introduce a bill that specifies the cybersecurity coordinator’s role and wants to require a Senate confirmation for the individual. Meanwhile, Lieberman’s colleague Senator Susan Collins (R-ME) has been extremely vocal in her opposition to this plan. She believes that the cybersecurity coordinator should report into DHS and not the White House.

Note to Washington: Political wrangling like this is exactly why most Americans remain cynical; it seems like Washington is the place where critical issues go to die.

Personally, I believe that the cybersecurity coordinator needs to be in the White House and extremely visible to the president — not buried in the biggest bureaucracy in the land — but that’s my opinion. Aside from this, however, I believe we need to appoint a cybersecurity coordinator ASAP and then make adjustments to this person’s responsibilities, relationships, and reporting structure over time. Cybersecurity is a critical issue that needs immediate attention, not more debate and analysis.

Two other notes to Washington:

1. Cybercriminals are not waiting around for you guys to make up your collective minds. Every day you delay is costing American citizens and businesses a lot more money.
2. If there is a major cybersecurity attack soon, these delays will mean that Washington will be held accountable. Must we learn this way again?