Dear President Obama,
As America enters a new era that has already begun to reflect the leadership, the change, and the hope of your presidential campaign, it is imperative that we take this opportunity to implement a vision for how the United States and the world will securely and efficiently maximise the value of technology for the betterment of all.
We are experiencing unprecedented advances in technological innovation, but we are also losing ground in realizing gains from these advances due to increasing dangers posed by a rapidly evolving information security threat environment.
From organised criminal elements who prey on our inability to secure our information technology assets, to state-sponsored espionage that undermines the foundation of our strong nation, we can no longer sit idly by and hope things will change for the better or occur without action on our parts. We must demand freedom in our digital age and eliminate the fear that challenges our prosperity.
We look to you as a leader who not only understands but embraces technology to help us realise this dream of a prosperous, technologically advanced society. To that end I present thoughts intended to maximise the social benefits of advancing information technologies while increasing their safety born of decades of service to the security industry, to our society and to our country.
Communication and collaboration between the public and private sectors
To date, there have been many attempts to bridge the divide between the public and private sector in the information security space, but now more than ever it is critical that we work together to make these efforts successful.
Bringing security to cyberspace requires more than the efforts of elite organisations that operate in secrecy and behind the scenes, although clandestine operations against malevolent forces are important. National information security initiatives must emphasise cross-functional, cross-organisational, and cross-domain information sharing among our country’s best and brightest regardless of political affiliation or employer.
In the first 90 days in office your administration should seek to consolidate the efforts of Federal government organisations with information security responsibilities—civilian and military, clandestine and fully public—into a single organisation that is funded under a common objective to secure public and private critical infrastructure and reports directly to the administrations Chief Technology Office.
A forum for anonymous sharing of security incident information
Timely, 360-degree coordination and tracking of security incidents across the public and private sector will provide visibility into the state of the threat landscape and give information security professionals an important advantage over their adversaries.
This public-private information sharing must allow for companies to remain anonymous and not struggle with the dilemma of doing the right thing for fear of damaging their public image.
The US government should accommodate the interests of the private sector in communicating security incidents anonymously and enable public and private sector actors to respond quickly to fast-emerging and newly discovered threats.
In the first 90 days in office I suggest that the government increases resources available to the Department of Homeland Security’s US-CERT office and restructure information security intelligence reporting and information sharing that occurs between the various governmental and private agencies.
Additionally we should propose developing a “World CERT” organisation to expedite cross-country coordination, planning and incident response.
Eliminate the fear, uncertainty and doubt that plagues the information security discussion
Shawn Henry, Assistant Director of the FBI Cyber Division, recently told a conference (here) in New York that computer-based attacks pose the biggest risk “from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities.”
Assistant Director Henry continued: “Other than a nuclear device or some other type of destructive weapon, the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face.”
This sentiment is amplified in the private sector as security companies have proclaimed the profits of cybercrime to outstrip those generated from illegal drug trafficking. Granted, information security is a serious issue, but over-stating threats and projecting lurid consequences do not help us accurately assess problems and effectively resolve them.
While security threats present profound danger to society, we also need realistic understandings, rational thought and frank yet non-inflammatory dialogue to lead us to appropriate and effective actions.
Most of all, we need to fully understand the scope of the threat using language that enables communication and not fear. Over-blown rhetoric makes decision-making impossible and, over time, numbs the public to real threats and risks. “Crying wolf” does not do our country and the efforts to improve security of our critical infrastructure any favours.
In the first 90 days your administration should assemble a cross-functional task force headed by the Chief Technology Office to develop an initiative that allows us to understand the full scope of the cyber security problem and define communications that can explain the problem across every sector of our society.
Implement tax incentives for meeting base security compliance initiatives
As is noted below most organisations from all economic sectors have not mastered the basics required to maintain the health and improve the security of their computing infrastructures. Unfortunately, we have seen that due to the ubiquitous and interconnected connected nature of computing, a failure of even a few organisations to get on top of security issues can negatively affect everyone.
Regulatory initiatives driving compliance, such as Sarbanes Oxley (SOX), Payment Card Interface (PCI), Health Insurance Portability and Accountability Act (HIPAA), or others can increase awareness but often lack sufficient enforcement mechanism to drive organisations to comply, and if they do, comply in the most minimal ways necessary to avoid sanctions. We need both carrots and sticks, balancing tax incentives and enforcement mechanisms to move organisations from a minimal compliance culture to a do-the-right-thing culture in managing security risks and threats.
In the first 90 days of your administration the Chief Technology Officer should define a plan that enables both public and private sector companies to have a common language, a common set of technical guidelines, and mechanisms to reinforce security best practices with tax and other incentives.
Increase technology standards around basic infrastructure security
One of the biggest challenges to improving the effectiveness of most IT organisations security program is that even in 2009 most IT groups are unable to answer very basic questions, such as…
- How many computing devices do I own?
- How many devices are connected to the network right now?
- How many of these devices do we actively manage for security purposes?
- Of these how many comply with corporate policies?
To answer these questions, organisations must implement controls to provide real-time visibility and control into the state of all computing devices. As part of this, they must implement security configuration management programs that enable continuous compliance with defined security best practices. Furthermore, these visibility, management and compliance disciplines must also apply to mobile and intermittently connected devices that often operate beyond organisational firewalls and security perimeters.
The following is not an inclusive list, but lays out four basic requirements all public and private sector organisations need to implement to cope with the dynamic information security threat environment in an increasingly interconnected and complex technology landscape.
Requirement 1—real-time visibility and control into the detailed state of all computing devices
Computing devices, especially those that do more than provide a single static purpose, undergo state changes on a regular basis. State changes result from a wide variety of causes, including user actions, application usage, computing resource consumption and conflicts, and also external variables. Understanding the detailed, real-time state of computing devices under management is essential to any information security program. Variables to be tracked should include:
- Asset Discovery—Deep, pervasive discovery of all computing devices, regardless of location, type or connection
- Software Inventory—Continuously inventory all installed and running software
- Software Usage—Monitor, in real-time, the usage of all software on a computing device
- Hardware Inventory: continuously inventory all hardware elements of a device.
Benefits include situational awareness that enables faster response times to security attacks, improved efficiencies of change, and more effective cross-functional group (security and operations) communication
Requirement 2—security configuration management
This requirement includes defining the desired configuration state of all computing devices using industry accepted best practice guidelines (DISA, NIST, FDCC, CIS, etc), auditing the environment to identify any computing devices that deviate from policy, and remediating non-compliant devices to ensure they adhere to policy.
Implementing security configuration management controls have the following benefits:
- Ensure a common language across functional IT security and operations groups
- Eliminate administrative and misconfiguration vulnerabilities and exposures that can often lead to security exploits
- Enable support for a wide-range of compliance initiatives
Requirement 3—continuous policy compliance and enforcement
Implementing a compliance program is only as effective as its controls are at identifying deviations from desired states. Since computers tend to quickly drift from desired good states in the absence of continuous assessment and correction, static compliance efforts that assess and enforce compliance at discrete points in time program are ineffective.
Additionally the expense of a point-in-time compliance program can quickly become cost prohibitive if performed on an annual basis. Here, compliance can become an annual “crash” effort that can shut an organisation down and leave IT staffs trying to cope with an overload of assessment, diagnostic and remediation work on entire infrastructures.
Continuous compliance parses the compliance workload over the working year, never letting any machine drift off standard or requiring massive interventions to right an entire infrastructure.
The benefits of continuous compliance include the ability to align compliance to broad sets of regulatory initiatives at less cost and more effectiveness.
Requirement 4—support for mobile and intermittently connected devices
There are very few organisations that completely deny access to mobile, hand-held devices. In fact, one of the most significant value generating innovations in computing technologies over the last decade has been the ability to extend computing services to remote locations such as homes, airports, hotels, or any place where people can communicate or do business.
Any current IT program must include controls that can support, manage, and secure mobile and intermittently connected devices where ever they are located and however they are connecting to the network or the open internet.
The benefit here is two-fold. Effective security enables anytime anywhere access to computer-based communications and information, while reducing the opportunity for malefactors to leverage mobile devices to perform economic and socially damaging actions. Mobile computing is a very real means to make the economy more efficient and create new opportunities for growth, social inclusiveness, and interaction.
President Obama, I know that I am not alone in welcoming the hope and change that formed the foundation of your presidential election and I know that I am not alone in extending my hand and my participation in support of your administration’s efforts to create a world that allows all of us to experience our dreams fulfilled in a digital age.