<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CTOvision.com &#187; Cyber Security</title>
	<atom:link href="http://ctovision.com/category/cyber-initiative/feed/" rel="self" type="application/rss+xml" />
	<link>http://ctovision.com</link>
	<description>Enterprise IT, Gadgets, Cloud Computing, Disruptive IT.</description>
	<lastBuildDate>Sat, 28 Aug 2010 19:47:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Social Engineering &#8212; Hacking by Asking</title>
		<link>http://ctovision.com/2010/08/social-engineering-hacking-by-asking/</link>
		<comments>http://ctovision.com/2010/08/social-engineering-hacking-by-asking/#comments</comments>
		<pubDate>Sat, 28 Aug 2010 19:40:58 +0000</pubDate>
		<dc:creator>BryanHalfpap</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Weblogs]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2383</guid>
		<description><![CDATA[A good hacker knows that a good hack involves three things:

   1. Vulnerability
   2. Exploitation
   3. Maintenance of access

Talking to that secretary gave us a lot of information -- the antivirus vendor and the version of Internet Explorer being the most important, among other things.  This tells us what the system is vulnerable to -- in this case IE6 vulnerabilities.  Knowing the antivirus lets us know what vulnerabilities will be detected or stopped unless they are re-written or modified.  With very little work we can probably find a way to circumvent any signature-based antivirus for a payload and a working exploit on a system with a profile similar to that described by the secretary.  Now we have both a vulnerability and a method with which we will exploit it.  Finally, the secretary informed us that patches to systems are done on Tuesdays -- so we can have up to a week after successful exploitation to develop a system to maintain access either through reverse shells or an autonomous setup, which should be easy to do once we are in and get the lay of the network.  It's very easy to find and package exploits with the wide availability of large databases of viruses and exploits (I regularly check several exploit databases to stay on top of trends).


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-medium wp-image-2387" style="margin: 4px;" title="socialengineering" src="http://ctovision.com/wp-content/uploads/2010/08/socialengineering-300x195.jpg" alt="" width="300" height="195" /></a>&#8220;Hi, this is Robert Downs from Dell support &#8212; I got redirected to this number by accident by the guy I called, is this Guy?&#8221;</p>
<p>&#8220;Hi Robert &#8212; I&#8217;m the receptionist, Donna, I could redirect you to Guy &#8212; do you know his extension?&#8221;</p>
<p>&#8220;Well, he said he was pretty busy but I just need a few generic questions to close out this help ticket so I can go home &#8212; do you think you can help?&#8221;<br />
&#8220;Uh, I don&#8217;t know&#8230;&#8221;</p>
<p>&#8220;Please? It&#8217;s after 7 here and I really got to go home. It&#8217;s just a second.&#8221;</p>
<p>&#8220;Um.  Ok, sure.&#8221;</p>
<p>What operating system do you use?</p>
<p>&gt;&gt;XP</p>
<p>What web browsers do you have on your PC?</p>
<p>&gt;&gt;Firefox 2.0 and IE6</p>
<p>Do you use Outlook?</p>
<p>&gt;&gt;No, we use a webmail</p>
<p>When was the last time you updated?</p>
<p>&gt;&gt;The IT team does updates every Tuesday night.</p>
<p>What version of Acrobat Reader do you have?</p>
<p>&gt;&gt;7</p>
<p>What&#8217;s your antivirus/endpoint security brand?</p>
<p>&gt;&gt;McAfee endpoint security.</p>
<p>&#8230;<br />
It might not look like it at first, but Mr. &#8220;Downs&#8221; from &#8220;Dell technical support&#8221; is a hacker who just obtained enough reconnaissance to compromise users and servers inside the target company &#8212; an act that costs US companies an average of $6,751,451 per data breach incident according to a <a id="yr0r" title="Ponemon.org study" href="http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2010%20Global%20CODB.pdf">Ponemon Research study</a>.</p>
<div>Now, if I walked up to you on the street and asked you those questions out of the blue, you&#8217;d likely be either annoyed or (hopefully) suspicious. However, if I called your secretary at her desk and told her I was from Dell solving a problem and that I want to get off the phone quickly because I&#8217;m a working stiff with a family too &#8212; that might be a different story. She might tell me she&#8217;s on Windows, that the IT team pushes updates every Tuesday, and that she uses webmail and Internet Explorer 6. Maybe she&#8217;ll even give out her email address so that I can send her a link to close out the ticket, a link that takes her to another website for analysis or exploitation through a hole I found in Dell&#8217;s website (Cross Site Scripting attacks in vulnerable websites make this attack method very easy to do). Hackers who con people into giving out information or helping them gain unauthorized access are known as social engineers (this term is also used for con artists).</div>
<p>A good hacker knows that a good hack involves three things:</p>
<ol>
<li>Vulnerability</li>
<li>Exploitation</li>
<li>Maintenance of access</li>
</ol>
<div>Talking to that secretary gave us a lot of information &#8212; the antivirus vendor and the version of Internet Explorer being the most important, among other things. This tells us what the system is vulnerable to &#8212; in this case IE6 vulnerabilities. Knowing the antivirus lets us know what vulnerabilities will be detected or stopped unless they are re-written or modified. With very little work we can probably find a way to circumvent any signature-based antivirus for a payload and a working exploit on a system with a profile similar to that described by the secretary. Now we have both a vulnerability and a method with which we will exploit it. Finally, the secretary informed us that patches to systems are done on Tuesdays &#8212; so we can have up to a week after successful exploitation to develop a system to maintain access either through reverse shells or an autonomous setup, which should be easy to do once we are in and get the lay of the network. It&#8217;s very easy to find and package exploits with the wide availability of large databases of viruses and exploits (I regularly check several exploit databases to stay on top of trends).</div>
<p><div>It seems like a lot of information in a seemingly innocuous less-than-5-minute conversation. Now consider the fact that I also got her to expect an email with a link &#8212; with that I can collect information like IP addresses, computer names, MAC addresses, perhaps the last few websites the receptionist has gone to, the exact web browser version, and more. It&#8217;s easy to see where this information begins to take a sinister turn into a goldmine of potentially exploitable information.</div>
</p>
<p><div>People such as the once-infamous Kevin Mitnick have long used these con-artist techniques to gain unauthorized access to computer systems. In fact, most of what Mr. Mitnick did to gain unauthorized access to computer systems was social engineering, not hacking. He knew what to say, how to say it and who to say it to by doing his homework on how his targeted industries and businesses operate. Most of his techniques and how he used them to exploit his targets are explained in detail in his book <em><a id="g8:5" title="The Art of Deception" href="http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124">The Art of Deception</a></em>, which goes in depth on techniques to prevent and close human security breaches. Hackers use social engineering so much that this year at Defcon 18 hackers competed in a game in which they researched and called companies to get information from them that could be used later to compromise their security. Every single one of the companies that were involved in the game failed to adequately protect themselves from the hackers-turned-conmen (10 companies, 80 hackers, 3 failed calls), and several hackers were even able to score extra points by convincing personnel to visit websites under their control. <a id="m6qb" title="[link to defcon 18 game]" href="http://www.theregister.co.uk/2010/07/31/hacking_human_gullibility/">[link to defcon 18 game]</a></div>
</p>
<p><div>Train your personnel in how to spot people who are going the extra mile to get information about your company in order to do real damage to it (not drive-by browser exploits and page-jacking). It isn&#8217;t enough to have endpoint protection or antivirus systems in place. People need to be coached on what information to give out and what to keep, especially people who have access to sensitive information or who handle many calls every day. Go through this process with your employees frequently &#8212; perhaps place a flyer on company phones reminding them not to give out information on the computer systems, or bring it up at company meetings or as part of the new-hire routine training (new hires are the favorite targets of any social engineer. They&#8217;re eager to help and do not yet know the rules).</div>
</p>
<p><div>Also, regularly shred important documents with good shredders or shredding services, and securely destroy hard drive data (DOD mandates a 7-pass write-over wipe to prevent re-reading), and make sure that you aren&#8217;t encouraging a workplace environment where it is not OK to question management for the correct credentials when employees are being told to perform sensitive operations like changing passwords. Let your employees know that rules apply to everyone and they will know to stick with them every time &#8212; even if it means asking the &#8220;new boss from the Cleveland office&#8221; who&#8217;s forgotten his recovery question for more information to confirm his identity. It&#8217;s important to be proactive and prevent your company from losing face before an incident happens, even if you&#8217;re small.</div></p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/08/social-engineering-hacking-by-asking/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Quantum Encryption: Some economic and national security implications</title>
		<link>http://ctovision.com/2010/08/quantum-encryption-some-economic-and-national-security-implications/</link>
		<comments>http://ctovision.com/2010/08/quantum-encryption-some-economic-and-national-security-implications/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 12:55:55 +0000</pubDate>
		<dc:creator>BobGourley</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[The Future]]></category>
		<category><![CDATA[quantum]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2378</guid>
		<description><![CDATA[One of the things I like about Alan Paller the individual and the organization he helps lead, SANS, is that they encourage people to write.  They are great motivators, especially if you are pursuing a security certification.  As part of my 2003 SANS certification I wrote a piece on Quantum Encryption and Quantum Computing and am glad SANS forced me to put some thought into that. I&#8217;m especially glad now that we are seeing increasing amounts of news and research announcements on the topics.  A key point I highlighted in the paper is the oft-needed reminder that Quantum Encryption and Quantum Computing are two different things.  Both rely on Quantum effects but the impacts of their implementation will be different.  Quantum Encryption will enable encryption keys to be passed securely over a distance.  Quantum Computing will enable many things, but some dramatic security implications are expected.  For example, through implementation of the fast factorization of integers via &#8220;Shor&#8217;s Algorithm,&#8221; public key encryption using RSA encryption methods will be broken when Quantum Computing is available. Now to my point:  I just read a great piece on Quantum Encryption written by Matthew Luce of the Jamestown Foundation. The piece, titled China&#8217;s Secure Communications [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-full wp-image-2379" style="margin: 4px;" title="digital" src="http://ctovision.com/wp-content/uploads/2010/08/digital.jpg" alt="" width="169" height="215" /></a>One of the things I like about <a href="http://www.sans.org/press/">Alan Paller</a> the individual and the organization he helps lead, <a href="http://sans.org">SANS</a>, is that they encourage people to write.  They are great motivators, especially if you are pursuing a security certification.  As part of my 2003 SANS certification I wrote a piece on <a href="http://www.sans.org/reading_room/whitepapers/vpns/">Quantum Encryption and Quantum Computing</a> and am glad SANS forced me to put some thought into that.</p>
<p>I&#8217;m especially glad now that we are seeing increasing amounts of news and research announcements on the topics.  A key point I highlighted in the paper is the oft needed reminder that Quantum Encryption and Quantum Computing are two different things.  Both rely on Quantum effects but the impacts of their implementation will be different.  Quantum Encryption will enable encryption keys to be passed securely over a distance.  Quantum Computing will enable many things, but some dramatic security implications are expected.  For example, through implementation of the fast factorization of  integers via &#8220;<a href="http://en.wikipedia.org/wiki/Shor's_algorithm">Shor&#8217;s Algorithm,</a>&#8221;  public key encryption using RSA encryption methods will be broken when Quantum Computing is available.</p>
<p>Now to my point:  I just read a great piece on Quantum Encryption written by Matthew Luce of the Jamestown Foundation.</p>
<p>The piece, titled <a href="http://www.jamestown.org/programs/chinabrief/single/?tx_ttnews[tt_news]=36772&amp;tx_ttnews[backPid]=25&amp;cHash=2e3375a2e3">China&#8217;s Secure Communications Quantum Leap</a>, provides a solid review of recent announcements by a team of Chinese researchers from Tsinghua University in Beijing and the Hefei National Laboratory for Physical Sciences (a government directed research center).  Papers published by this team announce successful demonstrations of quantum teleportation, a requirement for quantum encryption.</p>
<p>Here is more from Matthew Luce:</p>
<blockquote><p>Although much of the science behind this technology is still young, quantum technologies have wide-ranging applications for the fields of cryptography, remote sensing and secure satellite communications. In the near future, the results from this experiment will be used to send encrypted messages that cannot be cracked or intercepted, and securely connect networks, even in remote areas, with no wired infrastructure, even incorporating satellites and submarines into the link.</p>
<p>Rather than transporting matter from place to place, quantum teleportation’s most practical applications currently involve using photons for instantaneous, almost totally secure data communication. Using the term “teleportation” to describe this effect can be justified by what Albert Einstein called “spooky action at a distance”: after two particles are linked together through quantum entanglement, any change in the state of one particle immediately alters the other, even from miles away. In effect, the state of the particle at the sender’s end is destroyed and reappears as an exact replica at the receiver’s end, with a negligible chance of undetected third-party interception.</p></blockquote>
<p>Does that have your interest?  Does that make your mind go to the national security and technology implications?</p>
<p>Check out <a href="http://jamestown.org">Jamestown.org</a> for more great writing on that and other topics.</p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/08/quantum-encryption-some-economic-and-national-security-implications/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Devil is in the Details: Seven Tests to Apply to any Cyber Conflict Concept</title>
		<link>http://ctovision.com/2010/08/the-devil-is-in-the-details-seven-tests-to-apply-to-any-cyber-conflict-concept/</link>
		<comments>http://ctovision.com/2010/08/the-devil-is-in-the-details-seven-tests-to-apply-to-any-cyber-conflict-concept/#comments</comments>
		<pubDate>Sun, 22 Aug 2010 14:22:49 +0000</pubDate>
		<dc:creator>Bob Gourley</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Gov2.0]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2371</guid>
		<description><![CDATA[In September 1997 the US Naval Institute ran an article I wrote titled &#8220;The Devil is in the Details: Information War in the Field and Fleet.&#8221; Now 13 years later there are a few things I wrote in that article I wish I could take back! But for the most part I believe it still offers some cautionary notes relevant to the still emerging field of cyber conflict. In its day, the article was one of the first to signal that it is ok to write about the emperor having no clothes when it comes to new information warfare concepts. There was already great promise in cyberconflict concepts then, but plenty of snake oil salesmen too, and I proposed seven tests that officers in the field and fleet could use to help them vet and form personal opinions on the relevance of a concept to their mission. The article was cited in a few military journals and in military academia, and then was cited by a source I would not have predicted. I was the 7th citation in a book written by two Chinese Colonels (Qiao Liang and Wang Xiangsui) in their widely read &#8220;Unrestricted Warfare.&#8221; I thought of this old article [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-medium wp-image-2372" style="margin: 4px;" title="CyberConflict" src="http://ctovision.com/wp-content/uploads/2010/08/p2-269x300.jpg" alt="" width="269" height="300" /></a>In September 1997 the US Naval Institute ran an article I wrote titled &#8220;The Devil is in the Details: Information War in the Field and Fleet.&#8221;  Now 13 years later there are a few things I wrote in that article I wish I could take back!  But for the most part I believe it still offers some cautionary notes relevant to the still emerging field of cyber conflict.</p>
<p>In its day, the article was one of the first to signal that it is ok to write about the emperor having no clothes when it comes to new information warfare concepts.  There was already great promise in cyberconflict concepts then, but plenty of snake oil salesmen too, and I proposed seven tests that officers in the field and fleet could use to help them vet and form personal opinions on the relevance of a concept to their mission.</p>
<p>The article was cited in a few military journals and in military academia, and then was cited by a source I would not have predicted.  I was the 7th citation in a book written by two Chinese Colonels (Qiao Liang and Wang Xiangsui) in their widely read &#8220;Unrestricted Warfare.&#8221;</p>
<p>I thought of this old article after reading news of <a href="http://www.theregister.co.uk/2010/08/20/spanair_malware/" target="_blank">a computer trojan on ground systems being implicated in the crash of a civilian airliner</a>.  A trojan contributing to a crash is exactly the kind of thing my old article would have said was not possible.  If I had been told that was possible in 1997, or even in 2010, I would have almost certainly accused the briefer of exaggeration.  Today I work hard to stay up with the capabilities of the threat and I know cyber threats are very serious and are costing us $Billions in real value and probably $Trillions in opportunity cost.  But contributing to the crash of an airliner?</p>
<p>But now there is a new fact to examine in the progression of the cyber threat, and one that should cause us all to rethink the path we are on regarding our information systems.  I&#8217;ll write more on that soon.</p>
<p><strong>And some additional thoughts/questions:</strong> Aren&#8217;t you glad we have a <a href="http://ctovision.com/?s=cyber+command" target="_self">Cyber Command</a> to help ensure we reduce the chances of this type of threat to our military aircraft?  Don&#8217;t you wish we had an organization able to help reduce the chances of this type of threat impacting civilian aircraft?  Do you think we should all be moving at warp speed towards a new FAA-designed Next Generation Air Traffic Control System?  Will it be safer than the old one? If you think so, what makes you think so?  Can you help improve on concepts like &#8220;<a href="http://ctolabs.com/2010/04/enhancing-computer-security-by-two-orders-of-magnitude/" target="_blank">Enhancing Computer Security by Two Orders of Magnitude</a>&#8221;?</p>
<p>The September 1997 article is posted below.</p>
<p>============================================</p>
<h1 style="text-align: center;">The Devil is in the Details: Information War in the Field and Fleet</h1>
<p style="text-align: center;">(Second honorable mention, USNI Colin Powell Joint Warfighting Essay Contest)</p>
<p style="text-align: center;">Published September 1997 USNI Proceedings</p>
<p style="text-align: center;">LCDR Robert D. Gourley, USN</p>
<p>Some of the nation&#8217;s brightest minds are now shaping our approach to information warfare. They are setting up special schools, writing papers and books, debating strategies and codifying joint information warfare doctrine. The JCS and military services are establishing new information warfare commands and orchestrating organizational changes at national, theater, and operational levels. Modern information warfare has the potential of doing for today&#8217;s military what ULTRA and MAGIC did for our forces during World War II. Those programs provided insights into enemy intentions and formed the basis of our successful deception plans. Now invigorated with powerful computer and communications systems, information warfare will soon represent an integral part of the American way of war.</p>
<p>But the Department of Defense has moved so fast to embrace information warfare concepts that mid-level officers of all services have had little time to catch their breath. We will soon have to implement concepts that we hardly understand. There is also a growing body of evidence that suggests some information warfare concepts will not work in the field or fleet.</p>
<p>This article is not a primer on information warfare. Such articles abound in professional journals and the open press. It does, however, seek to widen the debate by encouraging constructive criticism on information warfare. It does so by providing seven tests for evaluating information warfare briefings, point papers, articles or books. Applying these tests to a quality information warfare plan will prove its relevance. But these tests will unravel flawed concepts. Testing concepts that fall somewhere between the ends of this failure/success spectrum will provide insight on how to make good plans better.</p>
<p>These seven tests are:<br />
- A test for an over reliance on metaphors.<br />
- A test for plans that overestimate the threat.<br />
- A test for plans that overestimate our own capabilities.<br />
- A test for historical relevance and accuracy.<br />
- A test for extraordinary attempts to avoid criticism.<br />
- A test for unsupported assumptions.<br />
- A test for nonstandard definitions.</p>
<p>#1: Test for an over reliance on metaphors. Metaphors are an important part of our language. They are especially important in explaining new concepts or ideas. Unfortunately, the metaphor is sometimes mistaken for reality. Test any concept explained by a metaphor to ensure the metaphor does not become the concept.</p>
<p>Some metaphors lead to restrictive thinking. For example, a popular metaphor in information warfare is that of &#8220;The five pillars of C2W.&#8221; Its advocates draw images of five columns labeled OPSEC, PSYOPS, EW, DECEPTION and PHYSICAL DESTRUCTION that rest on a solid foundation labeled INTELLIGENCE. The pillars hold up a rooftop labeled THE MISSION. While useful to introduce the idea, the metaphor does not reflect how C2W should work in the field or fleet. C2W planners may contribute to plans for use of military functions other than the five in the metaphor. The pillars also imply separation. C2W should not consist of stovepiped functions developed separately from each other or the mission. Support to the mission requires planning and executing each function together with other functions and planning efforts. Perhaps a better metaphor in this case is that of strands of a rope&#8211; individually they may be strong, but bound together their strength is stronger still&#8211; and adding more strands will make the rope even stronger.</p>
<p>Expansive metaphors can also result in misleading interpretations. For example, another common information warfare metaphor is that of &#8220;Cyberspace,&#8221; the imaginary world behind the screen of your computer. Fantasy novels and the popular press have made the term a household word. Military versions include the &#8220;Cyberbattlespace.&#8221; The metaphor has reached the point where people talk of &#8220;fighting in cyberspace&#8221; and of creating teams of &#8220;cyberwarriors&#8221; to lead those fights. What actually is behind a computer screen is the inner workings of a display device. Like the rest of the computer and every computer network, it is a physical construct of matter that moves energy according to the laws of physics. Strictly speaking, we cannot &#8220;fight&#8221; in cyberspace any more than we can &#8220;walk&#8221; inside a Picasso painting.</p>
<p>#2: Test for an overestimation of the threat. There is a serious threat to our nation&#8217;s information systems. Hackers attack private and government computer systems on a daily basis. Our economy loses billions of dollars a year to computer crime. The General Accounting Office estimates that hackers conducted up to 250,000 attacks on federal computers last year alone.<sup>i</sup> Many of these were embarrassing breaches involving DoD information.</p>
<p>The threat is serious, but fortunately our most sensitive networks are well protected, and new technology is making them even more secure. Leaders in government and industry recognize the problems of computer security and are devoting resources to protect them. The Department of Defense and the military services are implementing comprehensive defensive measures. The FBI has computer investigation squads. The Justice Department has doubled its funding for computer crime prosecution. The Secret Service has a computer crime section. The CIA is opening an information warfare technology center. State and local law enforcement officials around the country are following suit.<sup>ii</sup> Industry&#8217;s defensive efforts are even greater than those of the government. Information is industry&#8217;s life blood, and they are devoting time, money and brain power to protect it. In an attempt to coordinate the efforts of industry and government, the President has formed a Commission on Critical Infrastructure Protection, which is now conducting public hearings on the issue.<sup>iii</sup></p>
<p>Many information warfare experts describe threats from computer literate opponents linking into systems to reroute trains, crash stock markets, open drawbridges, cause midair collisions, reroute HOV lanes and destroy birth records. Some experts paint a threat of computer terrorists crippling our nation by attacks on banking, business communications, power generation, law enforcement and air-traffic control computers. Threat characterizations like those may be neglecting the high investment both government and industry are already making in defensive information warfare. Incorrect threat estimates can result in a waste of resources that should be applied to our real weaknesses. If you suspect an information warfare concept was built to counter an unrealistic threat, you should probably inquire about the details of the threat assessment it is based upon.</p>
<p>#3: Test for an overestimation of our own capabilities. The military can and should expand its capabilities to attack enemy computers. Since computers do so many things that few ever predicted, some people fall into the trap of thinking that we can build computers that can do anything. This is not quite true.</p>
<p>How can you tell if a briefer or a particular reading is guilty of overestimating our capabilities? It is easier to understand the realm of possibilities with a background in quantum mechanics and computer science. But even if you are not conversant in these areas you can still make informed judgments. All you need is a good foundation in the performance of current C4I systems, coupled with an ability to ask probing questions. For example, if you were told that we could degrade an enemy&#8217;s oil producing capability by injecting a virus into a computer, your first question should be &#8220;How?&#8221; If you are told that the same computer the enemy uses for oil production has been penetrated in labs, ask how the virus will be delivered in hostile territory. If the answer is by space or aircraft, our capability is probably being overestimated. If the answer is by a spy, you should ask if he is in place now or if we need to mount an operation to get him in place. Keep in mind that networks of agents take years to establish. Like many other military operations, the devil is in the details of information warfare plans.</p>
<p>#4: Test for historical relevance and accuracy. Information warfare theorists frequently frame their ideas with historical references. This search for supporting historical tidbits sometimes results in erroneous interpretations. These errors can become so widespread that they begin to be accepted as fact. For example, some information age strategists quote General von Moltke&#8217;s vision for reorganizing the German General Staff to make optimum use of telegraph systems. Historians tell us there is no record of von Moltke ever saying any such thing. These fictitious quotes are being used to bolster arguments for organizational change today.<sup>iv</sup></p>
<p>Many information war strategists draw parallels between the concept they support and concepts of the past. History can teach us the relevance of these parallels, many of which are right on the mark. For example, Major General Grange and Colonel Kelly highlight the information warfare strategies of Genghis Khan to remind their readers that &#8220;armies have conducted information operations throughout history.&#8221;<sup>v</sup> This is certainly true.</p>
<p>Other information warfare advocates draw parallels that may be less relevant. For example, many try to build support for their ideas by referencing the German Blitzkrieg. They describe Blitzkrieg as a revolutionary concept that allowed the Germans to take French forces with similar technologies by surprise. They point out that there were some in Germany who opposed Guderian&#8217;s new ideas. The point of the analogy is usually that we must accept the new information warfare idea being advocated or we will fail in war.</p>
<p>Unfortunately, history also shows us that all new ideas are not great ideas. The Maginot line was a new idea, designed to convince the Germans that war would be untenable. The complex appeasement plan negotiated by Prime Minister Chamberlain prior to World War II was considered by many a new idea that would avoid war. Both of these new ideas failed completely. Concepts should never be condoned just because they are new.</p>
<p>Some information warfare concepts use historical models to explain the history of man and then predict the future. Testing these models to see how well they apply to the past can help you determine if they are too simplistic to allow for reliable predictions of the future. For example, one popular model in information warfare concepts is the &#8220;Three Waves&#8221; theory proposed by Alvin and Heidi Toffler. This model proposes that the way nations make war is tied to the way they make wealth, and that society has changed its economic and military systems in three waves. From 10,000 years ago till the 19th century, society and war were agriculturally based. When an industrial wave swept through the world the dominant war form became based on mass production. Now that we are riding the crest of an informational wave, knowledge will be central to our way of war.<sup>vi</sup></p>
<p>Although this is a good summary of the history of civilization, it is not surprising to learn that there are many historical exceptions that do not fit this model.<sup>vii</sup> It is also not surprising that this type of model is just too general for short term predictions. For developments over the next ten years, simple trend analysis will provide a better assessment of the future security environment.</p>
<p>#5: Test the concept for extraordinary attempts to avoid criticism. This may actually be a signal that the idea deserves more of your scrutiny. Avoiding criticism may come in the form of calling attention to the wisdom of the developers of the idea. A briefer may say that &#8220;a group of certified geniuses including a Nobel prize winner developed this idea.&#8221; If you hear one like that, keep in mind that educated people are not immune from generating foolish ideas, especially if the subject is outside their area of expertise. For example, two noted PhD criminologists recently published an article on information warfare threats that included references to computer viruses that in reality did not exist. They had read some common computer jokes, and believed the jokes to be true. The jokes had made-up names of viruses such as &#8220;the Gingrich virus&#8221; (the joke says the virus makes you sign a contract with your computer).<sup>viii</sup></p>
<p>You might also be told that the concept&#8217;s supporters include some of the highest ranking officers in our military, perhaps even a service chief or the Chairman of the JCS. This does not mean the idea no longer deserves your scrutiny. Based on the attention given to joint and service professional military education, our seniors encourage independent thought on national security issues and would welcome professional dialog on information warfare.</p>
<p>Criticism avoidance may also take the form of a briefer skimming over key parts of a concept while explaining that &#8220;You wouldn&#8217;t understand this part, so I&#8217;ll skip it.&#8221; I&#8217;ve heard phrases like that in briefs to mid-grade military officers. There are certainly some complex information warfare issues to sort out, but there are few whose salient aspects cannot be described to today&#8217;s well-educated military officers. If someone resorts to avoiding complicated material and says it is because you would not understand, it is a good indication that you are dealing with a modern day snake-oil salesman. As a rejoinder you could make it clear that you expect plain language explanations on the concept. Perhaps you can remind the briefer that Carl Sagan could satisfactorily explain the entire cosmos to the average American using nothing but plain English.</p>
<p>You may encounter a briefer who answers simple questions with &#8220;I can&#8217;t get into that&#8230; it is classified.&#8221; If so, you may want to reply with a general question like &#8220;is there anything about it you can describe at our current classification?&#8221; If the answer is still no, you may wish to contact a member of the individual&#8217;s parent command or a co-worker who may be cleared to higher levels. Keep in mind that your objective should never be to gain access to information that you are not cleared for. Classification can (and sometimes should) be used as a trump card that will not let you give some concepts your full scrutiny.</p>
<p>#6: Test for unsupported assumptions. These can creep into arguments on any controversial subject. However, the only information warfare assumptions officers in the field or fleet should accept are those defended by good arguments. For example, a common assumption in information warfare is that it &#8220;will in and of itself relegate other more traditional forms of warfare to the sidelines.&#8221;<sup>ix</sup> There is no evidence that this is the case at all. In fact, the new JCS Joint Vision 2010 provides the assessment that solving future crises will always require an ability to put &#8220;boots on ground.&#8221;<sup>x</sup></p>
<p>Another common assumption is that we must reorganize to use information warfare strategies. Many of our organizations can and should change, but information warfare strategies need not affect every organization. Efficient staffs have long been able to implement new ideas with current structures. Most Unified CINC staffs and many of their subordinate staffs are now grappling with how to best reorganize to take advantage of information warfare. Often, they may find that they need no substantial changes.</p>
<p>#7: Test for nonstandard definitions. Almost every organization dealing with information warfare (including those in academia and industry) defines information warfare concepts differently. There are those that say we shouldn&#8217;t haggle about such a minor point. However, words and how they are defined can have a significant impact on how we transform concepts into reality. Fortunately there is a &#8220;no haggle&#8221; solution to this issue. We in the military should insist on using the definition JCS promulgates to us as doctrine. This means the best source (at this writing) is DoD&#8217;s Joint Pub 3-13. &#8220;Joint Doctrine for C2W.&#8221; It defines information warfare as &#8220;actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one&#8217;s own.&#8221;<sup>xi</sup></p>
<p>CONCLUSIONS:<br />
The U.S. military must continue to develop strategic theories of information warfare. Such theories will, in turn, drive joint doctrine, technologies, organizations, and procedures designed for use by operators in the field and fleet. Currently, those with little military experience and senior officers removed from day to day operations are leading the debate on information warfare. But the nation&#8217;s real information warfare experts are officers in the field and fleet skilled in making assessments in a data rich environment. By taking a more active role in this debate and applying the tests presented above to current concepts, operators can better the information warfare plans we will be expected to implement in crisis or war.<br />
END NOTES</p>
<p>i. GAO Report. Information Security: Computer Attacks at Department of Defense. (GAO/AIMD-96-84. May 1996).</p>
<p>ii. Shannon Buggs, Court-martial to begin in computer spying case. THE RALEIGH NEWS &amp; OBSERVER (Raleigh, N.C. December 9, 1996).</p>
<p>iii. John Schwartz, Retired General&#8217;s Mission: Making Cyberspace Secure. WASHINGTON POST (Washington, D.C., January 31, 1997). A19.</p>
<p>iv. R. L. DiNardo and Daniel J. Hughes, Some Cautionary Thoughts on Information Warfare. AIRPOWER JOURNAL (Winter 1995).</p>
<p>v. Major General David Grange, Colonel James Kelly, Victory through Information Dominance. ARMY (Association of the U.S. Army, March 1997). 33.</p>
<p>vi. Alvin and Heidi Toffler, WAR AND ANTI WAR: Survival at the Dawn of the 21st Century. (New York, Little, Brown and Co., 1993).</p>
<p>vii. For a critique of this model see Robert J. Bunker&#8217;s The Tofflerian Paradox. MILITARY REVIEW (May-June 1995). 7.</p>
<p>viii. David Carter, PhD, and Andra Katz, PhD, &#8220;Computer Crime: An Emerging Challenge for Law Enforcement.&#8221; LAW AND ENFORCEMENT BULLETIN (FBI Academy, Quantico VA, December 1996).</p>
<p>ix. Steve Kish, Do We Need an Information Warrior? MARINE CORPS GAZETTE (Quantico VA, January 1997). 20.</p>
<p>x. Chairman of the Joint Chiefs of Staff, Joint Vision 2010. (Pentagon, Washington, D.C., 1997). 18.</p>
<p>xi. Joint Pub 3-13.1 Joint Doctrine for Command and Control Warfare (C2W). (Pentagon, Washington, D.C., February 7, 1996).</p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/08/the-devil-is-in-the-details-seven-tests-to-apply-to-any-cyber-conflict-concept/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Do not share all your device&#8217;s files when you join public wi-fi networks</title>
		<link>http://ctovision.com/2010/08/do-not-share-all-your-devices-files-when-you-join-public-wi-fi-networks/</link>
		<comments>http://ctovision.com/2010/08/do-not-share-all-your-devices-files-when-you-join-public-wi-fi-networks/#comments</comments>
		<pubDate>Wed, 04 Aug 2010 10:35:54 +0000</pubDate>
		<dc:creator>Bob Gourley</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2321</guid>
		<description><![CDATA[Using wi-fi hotspots at airports, coffeeshops, hotels, conferences or work locations can be a tremendous productivity boost, and your options for connecting to wi-fi are only increasing.  Companies like McDonalds, Starbucks, Panera and Chick-fil-A now offer free connectivity just to help sell their wares. But did you realize that when you connect to a wi-fi hotspot, even if it is a hotspot you have to pay to join, you are opening yourself up to privacy attacks?  Every other computer (including iPad/iPhone/Droid) on that wi-fi network can now know something about your computer just because you joined the wi-fi LAN. And, if you allowed your computer to be configured a certain way you might be providing a significant amount of personal information to your fellow wi-fi users.  You might even be authorizing them, through your configuration settings, to see all the files on your computer. My recommendation: Pause for a moment and check the settings on all your devices. Basic concepts: When you are using your device at home or in your office you might have good reason to have wide open settings that let others on your LAN move files in and out from your computer. That&#8217;s a great way [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-medium wp-image-2322" style="margin: 4px;" title="iNetPro" src="http://ctovision.com/wp-content/uploads/2010/08/iNetPro-208x300.jpg" alt="" width="208" height="300" /></a>Using wi-fi hotspots at airports, coffeeshops, hotels, conferences or work locations can be a tremendous productivity boost, and your options for connecting to wi-fi are only increasing.  Companies like McDonalds, Starbucks, Panera and Chick-fil-A now offer free connectivity just to help sell their wares.</p>
<p>But did you realize that when you connect to a wi-fi hotspot, even if it is a hotspot you have to pay to join, you are opening yourself up to privacy attacks?  Every other computer (including iPad/iPhone/Droid) on that wi-fi network can now know something about your computer just because you joined the wi-fi LAN. And, if you allowed your computer to be configured a certain way you might be providing a significant amount of personal information to your fellow wi-fi users.  You might even be authorizing them, through your configuration settings, to see all the files on your computer.</p>
<p><strong>My recommendation:</strong> Pause for a moment and check the settings on all your devices.</p>
<p><strong>Basic concepts:</strong> When you are using your device at home or in your office you might have good reason to have wide open settings that let others on your LAN move files in and out from your computer. That&#8217;s a great way to share work, back up files, exchange photos, share printers, synchronize contact databases, etc. (and hopefully that is over an encrypted LAN you control).  But then when you take that device on the road and join a wi-fi network, you really don&#8217;t want to be authorizing everyone else on that wi-fi network to have the same authorizations you share at home.  Right?</p>
<p><strong>Below are some quick tips you can use to check your device configurations:</strong></p>
<p><strong>Checking your settings on Windows devices:</strong><br />
In the Windows control panel open the sharing center, then select Choose Homegroup and Sharing Options and Change Advanced Sharing Settings.  This will enable you to turn off printer sharing, file sharing, network discovery and public folder sharing.  You should also check your Windows firewall.  This is in the Control Panel under System and Security.  Windows will also let you automate changing your settings for wi-fi security at home, work and on public networks.  You can choose the security setting when joining the network (by default you should see a window when joining the wi-fi network that lets you select home, work or public settings, with public settings being more strict).  You can check what these settings are configured for in the Control Panel under the Network and Sharing Center.</p>
<p><strong>Checking your settings on Mac devices:</strong><br />
In your System Preferences select Sharing.  Review the name you have given your computer.  Does it provide more info than you would want others to know? Why not give it a more generic name, just in case?  Then review all the services listed and make sure none of these are checked unless you are at home or work and comfortable sharing.  Your Mac also has a firewall that is configured under System Preferences and &#8220;Security&#8221;. Under the Firewall tab select &#8220;Allow only essential services&#8221; and then click &#8220;advanced&#8221; and select the option for Stealth.  That will keep your computer more low key.</p>
<p><strong>Checking your settings on iPod/iPhone/iPad: </strong><br />
What did you name your iPhone/iPad/iPod Touch? Consider naming it something generic so when it is discovered on a network it doesn&#8217;t reveal too much personal info.  The easiest way to do that is in iTunes.  Connect your device, launch it and select the device in the left hand column. Highlight the name and type something else (I named my iPod &#8220;Zune&#8221; just to throw any hacker off, ha!). You should also be in command of when your devices join networks, so in the settings panel, under &#8220;wi-fi&#8221; select the configuration switch for asking to join networks.</p>
<p><strong>Checking the settings in your Android Device: </strong><br />
These devices are just as easy to check and configure as the iPhones.  Look under &#8220;settings&#8221; then tap &#8220;wireless and networks.&#8221;  You can review wi-fi networks that are available to join and which require passwords.  You can also view and edit settings from this screen.</p>
<p><strong>Checking settings externally: </strong><br />
If you run your own network at home, guess what?  That means you are the head security guy for your network.  You should definitely treat that job with the respect it deserves and if you run a wi-fi network at home there are more settings you should check.  And those settings, including the settings of every device on your network, should be scanned by you to ensure they are in compliance with your policy.  You can do that with programs such as Wireshark or any number of scanners.  But if you are an iPhone or iPod Touch user there is an App for that.  One of my favorite ways to scan wireless networks is the <a href="http://itunes.apple.com/us/app/inet-pro-network-scanner/id305242949?mt=8   ">iPod Touch&#8217;s iNet Pro</a> program.  Running this program is a fun way to rapidly check the configuration of your home networks and can also tell you the kind of info others are broadcasting when you are in public environments.  The Android platform also has some great wi-fi scanners available, including some that run in augmented reality.  The clip below shows one of those at work:<br />
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/u0vkduEyC7k&amp;hl=en_US&amp;fs=1" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube.com/v/u0vkduEyC7k&amp;hl=en_US&amp;fs=1" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/08/do-not-share-all-your-devices-files-when-you-join-public-wi-fi-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Enhance your security posture</title>
		<link>http://ctovision.com/2010/07/enhance-your-security-posture/</link>
		<comments>http://ctovision.com/2010/07/enhance-your-security-posture/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 20:10:36 +0000</pubDate>
		<dc:creator>Bob Gourley</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2267</guid>
		<description><![CDATA[With this post I would like to provide some personal thoughts on the key things organizations should be doing to enhance security, privacy and functionality of their IT.  This includes some specific recommendations for security solutions, including solutions I&#8217;m on advisory boards for (read the disclaimer).  So I better caveat this by saying &#8220;please use your own judgement!&#8221;   I associate myself with firms because I believe they are world class best and that is why I&#8217;ve mentioned the specific capabilities here. With that, here are my views of the top five things every government organization should be doing to reduce risk in cyberspace: 1.  Adopt and fully implement a program centered around the Consensus Audit Guidelines.  Details on this effort are at http://www.sans.org/cag This program is a well coordinated, well thought out list of controls and metrics that every organization should have in place.  It includes 15 controls subject to automated measurement and validation and five other controls that are not supported by automated measurement.  The combined 20 controls will let organizations measure and continually improve their security and functionality. 2.  Understand you can&#8217;t do it alone.  Stopping the threats today is a constant struggle, and even the most secure enterprises are [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com/wp-content/uploads/2010/07/padlock-and-key.jpg"><img class="alignleft size-medium wp-image-2268" style="margin: 4px;" title="padlock-and-key" src="http://ctovision.com/wp-content/uploads/2010/07/padlock-and-key-300x203.jpg" alt="" width="300" height="203" /></a>With this post I would like to provide some personal thoughts on the key things organizations should be doing to enhance security, privacy and functionality of their IT.  This includes some specific recommendations for security solutions, including solutions I&#8217;m on advisory boards for (read the <a href="http://ctovision.com/about/disclaimers-and-bias/" target="_blank">disclaimer</a>).  So I better caveat this by saying &#8220;please use your own judgement!&#8221;   I associate myself with firms because I believe they are world class best and that is why I&#8217;ve mentioned the specific capabilities here.</p>
<p>With that, here are my views of the top five things every government organization should be doing to reduce risk in cyberspace:</p>
<p>1.  Adopt and fully implement a program centered around the <a href="http://ctovision.com/2009/02/enhancing-security-and-functionality-at-the-same-time/">Consensus Audit Guidelines</a>.  Details on this effort are at <a href="http://www.sans.org/cag/" target="_blank">http://www.sans.org/cag</a>.  This program is a well coordinated, well thought out list of controls and metrics that every organization should have in place.  It includes 15 controls subject to automated measurement and validation and five other controls that are not supported by automated measurement.  The combined 20 controls will let organizations measure and continually improve their security and functionality.</p>
<p>2.  Understand you can&#8217;t do it alone.  Stopping the threats today is a constant struggle, and even the most secure enterprises are getting penetrated (case in point, consider the US intelligence community and what a <a href="http://www.nytimes.com/2010/07/07/world/middleeast/07wikileaks.html?src=me" target="_blank">single criminal insider</a> was able to do).  All organizations, of all sizes, need to find the right organizations to network with and the right cyber defenders to coordinate with when times get tough.  In general, these are groups like:</p>
<ul>
<li><a href="http://www.cert.org/" target="_blank">Carnegie Mellon CERT</a></li>
<li><a href="http://www.us-cert.gov/" target="_blank">US CERT</a></li>
<li><a href="http://www.stratcom.mil/factsheets/cc/">US Cyber Command </a></li>
<li><a href="http://iase.disa.mil/index2.html" target="_blank">DISA&#8217;s IA team</a></li>
<li><a href="http://fbi.gov" target="_blank">FBI</a> (and the <a href="http://www.ic3.gov" target="_blank">IC3</a>).</li>
<li><a href="http://www.dc3.mil/home.php" target="_blank">DoD Cyber Crime Center (DC3)</a></li>
<li><a href="http://www.doecirc.energy.gov/" target="_blank">DoE CIRC</a></li>
<li><a href="http://sans.org/" target="_blank">SANS</a></li>
</ul>
<p>A lesson I&#8217;ve learned the hard way, multiple times, is that coordination with groups like this should be done before you need to.  When the crisis comes you should already know who to plug in with.</p>
<p>3.  Establish deep packet inspection multi-function capabilities at the entry points to your networks.  My favorite means to establish this capability is with the <a href="http://www.cloudshield.com" target="_self">Cloudshield</a> telco packet server.  Cloudshield&#8217;s capabilities address many enterprise challenges including threat from external sources plus threats of data loss by the use of an open, programmable network platform.</p>
<p>4.  The greatest source of threats into the enterprise IT systems today is via the browser. Shutting down this avenue of attack while keeping your users on the net is a key requirement. Web-borne malware comes in via the browser and well resourced criminal groups are ensuring they will always be able to find a way in. The solution here: <a href="http://www.invincea.com" target="_blank">Invincea browser protection</a>.  Invincea protects users against web-borne threats to eliminate these risks.  See their <a href="http://www.invincea.com/wordpress/" target="_blank">blog</a> for more info.</p>
<p>5.  Maintain control of the state of your endpoint devices by use of automated, persistent security readiness.  Applying endpoint security automation continuously remediates issues on user desktops so infections/penetrations/trojans/problems are found fast and the computer&#8217;s state is returned to its previous working status.  The most scalable, robust solution in this space is <a href="http://triumfant.com" target="_blank">Triumfant</a>.  Use of Triumfant is a key component of defense in depth but also a significant contribution to IT O&amp;M and readiness.  Triumfant will reduce the number of trouble tickets your help desk receives; stuff just works better.  See their <a href="http://blog.triumfant.com/" target="_blank">blog</a> for more info.</p>
<p>Above I mentioned 20 controls, 9 coordinating organizations, and three specific technologies.  But there are far more technologies of interest, many of which are reviewed and described in detail on our site at <a href="http://ctolabs.com" target="_blank">http://ctolabs.com</a></p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/07/enhance-your-security-posture/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Pros and Cons: Cyber Command</title>
		<link>http://ctovision.com/2010/07/pros-and-cons-cyber-command/</link>
		<comments>http://ctovision.com/2010/07/pros-and-cons-cyber-command/#comments</comments>
		<pubDate>Tue, 06 Jul 2010 08:47:40 +0000</pubDate>
		<dc:creator>Bob Gourley</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2263</guid>
		<description><![CDATA[Even before the U.S. Cyber Command stood up there was wide-ranging speculation about what the command would do, the authorities it would be granted, and the powers it would wield. No amount of insight from those with knowledge of the command will be enough to assuage the concerns of those who feel such an organization – and more specifically its intimate links with an intelligence agency – is a threat to liberty online and in general. Two of the early players in the cyber security and intelligence world – Bob Gourley and Mike Tanji – square off over the value – or lack thereof – of the Cyber Command and its impact on national security. Pro Cyber Command is destined for success. It will achieve its intended primary purpose, which is making a significant positive impact on Department of Defense IT security (from the mission statement: &#8220;&#8230;direct the operations and defense of specified Department of Defense information networks.&#8221; It will also contribute to our nation&#8217;s ability to conduct offensive cyber conflict (from the mission statement: &#8220;&#8230; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains.&#8221; These are not simple tasks but [...]


Related posts:<ol><li><a href='http://ctovision.com/2009/04/new-command-to-focus-on-cybersecurity-for-dod-and-ic/' rel='bookmark' title='Permanent Link: New Command to Focus on Cybersecurity for DoD and IC'>New Command to Focus on Cybersecurity for DoD and IC</a></li>
<li><a href='http://ctovision.com/2010/05/pros-and-cons-bill-clinton-as-dni/' rel='bookmark' title='Permanent Link: Pros and Cons: Bill Clinton as DNI'>Pros and Cons: Bill Clinton as DNI</a></li>
<li><a href='http://ctovision.com/2007/09/intellectual-rigor-and-cyber-conflict/' rel='bookmark' title='Permanent Link: Intellectual Rigor and Cyber Conflict'>Intellectual Rigor and Cyber Conflict</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-full wp-image-2265" style="margin: 4px;" title="200px-2010-05-14-USCYBERCOM_Logo" src="http://ctovision.com/wp-content/uploads/2010/07/200px-2010-05-14-USCYBERCOM_Logo.jpg" alt="" width="200" height="201" /></a>Even before the U.S. Cyber Command stood up there was wide-ranging speculation about what the command would do, the authorities it would be granted, and the powers it would wield. No amount of insight from those with knowledge of the command will be enough to assuage the concerns of those who feel such an organization – and more specifically its intimate links with an intelligence agency – is a threat to liberty online and in general. Two of the early players in the cyber security and intelligence world – Bob Gourley and Mike Tanji – square off over the value – or lack thereof – of the Cyber Command and its impact on national security.</p>
<p><strong>Pro</strong></p>
<p>Cyber Command is destined for success.  It will achieve its intended primary purpose, which is making a significant positive impact on Department of Defense IT security (from the mission statement: &#8220;&#8230;direct the operations and defense of specified Department of Defense information networks.&#8221;).  It will also contribute to our nation&#8217;s ability to conduct offensive cyber conflict (from the mission statement: &#8220;&#8230; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains.&#8221;).</p>
<p>These are not simple tasks, but you only need look at what existed before Cyber Command to see the positive benefits which the organization makes now. Prior to Cyber Command, ambiguity of command in cyber decision-making was the norm. An almost uncountable number of organizations asserted leading roles in the domain, including USSTRATCOM, elements of the Office of the Secretary of Defense, every military Service, the National Security Agency (including both the defensive and SIGINT components playing different roles), and other elements of the IC. Every COCOM also has a role in cyber conflict and each considers cyber defense an important capability (but each has challenges understanding its own posture due to ambiguity in service chain of command for cyber).  These many players still have incredibly important missions and roles in cyber conflict, but they now have a guidon to follow.</p>
<p>Cyber Command is led by a staff of experienced military professionals with a deep understanding of the wide spectrum of DoD missions and the impact IT and security posture can have on missions.  And they are supported by a deep bench of technical experts and an experienced cadre of threat analysts.</p>
<p>The military leadership of Cyber Command will include many technology professionals, but more importantly it will include uniformed military officers with significant experience in making decisions in stressful operational environments.  The cyber domain is different from the physical one in many ways; however, success in traditional military operations can lay a foundation for success in Cyber Conflict.  When appropriately applied, for example, the often studied principles of combat from the United States Army Field Manual[1] that provide a sound basis for training, strategy development and, in many traditional kinetic engagements, operations, are directly applicable to cyberspace. Consider:</p>
<ul>
<li>Objective (clearly defined, decisive, and attainable)</li>
<li>Offensive (Seize, retain, and exploit the initiative)</li>
<li>Mass (Concentrate combat power at the decisive place and time)</li>
<li>Economy of Force (minimum essential combat power to secondary efforts)</li>
<li>Maneuver (Place the enemy in a disadvantageous position)</li>
<li>Unity of Command (Ensure unity of effort under one responsible commander)</li>
<li>Security (Never permit the enemy to acquire an unexpected advantage)</li>
<li>Surprise (Strike the enemy in a manner for which he is unprepared)</li>
<li>Simplicity (Prepare clear, uncomplicated plans and clear, concise orders to ensure thorough understanding)</li>
</ul>
<p>When planned in the context of a deep understanding of how technology works and an understanding of authorities for operating in privately held systems, these principles provide a tremendous foundation for further examination of the cyber environment.  This points to a clear benefit of Cyber Command: an ability to leverage DoD strengths to defend DoD networks.</p>
<p>All indications are that the nation will face many cyber challenges in the future, and not every battle will be won.  But we stand a far better chance of victory now that this capability is in place.</p>
<p><strong>Con</strong></p>
<p>Cyber Command is unlikely to have any significant impact on the security of military networks in the near- to mid-term, which for the purposes of this post will mean sooner than 2015: an epoch in Internet time. The reasons are diverse and plentiful.</p>
<p>Talent for Cyber Command is most likely going to be drawn from the NSA and other existing cyber security organizations within the government. To be clear: the government is full of gifted computer and information security professionals, but most of them won’t end up at Cyber Command. This has nothing to do with Cyber Command itself; it is simply standard bureaucratic practice. No government manager lets their best people leave; they send “those who can be spared.” Is the worst of the NSA still better than the best of our adversaries? Only if you believe the other side has little to no dead-weight in their ranks.</p>
<p>Cyber Command is led by a smart, talented General Officer who in his previous job presided over technical and managerial efforts like <a href="http://www.globalsecurity.org/org/news/2006/060226-nsa-ills.htm" target="_blank">Groundbreaker </a>and <a href="http://articles.sfgate.com/2006-01-29/news/17277093_1_inadequate-management-and-oversight-intelligence-failures-nsa" target="_blank">Trailblazer</a>. As best as anyone on the outside can determine, these are cures that are worse than the disease they were meant to defeat. And who would have thought that an agency that lived and died by its computer systems would need trivial things like <a href="http://articles.baltimoresun.com/2007-06-24/news/0706240110_1_national-security-agency-classified-electricity" target="_blank">electrical power</a>? How exactly is adding to his already expansive and diverse responsibilities supposed to instill confidence in this new endeavor?</p>
<p>Service-specific “cyber” commands have been in existence – if not in name, in practice – for years, yet there has been no discernible improvement in the security of military networks in all that time. Memos, warnings and orders from these elements (including the JTF-CND, where your authors first worked together) are regularly ignored or waived for operational need. Absent the ability to commandeer or switch off the discrete networks and/or segments that make up military cyber space, edicts from Cyber Command are just memos from another bureaucracy that will be dealt with accordingly. It will never exercise sufficiently granular authority over the operational requirements of combat units. One need only look at the <a href="http://www.wired.com/threatlevel/2010/06/leak/" target="_blank">PFC Manning disaster</a> to realize just how slipshod security gets the farther away from Fort Meade you sit. No security officer – cyber, physical or otherwise – ever won an argument with a combat commander.</p>
<p>On a much more fundamental level, however, Cyber Command will fail to live up to the promise because it operates under a set of assumptions and theories that have yet to be proven as valid. Military metaphors are popular with those who comment about the hazards of and in cyberspace, but if we are fighting (or preparing to fight) in cyberspace, then what is the analog to “territory?” To adapt a phrase from the Infantry: “If they (your troops) are not there, you don’t own (have dominion over) it.” Shoehorning digital problems into familiar military constructs only makes the discussion easier; it may have little to do when it comes down to solving real, practical problems associated with conflict in the virtual world. In fact, it could be hampering our ability to move forward towards developing an environment that is both effective and safe.</p>
<p>And of what use is a “cyber” command if the physical underpinnings upon which it is premised are damaged or destroyed? Let’s not forget that the predominant nature of war is still putting steel on target (issues of form and scale notwithstanding). We may find that we’ve invested billions of dollars in an organization and capability that are rendered useless through the application of a kinetic solution that may have cost a few thousand dollars. Where is the corresponding investment in ensuring the physical security and technical resilience of the systems and networks we feel so compelled to “command?”</p>
<p>We don’t need a Cyber Command as much as we need a DOD Cyber Security Think Tank that could draw upon the knowledge and experience of existing scholars and practitioners – in and out of the government &#8211; to produce new, practical and effective solutions for operating securely online and dealing with threats in the information age. Such an entity could promulgate its guidance down through the existing command structure from the Office of the Secretary of Defense (the one DOD organization that can indeed grab people by the throat to make them comply). Harnessing and coordinating the power and output of the best minds available on pertinent topics, and in particular the peculiarities of using and securing information technology in the military, will yield better results than simply complicating an already confusing morass and perpetrating moat, wall, <a href="http://en.wikipedia.org/wiki/Front_line" target="_blank">FLOT, FEBA</a>, and “dominance”-type thinking that fails us today.</p>
<p><strong>This We Agree On</strong></p>
<p>The current state of affairs with regards to computer and information security in the DOD is unacceptable. Smart policy, secure-yet-functional procedures attuned to military operations, and strong authorities are essential if we are to ensure that information technology is a meaningful adjunct and force multiplier to physical military power. It would be a wonderful thing if Cyber Command were able to accomplish that mission, but if it does not, we should not hesitate to learn from our mistakes and quickly move on to a new construct or approach. Our adversaries in cyber space follow this model with great effect; why mess with something that works?</p>
<hr size="1" /><p>[1] “Active_FM &#8211; Army Doctrine and Training Publications.”</p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/07/pros-and-cons-cyber-command/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>A National Strategy for Trusted Identities in Cyberspace</title>
		<link>http://ctovision.com/2010/06/a-national-strategy-for-trusted-identities-in-cyberspace/</link>
		<comments>http://ctovision.com/2010/06/a-national-strategy-for-trusted-identities-in-cyberspace/#comments</comments>
		<pubDate>Sun, 27 Jun 2010 20:14:01 +0000</pubDate>
		<dc:creator>Bob Gourley</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Gov2.0]]></category>
		<category><![CDATA[federal government]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Tech/Internet]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2244</guid>
		<description><![CDATA[The White House has issued a draft for comment of a new National Strategy for Trusted Identities in Cyberspace. The strategy draft was introduced by Howard Schmidt in a White House blog: A National Strategy for Trusted Identities in Cyberspace Howard&#8217;s introduction included: &#8220;Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.&#8221; In a terrific move, the government is using the online social commenting structure of Ideascale.com to help enhance the dialog and comments on this draft.  You can see the way these comments are shaping up at:  www.nstic.ideascale.com I can tell this document has already been well staffed and according to the White House release over 4000 comments were received on previous versions.  I&#8217;m sorry to say I have not provided any input to date.  I&#8217;m not sure how many other techie types did either.  Maybe some of [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-medium wp-image-2245" style="margin: 4px;" title="howardschmidt" src="http://ctovision.com/wp-content/uploads/2010/06/howardschmidt-300x200.jpg" alt="" width="300" height="200" /></a>The White House has issued a draft for comment of a new National Strategy for Trusted Identities in Cyberspace.  The strategy draft was introduced by Howard Schmidt in a White House blog:  <a href="http://www.whitehouse.gov/blog/2010/06/25/national-strategy-trusted-identities-cyberspace?utm_source=related" target="_blank">A National Strategy for Trusted Identities in Cyberspace</a></p>
<p>Howard&#8217;s introduction included:</p>
<p>&#8220;Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.&#8221;</p>
<p>In a terrific move, the government is using the online social commenting structure of Ideascale.com to help enhance the dialog and comments on this draft.  You can see the way these comments are shaping up at:  <a href="http://www.nstic.ideascale.com">www.nstic.ideascale.com</a>. I can tell this document has already been well staffed, and according to the White House release over 4000 comments were received on previous versions.  I&#8217;m sorry to say I have not provided any input to date.  I&#8217;m not sure how many other techie types did either.  Maybe some of my heroes did, and I hope I don&#8217;t say anything below that offends them if they did.</p>
<p>I also offer some CTO-type context below.</p>
<p>One thing I noted right away was that the first seven pages were little more than justification.  This is a clear indication that the drafters understand that not everyone sees a need for significant action here.</p>
<p>After those seven pages, the core of the document dives into:</p>
<ul>
<li>Guiding Principles – Establishes the tenets that this Strategy must uphold in order to be successful. The Guiding Principles are necessary characteristics of the Identity Ecosystem.</li>
<li>Vision and Benefits – Presents the overarching vision the Strategy seeks to achieve along with the details of the Identity Ecosystem and the benefits for individuals, private sector, and Government.</li>
<li>Goals and Objectives – Defines what this Strategy intends to accomplish.</li>
<li>High Priority Action Plan – Introduces critical tasks that form the basis for realization of the Strategy Goals and Objectives.</li>
<li>Conclusion – Provides a high-level summary of the Strategy and a call to action for the public and private sectors.</li>
</ul>
<p>The following are some personal opinions on those elements of the strategy:</p>
<p><strong>Guiding Principles: </strong> This is perhaps the most important part of the document. I could certainly suggest re-wording a few, but that is not what is important here.  What is important is capturing the key principles, and I don&#8217;t disagree with any of these.  It is good to read them and clearly lots of thought was put into them.  I bet since this document has been widely staffed there is widespread agreement on these, but it is good to re-look principles, especially at the beginning of an effort like this. I hope dialog with citizens and academia and industry result in widespread acceptance.  Perhaps there will be other principles captured in this interaction with the populace, but I personally cannot think of any.</p>
<p><strong>Vision and Benefits:</strong> I&#8217;m sure on board with the vision, which is:  &#8220;Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.&#8221;    I&#8217;m sorry to report, however, the entire rest of this section is not so impressive, at least from the standpoint of someone who likes to see progress on big issues like this.  After introducing a vision the drafters immediately do a bit of a &#8220;bait and switch&#8221; and present ideas they seem to assert must be part of the solution, including a very detailed new vocabulary and a new approach for framing the future solution.   This might be a solution.  But there might be an infinite number of others.  So how do we know this is the optimal one?  What other options were considered?  Is this option based on science of any sort?  As a computer scientist I would like to know.</p>
<p>The strategy asserts that the vision will be accomplished by an ecosystem of three layers:  one for execution, one for management, and one for governance.   Each is then defined and new terms are proposed for each.  But my sense is there are many other possible frameworks and I don&#8217;t see the level of academic rigor or practitioner&#8217;s sense I would expect in a framework like this.  I want to see a framework written by masters of the art like Carnegie Mellon University&#8217;s Software Engineering Institute or the standards body OASIS.  Then I&#8217;ll feel that serious thought has been put into optimizing a workable way to implement the vision.</p>
<p>There is certainly thought and serious attention paid to use-cases in this section, but this is supposed to be a section on vision.</p>
<p>But the section was titled &#8220;vision and benefits,&#8221; which underscores again that the drafters are making a point of explaining why action is required.  Three pages of solid benefits I think most of us would like to see are captured in this section.  This is very useful to articulate and I hope the open dialog and comment period results in even more being captured.  But it seems to be a logical flaw to suggest that the only way these benefits will be obtained is by accepting the drafters&#8217; assertion that we must define an identity ecosystem the way it is written there.</p>
<p><strong>Goals and Objectives:</strong> In a logically flowing strategy, a vision will be an endstate and the goals will be those things that must be accomplished to ensure success in reaching that endstate.  Objectives contribute to achieving goals and will normally have responsible parties assigned and dates associated with when they must be completed.  I&#8217;ve already mentioned the long assertion in the vision section regarding a particular approach to an ecosystem, and that throws off the logic flow a bit.  If that section were removed, the logic would probably flow better and these goals would be in much better context.  So pretend you didn&#8217;t read that part.  Here are the four goals:</p>
<ul>
<li>Goal 1: Develop a comprehensive Identity Ecosystem Framework.</li>
<li>Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.</li>
<li>Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.</li>
<li>Goal 4: Ensure the long-term success of the Identity Ecosystem.</li>
</ul>
<p>I don&#8217;t see any huge problem with the goals as stated.  But the lens through which we will judge those goals is how well they help us accomplish the vision.  Remember the vision:   &#8220;Individuals and organizations utilize secure, efficient, easy to use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.&#8221;   Keep that in mind as you think of those goals.  Some of my comments are below:</p>
<p><strong>Goal 1: Develop a comprehensive Identity Ecosystem Framework.</strong></p>
<p>Wait a minute!  An identity ecosystem framework was already asserted in the vision section.  I think the goal can stand as it is but key objectives should include working with academia and the internet technology community (including standards boards) to coordinate enhanced identity management frameworks.  The goal should not be to just develop and build the framework asserted by the drafters of this strategy, in my opinion.  They have simply not provided any justification that their way has been thought out well enough. And with no justification they are not going to be able to compel the action required.  The internet standards community works in a way where logic, trust and compelling arguments are key and collaboration is the preferred means to developing standards.  I&#8217;ve seen no evidence of this occurring yet (although I have to admit it could have been, I can&#8217;t be everywhere at once!).   I have seen evidence of coordination with industry and industry bodies, but not with standards groups or academia.  I wonder about that.</p>
<p>So my issue is not the goal, but the means to get to it.  I want to see objectives that focus on the great centers of computer science in America, like our universities and standards bodies.</p>
<p><strong>Goal 2: Build and implement interoperable identity infrastructure aligned with the Identity Ecosystem Framework.</strong></p>
<p>This is a call for an infrastructure.  I have to support this.  I believe the nation needs to serve its citizens this way, like it did in serving us with canals, roads, interstate highways and other transportation systems.  I can&#8217;t say the objectives listed will guarantee success. There are only three objectives presented: one on continuing government leadership, one on promoting speed in deployment, and one on promoting broad use of solutions.  If we accomplish all three objectives do we have guaranteed success in the goal?  I don&#8217;t think so.  Seems like more work is required in this area.</p>
<p><strong>Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem.</strong></p>
<p>It is hard to argue with this goal.  Government is about service to citizens.  If this system is not for the use of citizens and if they do not trust it to enhance their privacy and economic and personal freedoms then it is doomed.   I&#8217;ll reserve judgement on the objectives for these goals.  They seem ok on their surface.</p>
<p><strong>Goal 4: Ensure the long-term success of the Identity Ecosystem.</strong></p>
<p>Finally we get into a goal and objectives which give a hat tip to the standards community.  This goal brings up very important points about the fact that the Internet is global and not owned by any one provider or commanded by any one country.  An objective is listed that calls for enhancing US participation in technical standards bodies. This is a great goal.  I would only say that participation requires engagement by very smart, educated participants because the way these bodies work is by people injecting good ideas and contributing to broadly understood goals.  They do not work by groups or even countries coming in and thinking they can command.  Every once in a while great corporations are able to muster the technical talent required to sway a standards body their way, but even then that is not a cake walk.  You must build compelling arguments.</p>
<p>Following the goals and objectives section is a section titled &#8220;Commitment to Action&#8221; which provides a list of nine high priority actions.   I think it would have been more sound and would have built a stronger argument if these had been in the goals and objectives section of the plan.  This reads like it is &#8220;goals and objectives part two.&#8221;   What was that goals and objectives section I just read?  Was that supposed to be just warming me up for the real actions?</p>
<p>Anyway, we seem to be finally getting into the meat of the document.  The nine actions seem like good things to do.  Who is against DNSSEC, IPSEC and PKI?   And who is against enhancing privacy?  This whole list is full of smart things like that.</p>
<p>The conclusion of the document says: &#8220;This Strategy provides a vision for how users, service providers, and other stakeholders can improve their use of digital identities in online transactions.&#8221;  As for me, I didn&#8217;t see that. I saw a good vision, but the document really lacks in the &#8220;how&#8221; department.  I also saw many good actions and some terrific context.  But it seems like much more work is needed before we can say this strategy provides a vision for &#8220;how&#8221; we can improve use of digital identities.  I think we can get there.  We can get there by tapping into the great thinkers who really know identity management.  The great computer science thought leaders from American academia and the standards bodies that make the Internet work.</p>
<p>Maybe the way ahead is to have the government coordinate the vision and principles and let the standards community come back with goals and objectives.  The government could facilitate that interaction and keep it on track.  But my sense is from reading this document the government&#8217;s role should not be to assert they know the answer, yet.</p>
<p>I&#8217;m not asking that the government go back to the drawing board.  In fact, I&#8217;d like to see things move faster and would like to see some new ideas injected into the process.</p>
<p>Here is one that might help.  Since many folks (like me) can criticize but few can truly produce workable ideas that scale, why not pull together a venue of the greatest minds in technology and issue the challenge to them?  If the government has a compelling vision I think this could be done.   I would start with the list of <a href="http://en.wikipedia.org/wiki/Turing_Award" target="_blank">Turing award winners</a>, then add in the deans of computer science from our greatest academic institutions.  The result: a body that knows technology will be informing and guiding the strategy.  When combined with the great leadership of professionals from government and the continued contributions from industry, this could be the winning approach.</p>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/06/a-national-strategy-for-trusted-identities-in-cyberspace/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>CTO Perspectives on Cyber Security Bill</title>
		<link>http://ctovision.com/2010/06/cto-perspectives-on-cyber-security-bill-of-the-us-senate-homeland-security-and-governmental-affairs-comittee/</link>
		<comments>http://ctovision.com/2010/06/cto-perspectives-on-cyber-security-bill-of-the-us-senate-homeland-security-and-governmental-affairs-comittee/#comments</comments>
		<pubDate>Sat, 12 Jun 2010 18:56:54 +0000</pubDate>
		<dc:creator>BobGourley</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Gov2.0]]></category>
		<category><![CDATA[CCSA]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[federal government]]></category>
		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=2205</guid>
		<description><![CDATA[On June 10, 2010, the US Senate Homeland Security and Governmental Affairs Committee (HSGAC) unveiled a major cybersecurity bill designed to modernize, strengthen, and coordinate US Cyber defenses. Senators Collins, Carper and Lieberman introduced this bill with the clear articulation to defend not just federal networks but the Internet itself.  A portion of the announcement recorded by TalkRadioNews is below: The bill itself is named the &#8220;Protecting Cyberspace as a National Asset Act of 2010.&#8221; It creates an Office of Cyber Policy in the White House with a director accountable to the public to lead all federal cyberspace efforts and devise national cyberspace strategy.  It also creates a National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, to enforce cybersecurity policies through the government and even the private sector. Some key aspects of this Bill, from the site of the HSGAC: Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com"><img class="alignleft size-full wp-image-2206" style="margin: 4px;" title="hsgac-liberman-collins" src="http://ctovision.com/wp-content/uploads/2010/06/hsgac-liberman-collins.jpg" alt="" width="223" height="128" /></a>On June 10, 2010, the US Senate Homeland Security and Governmental Affairs Committee (HSGAC) unveiled a major cybersecurity bill designed to modernize, strengthen, and coordinate US Cyber defenses.</p>
<p>Senators Collins, Carper and Lieberman introduced this bill with the clear articulation to defend not just federal networks but the Internet itself.  A portion of the announcement recorded by TalkRadioNews is below:<br />
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="385" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/DhZlESsqaqk&amp;hl=en_US&amp;fs=1&amp;" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="480" height="385" src="http://www.youtube.com/v/DhZlESsqaqk&amp;hl=en_US&amp;fs=1&amp;" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>The bill itself is named the &#8220;Protecting Cyberspace as a National Asset Act of 2010.&#8221;</p>
<p>It creates an Office of Cyber Policy in the White House with a director accountable to the public to lead all federal cyberspace efforts and devise national cyberspace strategy.  It also creates a National Center for Cybersecurity and Communications within the Department of Homeland Security, also led by a director accountable to the public, to enforce cybersecurity policies through the government and even the private sector.</p>
<p><strong>Some key aspects of this Bill, from the site of the </strong><a href="http://hsgac.senate.gov/public/index.cfm?FuseAction=Press.MajorityNews&amp;ContentRecord_id=227d9e1e-5056-8059-765f-2239d301fb7f" target="_blank"><strong>HSGAC</strong></a><strong>:</strong></p>
<ol>
<li>Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic.  The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.</li>
<li>Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cyber security capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks.  The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.</li>
<li>Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies’ practices of protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.</li>
<li>Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.</li>
<li>Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks.  The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements. Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them.  The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.</li>
<li>Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.</li>
<li>Requiring the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.</li>
</ol>
<p><strong>Now some analysis:</strong></p>
<ol>
<li>By ensuring the White House will have a Senate-confirmed Director, it will help underscore for the executive branch that this issue should be taken a bit more seriously.  Sounds like a prudent thing for the Congress to do.</li>
<li>Creating a National Center for Cybersecurity and Communications (NCCC) in DHS with a leader also confirmed by the Senate sends a similar message, but it also empowers an individual and group to do something that no one has been authorized to do before (at least no one under the rank of President). This office will have authority to lead across government.  As a CTO with enterprise experience I respect this kind of position.  I am convinced you cannot defend large enterprises without the smart application of both central authority and decentralized action.  If you try with either of those missing you fail.  I am not worried about too much technical authority being drawn into one location; there are too many forces at play to keep that power from being abused and, if the person and staff are picked carefully, they will avoid making decisions that impact missions in a negative way.  Notice I have caveated my opinion here.  The nation must choose wisely and put a very smart technology leader in this position: someone who can enforce the right standards and give direction when required but can back off and let agency IT leaders run things when required.  That person must be smart enough to know when and how to decide what to decide about.</li>
<li>Updating FISMA is long overdue.  Moving towards real-time monitoring is GREAT!  It is the only way I know of to move towards enhancing <a href="http://ctovision.com/2009/02/enhancing-security-and-functionality-at-the-same-time/">both security and functionality at the same time</a>.</li>
<li>Naming the NCCC as the focal point for coordination with the federal sector is also a solid move.  It goes without saying, but the NCCC should be staffed and led by very savvy, very social, very action-oriented people.  Without social leaders with high emotional intelligence we stand the risk of getting what we have always gotten here.</li>
<li>As a CTO, I applaud the measures this Bill describes for removing artificial impediments to information sharing.  Government and industry need trust-based relationships and unfortunately too many laws and behaviors that flow from those laws, like FOIA, have damaged those relationships.  Addressing them head on is the right thing to do.  Technologically there are few issues here.  Issues are in policy and the Bill seems to do a good job at addressing some big ones.</li>
<li>Development of a comprehensive supply chain management strategy is another great goal I am glad to see.  There has been a great deal of action lately in establishing coordination mechanisms with senior IT leadership in the country and I believe this will serve as a good foundation for development of a strategy like this.</li>
<li>The human side of technology is one that also needs significant attention and it is good seeing the Bill address this head-on by requiring OPM to reform the way the government leads cyber security personnel.</li>
</ol>
<p><strong>Some concluding thoughts:</strong></p>
<ul>
<li>I wish I would have raised another issue with the staffers.  I feel bad about this, but I have something I would like to add to the Bill.  I guess I&#8217;m too late, but maybe I can get my input to the SSCI or HPSCI instead.  I want to suggest that the US Intelligence Community be tasked with providing a detailed yearly cyber intelligence threat assessment  for unclassified dissemination. The IC does a good job of providing some counterintelligence assessments and frequently mentions cyber in open fora like Congressional Testimony, but I believe this issue deserves a focused, NIE-like report dedicated to this topic.  Of course the IC should also be tasked with support to the NCCC.</li>
<li>I found the Bill was full of smart information coordination and information sharing language and constructs.</li>
<li>The great work of folks at NSA, <a href="http://ctovision.com/2010/05/intelligence-community-executive-forum/">Cyber Command</a> (including legacy organizations like JTF-GNO and JFCC-NW), STRATCOM, DHS, NCICC, US CERT, FBI, DC3 and many others must continue and I believe the language in this bill is very respectful of the great work that these groups have been doing.</li>
<li>I wonder who the first CTO of the NCCC will be?  That is going to be one cool job!</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/06/cto-perspectives-on-cyber-security-bill-of-the-us-senate-homeland-security-and-governmental-affairs-comittee/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Intelligence Community Executive Forum on Cyber Operations</title>
		<link>http://ctovision.com/2010/05/intelligence-community-executive-forum/</link>
		<comments>http://ctovision.com/2010/05/intelligence-community-executive-forum/#comments</comments>
		<pubDate>Fri, 14 May 2010 01:24:23 +0000</pubDate>
		<dc:creator>BobGourley</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[CCSA]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Cyber Command]]></category>
		<category><![CDATA[DIA]]></category>
		<category><![CDATA[DNI]]></category>
		<category><![CDATA[federal government]]></category>
		<category><![CDATA[innovation]]></category>
		<category><![CDATA[R&D]]></category>
		<category><![CDATA[Technology Leadership]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=1969</guid>
		<description><![CDATA[Carahsoft is a unique, trusted firm that helps government find and rapidly acquire the right technologies and helps high tech firms successfully interact with government (which has famously onerous processes for businesses that want to serve the federal mission).  Carahsoft is a client of my firm and one of the things I&#8217;m particularly proud about is their sponsorship of venues where government and industry tech leaders can interact together.  One venue of note is a series they coordinate called the Intelligence Community Executive Forum. This periodic event focuses on executives from the IC and the industry companies around the IC.  Today&#8217;s session of the ICEF focused on industry and commercial technologies addressing the Comprehensive National Cybersecurity Initiative. It is hard to capture the content of a venue like this.  Its true value comes from the dynamic interactions and high data rate conversations that take place throughout.  But I thought I should try to provide some gist of what happened so you can determine whether or not you should participate in future venues like this. Give the agenda below a quick glance then I&#8217;ll add some additional context: Agenda: 7:30am &#8211; 8:00am Registration &#38; Breakfast 8:00am &#8211; 9:00am Welcome and Morning [...]


]]></description>
			<content:encoded><![CDATA[
<p><a href="http://carahsoft.com" target="_blank">Carahsoft</a> is a unique, trusted firm that helps government find and rapidly acquire the right technologies and helps high tech firms successfully interact with government (which has famously onerous processes for businesses that want to serve the federal mission).  Carahsoft is a client of <a href="http://crucialpointllc.com" target="_blank">my firm</a> and one of the things I&#8217;m particularly proud about is their sponsorship of venues where government and industry tech leaders can interact together.  One venue of note is a series they coordinate called the <a href="http://www.carahsoft.com/event-detail/402/bg/" target="_blank">Intelligence Community Executive Forum</a>.</p>
<p>This periodic event focuses on executives from the IC and the industry companies around the IC.  Today&#8217;s session of the ICEF focused on industry and commercial technologies addressing the Comprehensive National Cybersecurity Initiative.</p>
<p>It is hard to capture the content of a venue like this.  Its true value comes from the dynamic interactions and high data rate conversations that take place throughout.  But I thought I should try to provide some gist of what happened so you can determine whether or not you should participate in future venues like this. Give the agenda below a quick glance then I&#8217;ll add some additional context:</p>
<p><span style="font-size: small;"><strong>Agenda:</strong></span></p>
<table border="1" cellspacing="0" cellpadding="6" bordercolor="#404040">
<tbody>
<tr>
<td width="120" align="center" bgcolor="#d3d3d3"><strong>7:30am &#8211;  8:00am</strong></td>
<td><strong>Registration &amp; Breakfast</strong></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>8:00am &#8211; 9:00am</strong></td>
<td><strong>Welcome and Morning Keynote</strong><br />
<strong><em>Don Boian, Technical Director, J3 Consolidated  JFCC-NW/JTF-GNO Staff</em></strong></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>9:00am &#8211; 9:45am</strong></td>
<td><strong>Information Overload and Situational Awareness</strong><br />
<strong>Moderator:</strong> <a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Landolf">Francis  Landolf</a>, <em>Principal, Core Consulting, LLC</em><br />
<strong>Government Panelist:</strong><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Ramsay">Sherri  Ramsay</a>, <em>Director of the NTOC (NSA Threat Operations Center)</em><br />
<strong>Industry Panelists:</strong><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Breissinger">Marc  Breissinger</a>, <em>Executive Vice President, Composite Software</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Frutchey">Brian  Frutchey</a>, <em>Federal Subject Matter Expert, Endeca</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Griffith">Kevin  Griffith</a>, <em>District Manager, DOD and Intelligence, Informatica</em></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>9:45am-10:30am</strong></td>
<td><strong>Information Sharing and Collaboration for Cyber Operations</strong><br />
<strong>Moderator:</strong> <a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Landolf">Francis  Landolf</a>, <em>Principal, Core Consulting, LLC</em><br />
<strong>Government Panelist:</strong><br />
Jim Bieda, <em>Deputy Chief Technology Officer, NSA</em><br />
<strong>Industry Panelists:</strong><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Kovach">Jim  Kovach</a>, <em>Director of Federal Operations, Jive</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Pianta">Dean  Pianta</a>, <em>CTO</em>, <em>EnvolveMEDIA LLC (formerly with Adobe)</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Cardwell">Rob  Cardwell</a>, <em>Vice President Middleware Technology, Red Hat</em></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>10:30am  &#8211; 11:15am</strong></td>
<td><strong>Securing the Cloud</strong><br />
<strong>Moderator:</strong> <a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Gourley">Bob  Gourley</a>, <em>Founder and CTO, Crucial Point LLC and editor of  CTOvision.com</em><br />
<strong>Government Panelists:</strong><br />
Robert Vietmeyer, <em>Director, Forge.mil, DISA</em><br />
<strong>Industry Panelists:</strong><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Trentley">Fran  Trentley</a>, <em>Senior Service Line Director, Akamai</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Randell">Rob  Randell</a>, <em>Senior Security and Compliance Specialist, VMware</em><br />
Dr. Steven Armentrout, <em>Founder and CEO, Parabon</em></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>11:15am &#8211; 12:00pm</strong></td>
<td><strong>Networking Break and Exhibits</strong></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>12:00pm &#8211; 1:00pm</strong></td>
<td><strong>Lunch Keynote</strong><br />
Tony Sager, <em>Chief of Vulnerability Analysis and Operations, NSA</em></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>1:00pm &#8211; 1:45pm</strong></td>
<td><strong>Efficiently Automating Security with Industry Best  Practices and Tools</strong><br />
<strong>Moderator:</strong> <a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Gourley">Bob  Gourley</a>, <em>Founder and CTO, Crucial Point LLC and editor of  CTOvision.com</em><br />
<strong>Government Panelist:<br />
</strong>Dr. Ted Kircher, <em>Chief Architect, NSA Threat Operations  Center</em><br />
<strong>Industry Panelists:</strong><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Cahill">Doug  Cahill</a>, <em>Vice President of Corporate Development and Product  Management, Bit9</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Unterberger">Fred  Unterberger</a>,  <em>Senior Manager, Sales Engineering, Symantec</em><br />
<a href="http://www.intelligencecommunityexecutiveforum.com/speakers.php#Hecker">Frank  Hecker</a>, <em>Federal Sales Engineer, IronKey</em></td>
</tr>
<tr>
<td align="center" bgcolor="#d3d3d3"><strong>1:45pm &#8211; 2:00pm</strong></td>
<td><strong>Q+A Session and Closing</strong></td>
</tr>
</tbody>
</table>
<p>During breaks several sponsors were providing demos and additional information on their technology including:</p>
<p><a href="http://ctovision.com/wp-content/uploads/2010/05/ICEFsponsors.jpg"></a><a href="http://ctovision.com"><img class="aligncenter size-full wp-image-1971" title="ICEFsponsors" src="http://ctovision.com/wp-content/uploads/2010/05/ICEFsponsors1.jpg" alt="" width="735" height="228" /></a><br />
<strong>A quick gist:</strong></p>
<p>Don Boian of Cyber Command provided great context and a good kickoff to dialog.  Then throughout the event, cyber thought leaders in and out of government discussed the state of current technologies and current mission needs in cyber-focused organizations.  Some of these mission needs are truly enduring.  For example, the need for defense in depth as a strategy and approach vice just point solutions.  But today, defense in depth is not enough.  Adversaries always find a way in and defenders must continuously monitor and prepare for remedial action.  With the incredibly high volumes of data and information around those intrusions, new means must be found to gain insights into what is occurring and then determine the appropriate action to take.  This must be done so fast that new operational constructs around &#8220;dynamic defense&#8221; are required.  Defenders require capabilities that can increase the speed of good guy decision-making.  There must be speed in vulnerability detection, speed in intrusion detection, speed in decision-making and speed in execution.  Cyber Command defenders use the phrase &#8220;operate at network speeds.&#8221;</p>
<p>Another common theme throughout the event was a call for enhanced situational awareness in the cyber domain. The bad news is that call has been made for decades now.  There has been movement in enhancing situational awareness, but nothing yet fills the need.  More work is required.</p>
<p>Another theme was the need to enable humans to interact with data in far better, far faster ways.  Cyber data needs to be rapidly run through automated tools that can enable not just search but discovery using tools like Endeca.</p>
<p>Collaboration for cyber-related commands and organizations is another area where many enhancements have been made lately.  In a very good trend, it seems most organizations working cyber defense/cyber operations now know of each other and have frequent interactions.  There is more need for enhanced human-to-human collaboration and even enterprise-grade social networking/social media around cyber defense as an aid to bringing the right understanding to situations.  A capability to watch here is Jive.</p>
<p>It is not only network defenders that need collaborative capabilities.  Developers of software and those that lead/manage/interact with them, including users, need ways to collaborate.  The ICEF was treated to an overview of a very positive capability to do that, the DISA-led Forge.mil.  In my opinion, the positive disruptions from this activity have just begun; far more goodness will come from this project as more and more developers make use of it.  It is speeding development of new capabilities and is also laying the foundation of what may be the biggest positive improvement in the security and testing environment in years.</p>
<p>The security aspects of Cloud Computing were discussed in detail.  A general statement: If security is engineered into cloud computing capabilities, cloud concepts can significantly enhance the security of enterprises.  However, the reverse is also true.  If security is neglected in cloud constructs it can doom us all!</p>
<p>The ICEF was treated to an interaction with Tony Sager, one of the nation&#8217;s greatest thinkers in cyber security. Tony&#8217;s ability to express technological concepts in ways we can all understand is always appreciated.  A key conclusion from Tony: we are entering a phase in cyber defense that will require enhanced information management.   Note:  Tony provided us all with context on some very important concepts that all network defenders should be tracking: SCAP, NVD and FDCC.   My personal sense from the interaction was that most in the venue who work closely with security technology knew of these constructs; however, it is getting to the point where all IT professionals and all leaders in and out of government need to know these capabilities, even if you are not a security professional.  So, a recommendation:  accept it as your civic duty to study up on <a href="http://scap.nist.gov/" target="_blank">SCAP</a>, <a href="http://nvd.nist.gov/" target="_blank">NVD</a> and <a href="http://nvd.nist.gov/fdcc/index.cfm" target="_blank">FDCC</a>.</p>
<p>Other speakers, including Dr. Ted Kircher, Chief Architect of the NSA Threat Operations Center, underscored again the need for new means to conduct high-speed assessment of the right data from defensive devices.  Ted, like everyone else who spoke, also ensured we all knew the collaborative nature of the work in front of us all.</p>
<p>For the many people I heard from, this was a day well spent, a time to reflect on progress and to think through the next priorities to address.  There are some huge challenges that confront cyber defenders, but with new organizational constructs and new focus being placed on the mission these challenges are certainly achievable.  Some might still look impossible, but hey, like Walt Disney said, &#8220;It&#8217;s kind of fun to do the impossible.&#8221;</p>

<div class="sociable">
<ul>
	<li><a rel="nofollow"  target="_blank" href="http://www.stumbleupon.com/submit?url=http%3A%2F%2Fctovision.com%2F2010%2F05%2Fintelligence-community-executive-forum%2F&amp;title=Intelligence%20Community%20Executive%20Forum%20on%20Cyber%20Operations" title="StumbleUpon"><img src="http://ctovision.com/wp-content/plugins/sociable/images/stumbleupon.png" title="StumbleUpon" alt="StumbleUpon" class="sociable-hovers" /></a></li>
	<li><a rel="nofollow"  target="_blank" href="http://www.linkedin.com/shareArticle?mini=true&amp;url=http%3A%2F%2Fctovision.com%2F2010%2F05%2Fintelligence-community-executive-forum%2F&amp;title=Intelligence%20Community%20Executive%20Forum%20on%20Cyber%20Operations&amp;source=CTOvision.com+Enterprise+IT%2C+Gadgets%2C+Cloud+Computing%2C+Disruptive+IT.&amp;summary=Carahsoft%20is%20a%20unique%2C%20trusted%20firm%20that%20helps%20government%20find%20and%20rapidly%20acquire%20the%20right%20technologies%20and%20helps%20high%20tech%20firms%20successfully%20interact%20with%20government%20%28which%20has%20famously%20onerous%20processes%20for%20businesses%20that%20want%20to%20serve%20the%20fede" title="LinkedIn"><img src="http://ctovision.com/wp-content/plugins/sociable/images/linkedin.png" title="LinkedIn" alt="LinkedIn" class="sociable-hovers" /></a></li>
	<li><a rel="nofollow"  target="_blank" href="http://twitter.com/home?status=Intelligence%20Community%20Executive%20Forum%20on%20Cyber%20Operations%20-%20http%3A%2F%2Fctovision.com%2F2010%2F05%2Fintelligence-community-executive-forum%2F" title="Twitter"><img src="http://ctovision.com/wp-content/plugins/sociable/images/twitter.png" title="Twitter" alt="Twitter" class="sociable-hovers" /></a></li>
	<li><a rel="nofollow"  href="javascript:AddToFavorites();" title="Add to favorites"><img src="http://ctovision.com/wp-content/plugins/sociable/images/addtofavorites.png" title="Add to favorites" alt="Add to favorites" class="sociable-hovers" /></a></li>
	<li><a rel="nofollow"  target="_blank" href="http://digg.com/submit?phase=2&amp;url=http%3A%2F%2Fctovision.com%2F2010%2F05%2Fintelligence-community-executive-forum%2F&amp;title=Intelligence%20Community%20Executive%20Forum%20on%20Cyber%20Operations&amp;bodytext=Carahsoft%20is%20a%20unique%2C%20trusted%20firm%20that%20helps%20government%20find%20and%20rapidly%20acquire%20the%20right%20technologies%20and%20helps%20high%20tech%20firms%20successfully%20interact%20with%20government%20%28which%20has%20famously%20onerous%20processes%20for%20businesses%20that%20want%20to%20serve%20the%20fede" title="Digg"><img src="http://ctovision.com/wp-content/plugins/sociable/images/digg.png" title="Digg" alt="Digg" class="sociable-hovers" /></a></li>
	<li class="sociablelast"><a rel="nofollow"  target="_blank" href="http://buzz.yahoo.com/submit/?submitUrl=http%3A%2F%2Fctovision.com%2F2010%2F05%2Fintelligence-community-executive-forum%2F&amp;submitHeadline=Intelligence%20Community%20Executive%20Forum%20on%20Cyber%20Operations&amp;submitSummary=Carahsoft%20is%20a%20unique%2C%20trusted%20firm%20that%20helps%20government%20find%20and%20rapidly%20acquire%20the%20right%20technologies%20and%20helps%20high%20tech%20firms%20successfully%20interact%20with%20government%20%28which%20has%20famously%20onerous%20processes%20for%20businesses%20that%20want%20to%20serve%20the%20fede&amp;submitCategory=science&amp;submitAssetType=text" title="Yahoo! Buzz"><img src="http://ctovision.com/wp-content/plugins/sociable/images/yahoobuzz.png" title="Yahoo! Buzz" alt="Yahoo! Buzz" class="sociable-hovers" /></a></li>
</ul>
</div>


<p>Related posts:<ol><li><a href='http://ctovision.com/2009/02/intelligence-community-executive-forum-and-carahsoft/' rel='bookmark' title='Permanent Link: Intelligence Community Executive Forum and Carahsoft'>Intelligence Community Executive Forum and Carahsoft</a></li>
<li><a href='http://ctovision.com/2008/10/melissa-hathaway-op-ed-on-cyber-security/' rel='bookmark' title='Permanent Link: Melissa Hathaway Op-Ed on Cyber Security'>Melissa Hathaway Op-Ed on Cyber Security</a></li>
<li><a href='http://ctovision.com/2009/05/melissa-hathaway-speaks-at-intelligence-and-national-security-alliance/' rel='bookmark' title='Permanent Link: Melissa Hathaway speaks at Intelligence and National Security Alliance'>Melissa Hathaway speaks at Intelligence and National Security Alliance</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/05/intelligence-community-executive-forum/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Invincea Browser Protection Eliminates Web2.0 Security Risks</title>
		<link>http://ctovision.com/2010/04/invincea-browser-protection-eliminates-web2-0-security-risks/</link>
		<comments>http://ctovision.com/2010/04/invincea-browser-protection-eliminates-web2-0-security-risks/#comments</comments>
		<pubDate>Tue, 27 Apr 2010 13:17:14 +0000</pubDate>
		<dc:creator>BobGourley</dc:creator>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://ctovision.com/?p=1939</guid>
		<description><![CDATA[I&#8217;m excited to be part of a great new company called Invincea.  They have appointed me to their advisory board along with Bob Flores and Gary McGraw. So I&#8217;d like to take the opportunity to provide you with some background on why Invincea is going to be a game changer in the industry. Invincea plugs a major entry point of malicious code into the enterprise.  It stops web-borne attacks.  Most attacks against enterprises come via web browsers.  And most of those attacks are things that cannot be stopped by guards and gateways and legacy anti-virus programs.  Many web-borne attacks come through very crafty insertion of malicious code in websites, and most of those (71%) come from websites that your enterprise thinks are legit to use but have been hacked, so legacy guards that try to block bad sites with access control lists do nothing to stop them. Invincea provides a fully-virtualized browser solution that runs your browser in its own virtual environment separate from the desktop operating system.  The result: the desktop operating system is protected from all web-borne threats. From the Invincea website: Web-borne threats are up 225 percent. Stealth malware lurks within legitimate sites, poised to attack through [...]


Related posts:<ol><li><a href='http://ctovision.com/2010/07/enhance-your-security-posture/' rel='bookmark' title='Permanent Link: Enhance your security posture'>Enhance your security posture</a></li>
<li><a href='http://ctovision.com/2010/01/current-internet-explorer-security-flaw-even-worse-than-usual-ones-use-firefox-or-chrome/' rel='bookmark' title='Permanent Link: Current Internet Explorer security flaw even worse than usual ones: Use Firefox or Chrome'>Current Internet Explorer security flaw even worse than usual ones: Use Firefox or Chrome</a></li>
<li><a href='http://ctovision.com/2008/03/computer-security-a-change-to-the-net-assessment/' rel='bookmark' title='Permanent Link: Computer Security: a change to the net assessment'>Computer Security: a change to the net assessment</a></li>
</ol>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ctovision.com/wp-content/uploads/2010/04/invincea3.jpg"><img class="alignleft size-full wp-image-1950" title="invincea3" src="http://ctovision.com/wp-content/uploads/2010/04/invincea3.jpg" alt="" width="208" height="172" /></a>I&#8217;m excited to be part of a great new company called <a href="http://www.invincea.com/" target="_blank">Invincea</a>.  They  have appointed me to their advisory board along with <a href="http://www.invincea.com/index.php?/company/advisory_board/#1" target="_blank">Bob Flores</a> and <a href="http://www.invincea.com/index.php?/company/advisory_board/#3" target="_blank">Gary  McGraw</a>.</p>
<p>So I&#8217;d like to take the opportunity to provide you with some background on  why Invincea is going to be a game changer in the industry.</p>
<p>Invincea plugs a major entry point of malicious code into the enterprise.  It stops web-borne attacks.  Most attacks against enterprises come via web browsers.  And most of those attacks are things that cannot be stopped by guards and gateways and legacy anti-virus programs.  Many web-borne attacks come through very crafty insertion of malicious code in websites, and most of those (71%) come from websites that your enterprise thinks are legit to use but have been hacked, so legacy guards that try to block bad sites with access control lists do nothing to stop them.</p>
<p>Invincea provides a  fully-virtualized browser solution that runs your browser in its own  virtual environment separate from the desktop operating system.  The  result: the desktop operating system is protected from all web-borne  threats.</p>
<p><strong>From the Invincea website:</strong></p>
<p style="padding-left: 30px;">Web-borne threats  are up 225 percent. Stealth malware lurks within legitimate sites,  poised to attack through browsers.</p>
<p style="padding-left: 30px;">Browser-Based Threats: The  majority of today’s Web-based malware attacks enter an organization  through the browser. Some are blatant—a user is tricked into downloading  and opening a file containing malware that then installs on the PC.  However, the greatest threat comes from malware that lurks within  legitimate Web and social media sites.</p>
<p style="padding-left: 30px;">Explosive Proliferation:  According to Websense Labs, the number of malicious Web sites grew 225  percent in the second half of 2009, and 71 percent of which are  legitimate sites that have been compromised. According to PandaLabs,  more than 25 million new strains of malware were created in 2009 –  that’s more than all the malware created over the past 20 years  combined.</p>
<p style="padding-left: 30px;">Increasingly Sophisticated Attacks: New strains of  Web-based malware utilize stealth installation, also known as Drive-By  Downloads, Zero-Day Attacks and Advanced Persistent Threats to exploit  flaws in the browser and allow the malicious agent into a PC unbeknownst  to the user. Whether blatant or stealth, malware can expose vital  business resources and information to untrusted networks via the simple  and necessary activity of Web browsing.</p>
<p style="padding-left: 30px;">Invincea™ Browser  Protection enables users to knock out sophisticated Web-borne threats –  in real time.</p>
<p style="padding-left: 30px;">Invincea™ Browser Protection shields PC users  against all types of Web-borne threats by seamlessly moving desktop Web  browsers into a controlled virtual environment.</p>
<p style="padding-left: 30px;">Exceptional  Protection: Invincea provides a fully isolated browser environment to  maximize PC protection. It automatically detects and terminates a threat  in real time, disposes of the tainted environment, and restarts a  pristine one.</p>
<p style="padding-left: 30px;">Signature-Free Detection: Unlike other solutions,  Invincea does not rely on malware signatures for detection, nor does it  rely on users to make correct security decisions. Instead, it  automatically identifies malware attacks based on behaviors and actions  inside a controlled environment.</p>
<p style="padding-left: 30px;">Easy to Use &amp; Deploy: The  Invincea secure browsing environment has the same look and feel as your  unprotected browser, with no difference in use and negligible PC  performance impact. Invincea Browser Protection can be easily  distributed and updated using your existing desktop management system.</p>
<p style="padding-left: 30px;">Forensic  Intelligence: Invincea captures actual, real-time malware attack  details that can be used to bolster other security devices.</p>
<p>If you are concerned with web-borne attacks I hope this grabs your attention.  See <a href="http://invincea.com" target="_blank">http://invincea.com</a> for more info.  I also recommend you review and consume their blog at <a href="http://www.invincea.com/wordpress" target="_blank">http://www.invincea.com/wordpress</a>.  We are also tracking Invincea on our new compatriot site <a href="http://ctolabs.com" target="_blank">http://ctolabs.com</a>, a place we will talk more about in the future.</p>
<p>More  later,<br />
Bob</p>



<p>Related posts:<ol><li><a href='http://ctovision.com/2010/07/enhance-your-security-posture/' rel='bookmark' title='Permanent Link: Enhance your security posture'>Enhance your security posture</a></li>
<li><a href='http://ctovision.com/2010/01/current-internet-explorer-security-flaw-even-worse-than-usual-ones-use-firefox-or-chrome/' rel='bookmark' title='Permanent Link: Current Internet Explorer security flaw even worse than usual ones: Use Firefox or Chrome'>Current Internet Explorer security flaw even worse than usual ones: Use Firefox or Chrome</a></li>
<li><a href='http://ctovision.com/2008/03/computer-security-a-change-to-the-net-assessment/' rel='bookmark' title='Permanent Link: Computer Security: a change to the net assessment'>Computer Security: a change to the net assessment</a></li>
</ol></p>]]></content:encoded>
			<wfw:commentRss>http://ctovision.com/2010/04/invincea-browser-protection-eliminates-web2-0-security-risks/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
