The Wall Street Journal just ran an article titled:  “New Military Command to Focus on Cybersecurity.”   In it they indicate “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and improve US offensive capabilities in cyberwar.

WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.

My opinion:  This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”

The WSJ article is in consonance with what is going on and what should be going on.  I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required).  And all players need to work well with industry and allies in a coordinated, fast moving way.

What does this mean for enterprise technologists?  For the most part it is good news.  But for day to day security operations in most enterprises, the relationships you have with other organizations will remain the same as before– for now.   And the current body of best practices remains in place.  You still need to understand and implement and follow the Common Audit Guidelines, for example.  Doing that is going to help you and will help others too.

You may also like -

GovSec conference is March 29-31 2011Pros and Cons: Cyber CommandIntelligence Community Executive Forum on Cyber OperationsDefense bill passes after lengthy debateCrucialPointLLCCybersecurity Workforce FrameworkCrucialPointLLCPentagon CIO’s Tech Revamp: 4 PrioritiesCrucialPointLLCLeadership changes in DoD IT, logistics, cyberCrucialPointLLCHomeland Security Committee Unveils Cybersecurity BillBob Gourley

Have you ever been sucked into the false debate over how much IT spending should be spent on security?  I used to all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old school formula may well be part of the reason we got into the mess we are currently in.  It contributes to thoughts that lead you to think security can be separated.  By my way of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT.   I try whenever possible to use the term security and functionality in the same context just to underscore that point.

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this ways also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for the need for metrics in security and functionality.  For functionality there are many customer focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  Detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security  experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

1. Inventory of Authorized and Unauthorized Hardware.
2. Inventory of Authorized and Unauthorized Software.
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4. Secure Configurations of Network Devices Such as Firewalls and Routers.
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

1. Secure Network Engineering
2. Red Team Exercises
3. Incident Response Capability
4. Data Recovery Capability
5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said
Alan Paller, director of research at the SANS Institute.  “The team that was
brought together represents the nation’s most complete understanding of
the risk faced by our systems. In the past cybersecurity was driven by
people who had no clue of how the attacks are carried out. They created an
illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

A debate has been running for months both among government thought leaders and the technical literati on whether or not the US should appoint a “Cyber Czar” who can exert authority over IT security in the federal space or perhaps even aspects of the nation’s IT defenses.  This is a complex discussion that has had some of the greatest thinkers in and out of government involved.   A great snapshot of issues and the opinions of many well reasoned experts are expressed in the CSIS report “Securing Cyberspace for the 44th Presidency” and other thoughts are here: The Future of Cyber Security and here: Threats In the Age of Obama .

Unfortunately for those who would like to still debate and discuss this issue, there is already a Cyber Czar who can accomplish most all his objectives in our networks.  His name is Russian Prime Minister Vladimir Putin.  This former KGB operative now controls Russia with an iron fist and has shown others again and again he will exert influence anywhere he needs to in order to accomplish his objectives.  He will use tanks when required and cyber when desired and combinations when it suits him.  There are indications his agents are also in our networks now.  If our objectives are to keep players like him out, we cannot say we are accomplishing them.  If his objectives are to get in, then we can say he is accomplishing them.  Till this situation changes, we need to confront then this new reality:  Vladimir Putin is the Cyber Czar.

We have our own great technologists and wizards of cyber, of course. And we have great hero entrepreneurs of technology who have built the cyber world we all use today.  One of those greats is Michael Dell, creator of an idea and corporation that develops, manufactures, sells and distributes personal computers we all depend on.

But he is someone who will now think twice before thinking he can interact as a peer to Cyber Czar Putin.  After listening to Putin’s speech at the World Economic Forum in Davos, Michael Dell praised Russia’s technical and scientific prowess and asked a nice, friendly question:  “How can we help.”  As a former govie CTO I would get asked that type of question all the time from industry and really appreciated it whenever a senior thought leader would ask that.  But not Czar Putin.  He did not appreciate that at all.   Putin was offended by the assertion that the mighty Russia might need help in anything Cyber. The exchange is captured here on YouTube:

Fortune: described the exchange this way:

“Putin’s withering reply to Dell: “We don’t need help. We are not invalids. We don’t have limited mental capacity.” The slapdown took many of the people in the audience by surprise. Putin then went on to outline some of the steps the Russian government has taken to wire up the country, including remote villages in Siberia. And, in a final dig at Dell, he talked about how Russian scientists were rightly respected not for their hardware, but for their software. The implication: Any old fool can build a PC outfit.”

Clearly cyber domination is personal with Putin.  He is the Cyber Czar.

I think I should end with a plea to all who care about cyber freedom and all who know the potential positive contributions of IT:  Please don’t be pleased with this current situation.  Please don’t just think the title of Cyber Czar I’ve now used to describe Putin is something we should be proud of.  It is not.  We should continue to act till we are able to assert that we are masters of our own networks.  Our nation’s intellectual property, including the intellectual property of all our companies and citizens, is too important to let it be given away without at least a cyber fight.

You may also like -

Pros and Cons: Cyber CommandIntelligence Community Executive Forum on Cyber OperationsDefending Against Stuxnet Type ThreatsPNNL Seeks Chief Cyber Security Research ScientistCyber And Physical Security: The discussion continuesIs your “cyber security expert” full of s***?Haft of the SpearYea! Legislation!Haft of the SpearCTO Perspectives on Cyber Security BillCTOvision.comAlex's 2012 Tech PredictionsCTOvision.comDeputy Secretary of Defense Lynn: Cyber Strategy’s Thrust is DefensiveCTOvision.com

If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity.  This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read.  It is also a roadmap that will help any trying to navigate these very tough issues.

I’ve been involved in things cyber for a long time.  My deepest
involvement began in December 1998, almost 10 years ago to the day.  In all that time I’ve seen lots of studies and lots of papers and many treatments of the issues.  But I’ve never seen one that captures the complexities and the need for specific actions as well as this one.

I’d really recommend you read every word, if you want to be considered literate in this field.   But if it will be a little while till you get to it, here are some key points:

The three major findings are:  1) Cybersecurity is now a major national security problem for the U.S., 2) Decisions and actins must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international  aspects of cybersecurity will make us more secure.

The report makes a few points about the Bush Administration’s Comprehensive National Cybersecurity Initiative (CNCI).  In general the give credit to that initiative, and call it good.  I agree, it is a great activity I’ve previously written about that is led by one of the most effective people in government today and has done great work.  But as the commission points out, the work of the CNCI is good but not sufficient.

The biggest shock for me in this study:  The amount of funding on R&D for cyber security.  I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well funded effort.  According to the comission, however, they estimate that the total R&D funding in the federal government for cybersecurity is about $300million.  Less than two-tenths of one percent of the total federal R&D.

The report has a great section on identity manangement.

I am convinced the organizational approaches outlined in the study are the right ones as well.  There is only one place in our government where we can lead solutions to this challenge.  Where is that?  Hey read the report!

What else do I recommend CTOs do besides read the report?  I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security.   A few are here:
http://ctovision.com/2008/05/standards-organizations-ctos-should-track/

You may also like -

Cyberwar? What Cyberwar?Enterprise Technology Developments in 2010 and 2011Privacy, Security, Functionality and Enhanced Benefits of Free CommerceRedesign of CTOlabs.comIf You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What ...CrucialPointLLCCyberattack as Covert ActionCrucialPointLLCJoin Cloudera and Carahsoft for Big Data Success in GovernmentBob Gourley

In May 2008 I provided an overview of Standards Organizations CTOs Should Track.  Standards groups don’t change that fast, so the list is still pretty much ok, but I was very light on industry consortia.  Industry groups can play a large role in setting and implementing standards.  Industry reps send the majority of thinkers to standards bodies and industry management decides what standards to follow or ignore.  Tracking industry consortia can be very important to the CTO.

Since security is such a hot topic I wanted to point out one I think we should all watch.  The Industry Consortium for Advancement of Security on the Internet or ICASI.

ICASI was formed as a non-profit organization by a group of global IT leaders including Cisco, IBM, Intel, Juniper and Microsoft.  ICASI establishes trust mechanisms to allow those vendors to work very close together in a multi-lateral way to address international, multi-product threats.  Member companies can work in ways that protect sensitive information but enable effective collaboration.  Global leaders were sought for membership because of both the need to serve global customers and the challenges of defending against threats to global supply chains.

The ICASI is an informed group that is clearly aware of and supportive of many other efforts, like those sponsored by the White House and Department of Homeland Security.  For example, the ICASI cites reporting from National Security and Telecommunications Advisory Committee, like the NSTAC Report to the President on International Communications dated 16 August 2007 which highlights the need for a group like ICASI.

The ICASI vision:  Drive excellence and innovation in security response and share it with industry.

ICASI was formed by some of the greatest companies in the IT community.  As an optimist I believe they will help enhance security and look forward to their upcoming report on accomplishments.   But still, they are trying to tackle some very hard problems.  And they have not been providing information to the public on their internal dialog.  Should we be concerned that this was another good attempt that fell short of the vision?  Will the huge cuts in IT companies impact the people and resources provided to ICASI?  Stay tuned for more info…

You may also like -

What You Need To Know About FedRAMPThe Cloud and CybersecurityA National Strategy for Trusted Identities in CyberspaceStandardizing the CloudOracle, Sun and the Enterprise CTOPrevistar: Continual PreparednessCrucialPointLLCYesterday’s Security Doesn’t Work for Today’s ThreatsCrucialPointLLCNIST identifies cloud computing standards gapsCrucialPointLLCThe End of Cyber Security (Part IV)Haft of the SpearUS Offers $10M to Jump-Start ID Security Tech ResearchCrucialPointLLC

There are some interesting analogies between performance management applied to organizations and performance management applied to computers.

In both cases, performance metrics are crucial to success.  In organizations, what we reward gets measured, and what gets measured can be more efficiently and effectively done.   In our computers, what we decide is important gets measured, and those measurements can help us drive to increasingly effective and efficient performance.

Computer metrics apply to a broad range of disciplines and needs, including needs like:

• Improved power efficiencies
• Lower heat generation
• Smaller footprint and lighter weight
• Higher reliability
• Multi-threaded execution
• Continuous availability
• Enhanced security
• Enhanced information assurance
• Enhanced agility in the face of change
• Enhanced ability to ensure compliance

Metrics in these areas drive improvements, but they also help drive decision-making, both by the IT management team and, when done appropriately, by automated management computer systems.  Just as agile, high-performance organizations can rapidly assess metrics and drive decision-making based on them, the agile, high-performance IT enterprise can leverage metrics to drive decisions and actions.  Automated remediation of problems and automated implementation of new policies are only possible with well through out, integrated metrics solutions.

Well thought out metrics solutions also provide built in ways to measure compliance with directives and regulations, including:

• SOX: The Sarbanes-Oxley act of 2002, which establishes many standards for public companies, including internal controls for assuring the accuracy of key data and audits on key information.
• FISMA: The Federal Information Security Management Act of 2002, which bolsters computer and network security in the federal goverment and many contractors.
• OMB M06-16:  A security checklist coordinated by NIST and promulgated by OMB.
• FDCC: Federal Desktop Core Configuration, NIST coordinated, OMB mandated requirement for 300 settings on each Windows XP and Vista computer.
• SCAP: Security Content Automation Protocol, a US government multi-agency initiative to enable automation and standardization of technical security operations.  SCAP is the method for using specific standards to enable automated vulnerability management, measurement and policy compliance evalation.

Compliance with these and related directives, and compliance with the governance guidance of the enterprise CIO and CTO, are good governance.  This sort of compliance can be automated with tools like Triumfant’s compliance manager, and when automated generally provide a very rapid return on investment (ROI).

My conclusion:  in this case, the computers in your enteprise should be treated like an optimized organization: use metrics to enable compliance, agility and continually improving performance.  And use those metrics to drive decisions, and automate the entire process to the greatest degree possible.

For more on this topic also see: http://ctovision.com/2008/08/compliance-enhances-it-support-to-the-mission/

You may also like -

The Technology of VoltDBData Wizards Know Hadoop is Powerful: But they want more automationHadoop World Breakout Sessions 8 and 9 Nov: Recommendations for the enterpris ...A look at VMware's vFabric Cloud Application PlatformOne Trillion Reasons: One Year LaterTTPs, CRADAs, MRM, and FixmoCrucialPointLLCEnterprise Customers Gain Business Insight and Competitive Advantage With Net ...CrucialPointLLCA look at VMware’s vFabric Cloud Application PlatformBob GourleyJoin Cloudera and Carahsoft for Big Data Success in GovernmentBob GourleyCloudera and Carahsoft Webinar: Big Data Success in Government 19 Jan 2012CrucialPointLLC

ITIL is the Information Technology Infrastructure Library, a set of tips, techniques, processes and concepts for managing an IT enterprise.  ITIL focuses on infrastructure, application development and operations. ITIL is without a doubt the most widely accepted approach to enterprise management.  It provides a full set of best practices.

I’ve come to believe that all CTOs should learn ITIL.  I don’t believe ITIL holds all the answers for enterprises, but it has many useful models and many best practices that can be of enormous benefit, so enterprise class CTOs will increasingly find a familiarity with ITIL comes in handy.  For CTOs in vendors, integrators or startups, you will be interacting with enterprise technologists and should understand the power of ITIL as well.

ITIL came out of the UK and the name ITIL remains a registered trademark of the UK’s Office of Government Commerce (OGC), so I should tip my hat to them.  The OGC and the many other contributors to the ITIL have done enterprises everywhere a great service and they deserve our thanks.

The reference library of ITIL is provided in five core texts:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

Benefits of ITIL, asserted on the ITIL site, include:

• reduced costs
• improved IT services through the use of proven best practice processes
• improved customer satisfaction through a more professional approach to service delivery
• standards and guidance
• improved productivity
• improved use of skills and experience
• improved delivery of third party services through the
  specification of ITIL or ISO 20000 as the standard for service delivery
  in services procurements.

The following info on the books of ITIL v3 is condensed from Wikipedia’s entry on ITIL:

Service Strategy

Service strategy encompasses a framework to build best practice in developing a long term strategy. Topics include: general strategy, competition and market space, service provider types, service management as a strategic asset, organization design and development, key process activities, financial management, service portfolio management, demand management, and key roles and responsibilities of
staff engaging in service strategy.

Service Design

The design of IT services conforming to best practice, and including design of architecture, processes, policies, documentation, and allow for future business requirements. This also encompasses topics such as Service Design Package (SDP), Service catalog management, Service Level management, designing for capacity management, IT service continuity, Information Security, supplier management, and key roles and responsibilities for staff engaging in service design

Service Transition

Service transition relates to the delivery of services required by the business into liveoperational use, and often encompasses the “project” side of IT rather than “BAU” (Business As Usual). This area also covers topics such as managing changes to the environment. Topics include Service Asset and Configuration Management, Transition Planning and Support, Release and deployment management, Change
Management, Knowledge Management, as well as the key roles of staff engaging in Service Transition.

Service Operation

Best practice for achieving the delivery of agreed levels of services both to end-users and the customers (where “customers” refer to those individuals who pay for the service and negotiate the SLAs). Service Operations is the part of the lifecycle where the services and value is actually directly delivered. Also the monitoring of problems and balance between service reliability and cost etc are considered. Topics include balancing conflicting goals (e.g. reliability v cost etc), Event management, incident management, problem management, event fulfillment, asset management, service desk, technical and application
management,  as well as key roles and responsibilities for staff engaging in Service Operation.

The above is just a short introduction.  For more info, I recommend the booklet The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps, by Kevin Behr, Gene Kim and George Spafford.  The book is a very fast read and will leave you with enough of an understanding of the power of ITIL to let you decide how fast to move your organization into implementing it.

You may also like -

Learn how to get ready for the FDCCI with Bob Gourley and Carahsoft (Webinar)Disruptive IT List Update: watching several dramatically positive technologiesGoogle Announces Apps for Government: More choices for gov CTO/CIOs.Survey says: Security risks never higher, or more costlyRedesign of CTOlabs.comFrom Networks to SwarmsBob GourleyThe Evolving Enterprise Threat EnvironmentCrucialPointLLCIf You Use Hadoop You Have Been Waiting For This: Cloudera Enterprise 3.7CrucialPointLLCLearn Lessons On The FDCCI with Bob Gourley and Carahsoft (Webinar)CrucialPointLLCJoin Cloudera and Carahsoft for Big Data Success in GovernmentBob Gourley

I recently finished a visit to one of our nation’s greatest intellectual resources, the school of computer science at Carnegie Mellon University.   The incredible work being accomplished at the university includes the globally famous Software Engineering Institute and the equally renowned CERT/CC.  CMU also serves the nation by hosting and supporting Cylab.   More on each of these is below.

SEI is a Federally Funded Research and Development Center (FFRDC).  SEI processes and practices, which are almost certainly familiar to readers of this blog, are now being taught at universities everywhere.  Their comprehensive approach to quality is being used today by development organizations around the world and is producing fantastic results.  There are many reasons for this, but the short version is that SEI processes like the Capability Maturity Model Integration (CMMI), the Team Software Process (TSP) and the Software Engineering Measurement and Analysis (SEMA) have proven to enhance the quality and performance of software activities while reducing cost and development time.  Read more at: http://www.sei.cmu.edu.

The CERT/CC is a group I first stared working with in December 1998 when I was one of the startup grew of the JTF-CND.  I’ve been a big fan of them sever since, and have tried to track what was going on there, but frankly I lost touch and am really glad I got the in person update.  The CERT/CC is a critical enabler of hte IT industry’s ability to detect and remediate vulnerabilities, conduct computer forensics, visualize cyber information, and respond to incidents of every scale.  For more on the CERT read more at: http://cert.org.

The Cylab is the nation’s largest university based research and education program focused on cyber security, dependability and privacy.  Cylab conducts sponsored research as one of the NSF CyberTrust centers.  According to the CyLab website:

The CyLab Strategy is to integrate response, prediction, research and development, and education both nationally and internationally and build capacity in:

• Technology – by pursuing an aggressive, highly interdisciplinary research and development agenda that integrates technology, policy, and management
• Human Resources – by educating professionals in Information Technologies, Business, and Policy, and by creating “cyber-aware” citizens worldwide
• Industry – by transitioning technologies to large, medium, and small companies and by creating start-ups

For more on the Cylab read more at: http://www.cylab.cmu.edu/.

Thanks to all at CMU for doing what you do, it is really appreciated by computer scientists, CTOs and leaders everywhere.  Please keep it up.

You may also like -

Wanted: World Class Best Enterprise CTOTwiki and Gov2.0: Innovative Open Architecture Platform and SolutionsCMU cyber researcher to get presidential awardCrucialPointLLCTTPs, CRADAs, MRM, and FixmoCrucialPointLLC