Debunking the Growing Use of Misleading Claims and False Truisms in Cybersecurity: Wind River and Google Android Examples (Release)

November 5th, 2009


Washington, D.C., November 5, 2009 – Today, Rob Housman, the Executive Director of the Cyber Secure Institute, put out this statement concerning two disturbing trends in cybersecurity: the growing number of unsupportable security claims and the increasing reliance on widely held beliefs as opposed to tested and proven technologies.  Housman said:

One of the Institute’s primary objectives is to cut through the morass of cyber security claims and counterclaims and distinguish what is real and what is not.  Lately, the Institute has seen a significant uptick in the number of unsupportable, if not patently false, security claims being made.   We have also seen a growing reliance upon widely held beliefs that may or may not be based in proven fact.

Along these lines we feel it necessary to highlight and debunk two recent examples of these trends: 

Erroneous Claims: Marc Brown, a Wind River vice president, recently told Military Embedded Systems that Green Hills Software’s real time operating system is “only certified under ‘high robustness’; they did not certify under EAL6+, as they did not actually add in the necessary requirements to comply with EAL6.”

His statement is false.   Even a cursory review of the Green Hills listing on NSA/NIAP’s website shows that the Integrity technology has, in fact, been certified under both the relatively new “high robustness” standard and at EAL 6+.   For Wind River to suggest otherwise is false.  

In contrast, the NSA/NIAP listing for Wind River’s VxWorks MILS 2.0 technology shows that it is presently being evaluated but has not been certified at any level.  It is nonsensical for a company that is not certified to attack a technology that has received the highest security certification ever by the federal government.

Additionally, Wind River’s criticism here displays a serious lack of understanding of the current certification standards. Wind River’s statement implies that high robustness is somehow a lesser security. In fact, a close review of the two sets of certification requirements shows that they are both extraordinarily rigorous. Most technologies on the market today are not even close to being able to meet either standard. And, in the RTOS vertical one might argue that the high robustness standard is even tougher than EAL6.   

Rather than attacking technologies that have already been certified secure, we would encourage Wind River to focus on its own ongoing certification process.    If they can achieve this high standard we look forward to working with them.

Reliance on Truisms: eWeek recently published an article entitled “10 Reasons Why Google Android Is Secure.”  In the article eWeek states, among other things, that Android is secure because it is built on open source software and because the platform technology is Linux-based.  Both of these arguments are seriously flawed.

First, while many believe that open source software is more secure, in fact, the process by which open source software is created raises the serious risk that malicious code can be inserted into a program.  With tens of thousands of lines of code—much of it of unknown or little known origins—and without any formal proof of the code, there simply is no way to ensure that open source software is fully secure—let alone prove it.  Anyone who doubts this need only refer back to the frightening revelation by Ken Thompson, one of the UNIX creators, that he was able to insert an untraceable Trojan in the UNIX login command.

Second, while many believe that Linux is a more secure software platform, in fact, Linux isn’t significantly more secure than the other uncertified systems that are currently on the market.  There are thousands of published known vulnerabilities in Linux and untold numbers of other exploits known to hackers and criminals, as well as our enemies.

Debunking these truisms will be seen by some as an act of heresy.  However, our cybersecurity systems must be based on tested, proven technologies, not on beliefs, no matter how widely held.

There is only one truly secure Smart or App Phone in use today: the one used by Pres Obama.  It is no coincidence that the President’s phone runs on a certified secure system, not a Linux-based, open source technology.

Cyber Secure Institute Calls Wired Magazine’s “2009 Smart List” Idea “Forget Medical Privacy” Profoundly Stupid (Release)

October 28th, 2009

Washington D.C., October 28, 2009—Today, the Cyber Secure Institute called Wired Magazine’s idea that we should “forget medical privacy” profoundly stupid.  This idea was part of the Magazine’s 2009 list of “Smart Ideas,” which is the cover story of Wired’s October 2009 edition. As part of the magazine’s annual list of “smart ideas,” Wired endorsed an idea promoted by Jamie Heywood that people should forget about medical privacy.  The article quotes Mr. Heywood as saying, “Privacy has been an excuse by those with vested interests in hoarding information.”  Wired and Heywood call for people to “create public profiles listing their symptoms, medications, and other details long deemed too sensitive to share.”  Heywood believes that our personal healthcare data should be as easily accessible as “ordering a pizza.” 

“Wired concedes that the ideas in the 2009 Smart Ideas list are ‘dangerous,’” Rob Housman, Executive Director of the Institute said.  “Wired is right, the idea that we should forget our medical privacy is extremely dangerous.  However, it isn’t just dangerous, it is also inane, stupid, irresponsible, irrational, and nonsensical . . . I could go on,” he added.

“Heywood and Wired admit ‘that there may be pitfalls—the prospect, for example, that employers could weed out workers with rare diseases . . .’” Housman said. “However, they suggest that the number of people who would suffer as a result of these ‘pitfalls’ will be small, ‘. . . a couple of lost jobs.’ This is nonsense,” he said.

“If all our personal medical data were made public as Wired and Heywood argue, the impacts on Americans would be far reaching,” Housman said.  “Untold thousands of people would suffer, not just people with rare diseases.  Everyone whose data indicates anything that an employer may frown upon would be at risk.  People would lose jobs, others would be unable to get work, or be passed over for promotions, or demoted,” Housman said.  “How many companies would pass over a well qualified woman if they knew she was seeing a physician in order to get pregnant?  How many employers might find a reason to fire someone with heart disease or diabetes or any other condition that could impact performance, absenteeism or healthcare costs?”

“Moreover, of all magazines, Wired should know better than to suggest that there are ways that openly disclosed data can somehow be made anonymous,” Housman added.  “Not a day goes by without some form of serious personal data breach.  Even protected medical data is routinely compromised.  Moreover, there are now websites and other technologies that compile, sort and aggregate data sources to present detailed, highly intrusive composite profiles of people.  Wired’s idea would mean that these sites would now be able to tell you not just what books you’ve been surfing but what diseases you have,” Housman continued.  “To think that you can somehow protect open data by ‘anonymiz[ing]’ it is ridiculous—we can’t even fully protect classified systems in the Pentagon.  Wired should know better,” Housman said.

“We appreciate Wired’s desire to shake things up a bit.  However, Wired might have been better served by sticking to ideas that, while they may be provocative, might have a shred of commonsense behind them.  The notion that we should just forget our medical privacy is utterly senseless,” Housman said.

“We’d suggest Wired consider putting ‘forcing the adoption of inherently secure IT systems’ on next year’s Smart List; that is a provocative, necessary idea whose time has come,” Housman said.

Cyber Secure Institute Releases Preliminary Analysis of the National Institute of Standards and Technology’s Newly Announced Recommended Security Controls for Federal Information Systems and Organizations

August 4th, 2009

Today the Institute released our Preliminary Analysis of the National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems and Organizations, which NIST released on August 1, 2009. The NIST Recommendations are a critical component of the Federal cybersecurity effort.  The Recommendations will shape the security approach of all unclassified Federal IT systems. In addition, how the Recommendations are implemented will have spillover effects on IT security efforts beyond the Federal government, to include both the sub-Federal level public sector and the private sector.  And, in turn, they will impact a major portion of the Federal IT market, and the larger IT market as a whole.

“Overall, the Institute sees the NIST Recommendations as an important step forward in bringing a more unified, coherent and integrated approach to IT security,” Housman said.  “They make important security strides in a number of key areas.  However, they also raise a number of serious questions.  For example:

·      “The Baseline Controls provide protections against “highly skilled, highly motivated, and well resourced” threats only for systems designated High Impact.  However, the definitional aspects of High Impact systems do not apply to vast numbers of Federal IT systems that could have major impacts on the nation and individual Americans if breached.  For example, the e-Health systems now being pushed by the Obama Administration would seem to fall in the Moderate category.  However, the threat to so-called Low and Moderate Impact systems comes from sophisticated actors, like the Chinese military and organized crime.  Nevertheless, the NIST recommendations only require these systems to be secure against unsophisticated threats—the proverbial teenage vanity hacker hacking away in the basement.

·      “The Recommendations do not provide a mechanism for certifying or validating that specific IT systems meet the NIST requirements that they are being deployed to fulfill. 

·      “The Recommendations on their face seem to adopt the current hack and patch approach to cybersecurity.  They do not explicitly require that IT systems be actually secure against the real world threats we face.

·      “The Recommendations do not seize the opportunity to put in place a mechanism, such as a ‘Best Available Cybersecurity Technology’ requirement, that would have driven technological innovation and real cybersecurity,” Housman added.

“All in all, the NIST Recommendations are a major step forward but they fail to fully seize the opportunity to advance President Obama’s Cybersecurity agenda,” Housman said in closing. 

Read Full Report

Business is Booming—That’s a Big Problem

July 8th, 2009

Just this morning the Institute put out a new Hack and Patch Dispatch about the Microsoft “Browse Slave” vulnerability.  Today, we were about to blog about the hack of the e-Health system in the UK—with the push towards e-Health in the US, the need for next generation security in such a system is a major theme for us.  However, before we could do so, the news is awash with stories about the latest cyber attack, likely North Korean, against U.S. government websites.

Summer in Washington is supposed to be slow—lazy, hot and awfully humid days spent watching the Nationals lose yet another one-run game, wishing the beach were two hours closer and taking the Founding Fathers’ names in vain for not picking bay-front Annapolis instead of swampy DC to house our government.  But, sadly, business has never been busier for the Institute.  Therein lies the problem.

In all candor, with all these inherently insecure systems being constantly compromised it is all but impossible for us to keep up.  Where do we focus our attention?  Do we hammer the latest attack against our government IT systems?  This attack, yet again, shows that our nation is unprepared for the cyberwar—or more accurately low-grade conflict—we are now facing on multiple fronts. Do we focus on the rush to create an e-Health system that will leave the nation, and all of us as citizens, consumers and patients, vulnerable and at real risk?  Or do we draw attention to the latest hack and patch of the Microsoft system, clearly demonstrating that the IT system that nearly every American relies upon is inherently flawed from a security standpoint?  Rest assured, by the time I finish writing this blog there will be yet another attack, vulnerability, worm, flaw, gap, and cyber horror.

However, the attacks will not stop until someone makes them stop.  They won’t stop until the Obama Administration gets tough on cybersecurity.  The President is to be applauded for his focus on this issue.  But a budget-less, fang-less cyber coordinator isn’t going to force change.  That said, it is a start.  Nonetheless, the only way things will change is if change is driven—top down from the President, and bottom up from all of us.

Just as early environmental law forced the car industry to meet aggressive, at the time out of reach, fuel efficiency standards.  Just as Kennedy charged the public and private sector to go to the Moon: “We . . . do [these things] not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.” Just as consumer demand for healthier products now has McDonald’s offering salads and fruits.

We need to force a new cybersecurity paradigm.  We have to provide incentives and mandates to encourage, cajole, and yes even compel, the IT world—from innovators to integrators to users—to seek a new course.  This next generation of IT needs to be based upon inherently secure technologies, not the hack and patch technologies of today.  This will require a bold departure.  However, it is long overdue.

That said, I need to go focus on a new report from Oracle that says consumers don’t trust ecommerce security—I can’t imagine why.


Observations on the WH Cybersecurity Coordinator Post and Silverstone’s Analysis

July 2nd, 2009

Ariel Silverstone has a new analysis of the job description for the White House Cybersecurity Coordinator out today that is worth reading.

He raises a number of key points that deserve discussion. 

By way of context, I have a unique perspective on these matters. I served for four years as the Assistant Director for Strategic Planning in the White House Office of National Drug Control Policy, or the Drug Czar’s Office.  I have also had the privilege of advising two individuals (one formally and one informally) who were tasked with running “czar” offices.  In one case, the individual whom I advised was tapped to head up a new security czar’s office, standing it up from fresh ground—the same task that the new cybersecurity coordinator will face.

With that background, allow me to turn to Ariel’s thoughtful analysis.

Ariel states that the Coordinator should be within the Executive Office of the President.  He is absolutely correct.

To be effective the new coordinator will need to play at the highest levels—meaning with the President’s Cabinet.  Cabinet members are loath to return calls and take orders from “coordinators.”  This isn’t just small mindedness.  Government runs on hierarchy. Cabinet Secretaries are Senate-confirmed, and that puts them in a much more elite circle; the coordinator won’t be. The roles and responsibilities of a Cabinet agency head are codified in statute by the Congress; the coordinator’s won’t be, at least not for the time being.  As a result, there is the real risk that the coordinator will be viewed by these key leaders as a glorified staffer.

Given that, to be effective, the new coordinator will have to be perceived as having apparent authority.  Apparent authority—non-statutory, non-titular power—was a main reason why even Cabinet Members returned Rahm Emanuel’s calls when he was a “Senior Advisor” to President Clinton.

The most important element of apparent authority is access to the President—if your colleagues see you as someone who can get the president on the phone or get an audience with ease, then they have to deal with you.  Being in the EOP means that you are geographically and organizationally part of the president’s immediate world—his house guard if you will.

Additionally, being within the EOP brings with it a host of trappings of power that are critical in dealing with the rest of the administration, but more importantly the outside world.  These trappings are important for the coordinator, but they are even more important for the coordinator’s staff.  The coordinator should insist that his or her staff get so-called “blue badges,” which provide open White House access.  His or her staff should be included in the daily White House key staff meetings.  The coordinator also should insist on White House Mess privileges—I have seen first hand the impact you can have by taking someone to lunch in the Mess.  These are not mere vanities, they are the elements of authority, of power and position that can be used to advance a goal or a policy.  Even something as simple as a White House business card can make things happen.

Ariel states that the coordinator should respond directly to the White House Chief of Staff.  I agree. 

Being a direct report to the Chief of Staff elevates the individual and the office.  It also would mean that the coordinator would not need to clear or vet positions or policies through others in the hierarchy before bringing them forward.  This is critical over the long term.  The new coordinator must see every level of bureaucracy as a maze full of pitfalls that stands between her and effecting change.  The easiest way to overcome this maze is to shorten its length before even entering it.

Based on that view, if I were being selected as the coordinator, I would at least try to secure the ability to go even higher than the COS.

When Gen. McCaffrey was considering taking the drug czar’s job, he did something that was strategically brilliant.  At the time, the drug czar’s office lacked the same types of real authorities that the new cybersecurity coordinator will lack.  As a result, McCaffrey worked with President Clinton and his staff to develop a written agreement between the White House and the General laying out the parameters of his job and setting out certain terms and conditions.  One of those terms was that he could not be denied access to the president, not even by the chief of staff.  In essence he became a direct report. This gave him an order of access that few within the administration had—more than even the typical Cabinet member had—and everyone inside knew it.

Ariel states that cybersecurity requires a multi-year budget. He is right on target. 

Gen. McCaffrey used to constantly repeat an admonition that he had received when serving under Gen. Colin Powell:  “Don’t show me your programs, show me your budget.”  This is akin to the more widely known phrase: “Money talks, bull merde walks.”

If the coordinator is to be effective he or she needs to have authority—direct or indirect—over a multi-year budget that comes from the Congress.

In exchange for that budget—and given the amount of failed spending that has epitomized cybersecurity to date—I would suggest that such a multi-year commitment of funds be accompanied by the requirements that the coordinator:

  1. Develop, in conjunction with the other relevant agencies, a multi-year cybersecurity strategy for the nation; and
  2. Develop and report on progress against a series of performance measures of evaluation.

Let me stress that performance measures need to be end-state focused.  Holding lots of meetings does not count for anything unless they result in some measurable improvement to our nation’s cybersecurity.

It should also be stressed that resource issues can be addressed in a number of different ways.  Obviously, the coordinator’s office must be fully resourced, with everything from a travel budget to adequate staff.  However, beyond those funds, the ability to impact budgets can be almost as important as direct budget authority.  For example, by statute the drug czar has the ability to decertify the “drug budget” component of any other agency’s budget.  This provides the drug czar a big stick—best used sparingly—that can be critical in getting things done. 

The coordinator won’t have that statutory authority; however, the President can make up for that by ensuring the coordinator is an active participant in the OMB budget review process.  The OMB budget review allows OMB and other key players the ability to shape all sorts of policies and programs through the pocketbook.  And, if other actors know the coordinator will be reviewing their cyber budgets, you’d be surprised just how many friends the new coordinator will find in Washington, around the Beltway and even beyond.

Ariel calls upon the coordinator to begin a true public-private partnership.  He is correct yet again.

With 85 percent or more of the digital critical infrastructure in private hands, the coordinator cannot possibly succeed without an effective working partnership with the private sector.

Here again, while in the White House, I saw first hand how a coordinator can use real public-private partnerships to advance policy goals.  The drug challenge—in some ways like the cyber challenge—is primarily a societal problem, and government cannot solve it without the help of the community writ large.  As a result, we invested extraordinary amounts of attention, energy—not to mention dollars—on building these partnerships and strengthening our nongovernmental institutions—and it made a huge impact.

Along these lines, I also agree with Ariel’s thinking about the need for an official advisory board and the need for academic outreach to strengthen the field.

I would add one other element to the directed outreach Ariel calls for and that is educational outreach more broadly.  In the public health area we have made enormous strides in certain areas through public educational outreach—we have cut smoking, increased seatbelt use, increased childhood vaccinations, and cut youth drug use.

These challenges are different, but also similar to the challenges we face in the cyber realm.  I would encourage the White House and the new coordinator to consider a nationwide cybersecurity educational campaign. 

Ariel calls on the coordinator to champion the National Institute for Standards and Technology and its efforts as part of the international standard setting community.  Here again I agree, but I would add the NSA’s certification work in conjunction with NIST to that list.

It is the Institute’s view that one of the biggest challenges we face in the cybersecurity realm is, in essence, market failure.  And that market failure is predicated on the fact that the typical consumer has no way of determining what is and what isn’t secure.  As a result, the market is full of security claims that are simply false. 

We are in desperate need of basic cybersecurity performance standards and certifications.

We are increasingly dependent on IT systems for our national, homeland and economic security.  However, there are no effective standards that dictate the minimum level of security that a critical IT system must achieve.

We standardize (read direct and/or certify) the safety and/or security of everything from children’s blankets to body armor to drugs.  And our protections in these areas—while at times burdensome and not without cost—have not unduly impeded innovation.  In fact, in areas like food and drug safety our protections make us the international gold standard.  There is simply no reason that we cannot develop standards to ensure the security and safety of our critical IT.

To Ariel’s list let me also take this opportunity to add a thought that I think is critical both in terms of the job description and the type of person needed to fill the job.

The coordinator must fully utilize the bully pulpit.  To this end, he or she must not be required to vet every speech and every interview with the inter-agency and the press office.  One of the things that made Gen. McCaffrey such an effective drug czar was that he made extraordinarily good use of the media to get his message out.  The coordinator will need to take a similar approach—as well as extending it to the new world of digital and social media.

As a corollary, it is critical that whoever is selected for this post must be the sort of person who can command public attention.  Think of it this way: will Bill Gates, a four-star general or the CEO of Citibank listen when he or she speaks?  Because, if you can’t actually force someone to change their behaviors, you have to convince them as to why they must.  To be effective, the coordinator must have enough force of personality to be able to drive change even against all the impediments that will lie in the way.

“First Do No Harm”; e-Health Vulnerability Update

June 30th, 2009

Recently the Institute analyzed the ramifications of IT vulnerabilities for the push towards e-Health. Our analysis focused to an extent on the recent hack of a Virginia State prescription drug database.  This week Virginia State officials testifying before State legislators said that they are now receiving reports that doctors are hesitant to prescribe more potent painkillers to patients because of the hack and the vulnerabilities inherent in the database.

The Associated Press reports:

A House panel learned that powerful drugs such as Oxycontin, Valium, Vicodin and Ritalin are being withheld because pharmacists can’t check with the prescription drug database that still allows limited access.

This is precisely the sort of real world health impact from cyber shortcomings that the Institute’s analysis discussed.

If hackers can continue to be able to access vital health records almost at will, then they will have the ability to steal records, alter information, or simply deny access.  Or, as with what has happened in the energy sector, they could simply use the power to take these systems offline to extort untold sums of money.  As bad as compromising a prescription drug database may be, imagine if the database that was taken down had the real time medication data for a patient arriving at an emergency room in extreme distress.  How much could you be compelled to pay if a hacker had your life in the balance?  Or the lives of hundreds of thousands of patients?

For these reasons the Institute continues to advocate that the first step in building an e-Health system has to be the development of an essentially hack proof digital infrastructure that has security designed in from the start—not yet another bolt on system of firewalls and forensics that is inherently insecure.  Such a secure infrastructure must utilize only technologies that are tested by third party experts—preferably the NSA and NIST—against established, national standards.  Such testing must include extensive penetration testing, even with the source code.  And, only technologies that can meet these requirements should be part of the national e-Health infrastructure. 

In sum, the mantra for e-Health must begin with the Hippocratic Oath’s promise to “First do no harm.”  An insecure e-Health system cannot live up to that oath.

SINET Conference Observations

June 26th, 2009

Yesterday the Institute attended the first meeting in Washington, DC of the Security Innovation Network. 

The meeting began with a keynote address by former Director of National Intelligence, Vice Admiral (ret.) Michael McConnell. VADM McConnell’s remarks were impressive.   The Admiral noted that from a cybersecurity standpoint, “The United States is the most vulnerable nation in the world.”  He also noted that after becoming the DNI, he told President Bush that if the 9/11 terrorists had hacked a major bank and taken it down, the impact would have been significantly greater than even the heinous attacks of 9/11.  McConnell noted that Bush turned to then Treasury Secretary Paulson and asked if he concurred.  The Admiral noted that for a brief moment he was on edge hoping his Cabinet colleague shared his perspective.  A moment later, Paulson strongly endorsed his assessment.  President Bush in response noted that IT is our nation’s competitive advantage for the future—a point that the Institute has regularly stressed—and that the United States needs to defend our IT and that advantage.  This exchange began the ramp up in cybersecurity efforts during the Bush Administration. 

The Admiral stressed that it was relatively easy to make the case for cybersecurity during the 2008 election cycle, as both candidates during the last presidential race had their IT systems hacked and information stolen by foreign parties.

With respect to the current glide path of cybersecurity, the Admiral stressed the strength of the commitment to improve our cybersecurity within the Obama administration, emphasizing the budgetary commitment and the 60 Day Review and follow on efforts.  However, he did emphasize one point that deserves much greater attention.  Admiral McConnell noted that the $17 billion presently targeted at IT and security enhancements would secure .mil and begin to secure .gov, but that 98 percent of the challenge is .com.  This is a sobering note and points to the real challenge ahead.  In terms of how we will meet this challenge the Admiral said he expects it will require a combination of collaboration, coordination and positive incentives with new standards and mandates—this too has long been the view of the Institute.

What stands out most from VADM McConnell’s presentation is that at the highest levels of the intel and defense world the perception of the cyber threat is vastly higher—and more accurate—than across the remainder of the tech world, the corporate world and the public writ large.  The typical CEO these days is simply not focused on a cyber-armageddon, even if his or her company could be caught in the mix.  The average man on the street is much more worried about the economic crisis, another 9/11 terrorist attack, or a North Korean nuclear attack, than a digital Pearl Harbor.  However, at the senior most ranks, our leaders are very much worried about a digital attack. 

This disconnect is a real issue.  It is a major barrier to enhanced cybersecurity across our critical infrastructure. Someone—be it the President, the cyber czar, or a corporate leader—needs to stand up and shake people up until they get it.  The Institute looks forward to helping in that effort.

A number of the other speakers after McConnell also made critical points.  While the list of prescient observations is too long for a detailed run down, allow me to highlight a few:

Jerry Archer, the CISO of Intuit, stressed that cyber threats have evolved markedly over the last few years, as hackers have become increasingly sophisticated and professional.  Archer said that he has not seen a vanity, or amateur, hacker in the last two years.  Every hacker he faces now is a professional.  He also said that hack attacks have grown by 1,500 percent over the last two years.

He also noted that cyber-crime now exceeds drug crime on a dollar per dollar basis.  Paraphrasing Archer, why risk running drugs when you can hack millions of dollars while sitting in a cyber café in Somalia with no risk of getting caught?  Along these lines he noted that the Russian hacker who stole millions had not only gotten a mere slap on the wrists, but he was subsequently elected mayor of his town. 

Archer stressed the need for IT platforms with security built in, not grafted on as an afterthought.  This is another core view of the Institute—that we need inherently secure technologies.

Finally, Archer focused on a key point that the Institute will take up again in the coming days: the business case for cybersecurity.  He noted that in the corporate environment today money isn’t limitless, so cybersecurity improvements need to be justifiable; in other words, they must produce ROI.  Along these lines he said we need impactful innovation in cybersecurity to produce inherently secure technologies that achieve real security, or ROI.

Steve Elefant, who is now leading the end-to-end encryption program for Heartland Payment Systems, provided a number of interesting observations from the perspective of the company that recently suffered perhaps the largest hack ever. 

Most importantly, Elefant explained that Heartland’s CISO had never been turned down for a security technology, and yet the company was still hacked.  This sums up the state of cybersecurity today in a single line.  The technologies we all rely upon are inherently insecure.  Companies can spend vast sums of money and be all but as vulnerable as the next guy who spends a mere fraction.  This creates perverse disincentives for cybersecurity investments—as well as innovation.  It also clearly shows the need for a leap-frogging technology.  We need to go from inherently insecure technologies, with security added on after the fact—like a digital Maginot Line—to inherently secure technologies that begin from security.

Elefant also echoed the changing nature of the hacker threat, stressing that Heartland was hacked by a criminal group. 

He also stressed the need for greater exchange and coordination between the public and private sectors.  He noted that the breach of Heartland could have been headed off: law enforcement knew of the form of attack from prior breaches before Heartland’s; however, that information wasn’t shared more widely.

Finally, let me heartily endorse and align the Institute with the efforts of SINET, as it is known.  SINET is focused on “increas[ing] collaboration between the United States public and private sectors with the mutual objective of accelerating innovation in security technology, practices and implementation.”  In short, SINET seeks to bridge the gap between Silicon Valley and its sister valleys, alleys, hubs, triangles, routes and corridors and the Beltway, meaning the prime government-industrial complex (to include major systems integrators, tech contractors and the like).  SINET is run by Robert Rodriguez, a retired US Secret Service cybersecurity leader, who is a strong advocate for cybersecurity innovation and the scores of emerging companies in this space.  Anyone in this space should consider becoming a SINET member.


PCI Security; Associated Press Investigation

June 26th, 2009

Last week an Associated Press investigation revealed that the companies that handle your credit card data, including banks and major retail outlets, are not as secure with your information as they could be.

Scores of retailers and payment processors have disclosed data breaches in the past few years. This year Heartland Payment Systems suffered perhaps the largest data breach ever—hundreds of millions of transaction records were compromised, and millions of people had their account information stolen.  The hack that hit Heartland also compromised perhaps 300 other companies—only the others never disclosed the problem.

As with Heartland, even companies with the industry’s top computer security rating, known as Payment Card Industry (PCI) compliance, have been the victims of major breaches.

Credit card companies and the payment processors who work with them are left by the government to develop their own industry security rules. These PCI standards require that stores that initiate credit card transactions use antivirus software and have firewalls installed. However, hacker simulations are run just once a year, and these businesses are allowed to define the scope of the tests and run the tests themselves. As Ariel Silverstone, the CISO of Temple University, has aptly said, “Who can fail an audit when one of its tenets is that the audited organization gets to define its scope?” Those merchants who decide to hire outside security auditors to check for compliance frequently carry this out the cheapest way possible.  It is no surprise that the AP describes these rules as “cursory at best and meaningless at worst.”
Moreover, some companies that handle your sensitive financial information aren’t even PCI compliant. They are forced to pay fines but are left free to process your credit and debit card payments.

Suffice it to say, your credit and debit information is at serious risk.

What is surprising is that there has been little effort until of late to do something about this serious problem.  The lack of network security has been the dirty little secret of the processor industry. The payment industry is built on efficiency, and the industry has feared that adding security would slow the process down.  With the entire payments industry worried about speed, and all being equally insecure, it was better not to talk about this problem at all.  Surprisingly, the credit card providers have not been pushing for greater security.  Instead they have been content to operate across inherently insecure networks notwithstanding the billions of dollars at risk.  Breaches and the frauds that follow have been chalked up to the cost of doing business.  Besides, these companies don’t have to go through the hassle an individual consumer endures when his or her financial data has been compromised.

Tougher compliance standards, PCI or other, are needed. Financial systems, including payment IT systems, should deploy only the best available technologies end-to-end.  Merchants’ computer networks must be secure in handling sensitive financial information. Processors need to ensure that even if a retailer is hacked, the critical private financial data on their systems are protected.  Consumers should be immediately informed of the possibility that their information has been compromised.  The list of necessary improvements is long and substantial.

The Cyber Security Institute’s Talking Points from President Obama’s Cyberspace Policy Review 6-2-09

June 8th, 2009

President Obama released his new Cyberspace Policy Review this Friday, May 29th, which outlined his plan to improve America’s Internet and computer security. The review is the result of a 60-day, “clean-slate” evaluation headed by an interagency group. The key components of the review include:

  • Leadership: The President will appoint a new cyber security policy official, or “coordinator.”  This official will work across the federal government coordinating efforts in policy and technology, build agendas and help ensure the necessary budget is met to accomplish the President’s goals.
    Review: “Leadership should be elevated and strongly anchored in the White House to provide direction, coordinate action and achieve results.”
    Comment:
    -Cyber security requires a leader. President Obama’s creation of a cyber security coordinator is a step in the right direction, but the job description lacks specifics such as: How much authority and power will they have? Who will be appointed and what will be the prerequisites for appointment?
    -The cyber coordinator must have the support of Congress—in both parties and in both houses—to ensure a large enough budget to accomplish significant goals.
    -To be effective, the coordinator must be publicly appealing and be able to use the bully pulpit effectively.  Support from the public is vital, as they use the Internet most frequently and on the largest scale; cooperation from them is therefore key to increase security.
    -The president must find a candidate who has widespread support, while having extensive background knowledge and experience in cyber and national security—no small task.
  • Transparency: Officers or boards within the private, public and government sectors will be implemented to increase communication between the sectors and therefore increase trust. This enhanced level of trust will ensure greater success in efforts to strengthen security, while ensuring that privacy and civil liberties are upheld.
    Review: “The Federal government should continue the principle of “mission bridging”…sharing of expertise, knowledge and perspectives…between network defenders and the intelligence, military and law enforcement organizations.”
    Comment:
    -We all know that sharing is important, but when it comes to sharing important information, where is the limit?  For example, will this sharing bring technology providers into a pre-procurement process to identify operation requirements? Will there be requirements for sharing certain information among sectors? And if a player in the process refuses to disclose certain information, is there a penalty for keeping it confidential?
    -To what extent does real sharing implicate antitrust concerns? And if it does, how will this be addressed?
    -Additionally, sharing by the government is complicated by the classification and protection of much of the most important security information. Obtaining security clearances takes time and money and can require private individuals to disclose very private information. How will the government facilitate the sharing of information in classified areas?
  • Education: The Federal government will implement a cyber security education program that will span from kindergarten to the university level. Public awareness will be spread through the use of public service campaigns promoting responsible use of the Internet.  These campaigns will facilitate understanding of Internet security on all public, industry and government levels.
    Review: “The Federal government should expand support for key education programs and research and development to ensure the nation’s continued ability to compete in the information age economy.”
    Comment:
    -Preventative education is one of the best ways to address a problem. The key will be in how this goal is implemented. How will the Federal government fund cyber security education? What sort of courses or teaching methods will be taught to ensure an impact is being made?
    -It is difficult to determine a success rate for this type of education, so money could be wasted on programs that produce delayed, weak impacts on the public.
    -Policymakers love to talk about education, but when the budget cardinals get their hands on these programs, they are almost always under-funded. Will these cyber education programs have the resources necessary to make an impact?
  • Synergy: Increased collaboration between the government and public will guarantee a more cyber-secure America. The review calls for more information sharing through forums and partnerships between agencies, the industry and the public, in order to recognize common goals and plans.
    Review: “The government should work creatively and collaboratively with the private sector to identify tailored solutions that take into account both the need to exchange information and protect public and private interests…”
    Comment:
    -The Institute supports collaboration where mutual agreements are being made that benefit each side.
    -But there must be assurance that all parties are given equal opportunity for partnerships and information sharing. Are there incentives for particular partnerships compared to others? Will certain companies, agencies or organizations be favored over others for their importance or possession of high-level information?
    -And while partnerships are very feel-good, we need to prioritize efforts so that we focus on things that can make a real impact.
  • Standards: Through “incentive-based legislation”—for example, monetary consequences for service providers— government can encourage industry leaders to demand more security. The president stressed that the “Administration will not dictate security standards for private companies.” However, the review calls for new rules, oversight and laws that require notification of incidents and sharing of information with the government by the private sector. The review also advocates for partnerships in the global IT community to formulate an international standard of cyber security.
    Review: “Another way to increase reporting is through consideration of appropriate data breach notification laws that require notification to the public and to the government, including law enforcement entities that could pursue investigations.”
    Comment:
    -The Institute strongly supports the use of incentives such as monetary “consequences” to drive the market for better cyber security.  Without such incentives the status quo will remain unchanged.
    -However, no one should believe that putting such measures into place—presumably this will require new statutory authority—will be easy. To get this done, the coordinator—and more importantly President Obama himself—will need to spend political capital and twist some arms. That said, we believe it is well worth the effort.
    -As the Administration develops these mechanisms, a range of issues will need to be addressed, including: What would be the framework for these incentives? What kind of penalties are involved? Do companies who have more to lose decide the incentives aren’t worth it?  Are the incentives strong enough to change market-driven behaviors?
    -The new rules, oversight and laws outlined in the review provide negative incentives to the private sector. They need to be carefully crafted to not unduly inhibit cooperation needed for security improvement.
    -Sustaining partnerships in the global IT community and finding an “international standard” of security may be problematic because of immense socio-economic, legal and cultural differences.  Countries have different views on relationships between government and the people, as well as the amount of information and news the public is allowed to view.  Any international law or standard is not only difficult to agree upon, but difficult to enforce. That said, such a standard could be a “game changer” if successful.
  • Innovation: For successful innovations, governmental, industry and public sectors must collaborate on ideas to enhance security technologies and ensure they work to their full potential for each sector. The federal government will help implement new privacy technologies such as identity management systems that build trust between all parties involved in online transactions to assure confidential information is kept safe.
    Review: “The Federal government will work with the industry to develop next-generation secure computers and networking for national security applications and tough new standards for cybersecurity and physical resilience.”
    Comment:
    -Innovation takes lots of time, money and investment.  How much is the government willing to spend/invest on developing and implementing these new technologies? How do small businesses and individuals who may be unable to pay for their own security ensure their information is safe as well? How far are we willing to go for new innovations?
    -Innovation and privacy also require a delicate balance; we must be sure individuals’ information is safe, while not making it impossible to check their bank statement online.

Cyber Secure Institute Statement on President Obama’s Cyber Security Announcements

May 30th, 2009

Contact: Rob Housman
202-486-5874; 202-289-7999
rhousman@cybersecureinstitute.org

CYBER SECURE INSTITUTE STATEMENT ON PRESIDENT OBAMA’S
CYBER SECURITY ANNOUNCEMENTS

INSTITUTE’S EXECUTIVE DIRECTOR—FORMER WHITE HOUSE CZAR OFFICIAL—AVAILABLE FOR COMMENT ON ANNOUNCEMENT

WASHINGTON, DC, MAY 29, 2009—Today, Rob Housman, the Executive Director of the Cyber Secure Institute, made the following comments concerning President Obama’s announcements on cybersecurity.

Housman said, “The President today demonstrated an unprecedented level of commitment to the nation’s cyber security.  Most importantly, the President stressed that the status quo, the unending hack and patch, is no longer acceptable.  That single understanding, that single statement, is vital to achieving real cybersecurity.  The Institute strongly supports the President’s view that a new approach is necessary.”

Housman went on to say, “As the President himself noted, so much of his agenda for the nation’s progress—from e-Health to a smart energy grid—is premised on advanced information technologies.  Effective cybersecurity is critical to the President’s ability to make progress in all these areas.  However, too many of our systems today are inherently insecure—we simply cannot rely on them if we are to make these leaps ahead.  We must require that critical cybersecurity systems be highly resilient and fully secure.  While the President stressed that the government won’t dictate security requirements to industry, at the end of the day, the government will need to use a variety of tools—from incentives to requirements—to drive change or else the status quo will remain.”

Housman, who served as Assistant Director for Strategic Planning in the White House Drug Czar’s Office under President Clinton, also noted, “Having served in a White House Czar Office, it is my view that the cross-cutting nature of cyber security requires a White House czar to coordinate efforts across the government and with the private sector.  As the President emphasized, to date no one is in charge, and that all but guarantees inadequacy of response.  The President has taken a major step to change that.”

He went on to say, “However, the key will be just how ‘in charge’ this new czar will be. Will the Cyber Czar have direct access?  Will the Czar have a high enough profile to command the bully pulpit? Will the Czar have unfettered access to the bully pulpit? Will the office have adequate staff and budget?  Beyond developing a strategy, what sorts of real powers and authorities will he or she have?  Or will the Czar be limited to the power of persuasion?  One reason the Drug Czar office had an impact was that it had broad budget review power over the federal agencies.  Will the Cyber Czar have that sort of power?”

#    #    #