Friday, Jul 25, 2008

Ignorance About the Cybersecurity Threat Has Experts Concerned 

Daniel Fowler, CQ Staff
18 July 2008
CQ Homeland Security


The lack of awareness about the cybersecurity threat -- in the public and private sectors as well as on the individual level -- has people whose job it is to secure computer networks worried.

In a recent roundtable discussion with Congressional Quarterly Homeland Security, officials of Cupertino, Calif.-based Symantec, a security, storage and systems management firm.

"We are both -- in the private and public sector -- under constant attack, whether it be from state actors or just criminals, and the vast majority of people are oblivious to that," said Mark F. Bregman, the company's chief technology officer.

Also participating in the discussion were Kevin Richards, U.S. federal government relations manager; Tiffany Jones, director of government relations for the Americas; and Joe Pasqua, vice president of research in Symantec Research Labs.

"The thing that's a little bit frightening is that so many personal and other computers are under attack and people don't have awareness that they are being attacked because now it's not just about loading viruses that do annoying things on your machine," Bregman said.

"It's about placing these bot networks and things like that where for me as a user it's not really doing anything harmful to me, but it's making my machine an agent in some activity like denials of service attack or spam that's being launched against somebody else," he said. "So, I may be involved in an attack without really knowing it and that level of awareness is not there."

In addition to awareness, the group also touched on topics ranging from the national cybersecurity initiative to business continuity and cyberwarfare.

Q: What do you think is the country's weakest link in terms of cybersecurity?

Bregman: I don't know that I would point to a single weakest link other than the fact that there is a lack of awareness of the threat. I don't know if I'd call that the weakest link, but I think that is the biggest threat we have. There is a sense of complacency or a lack of awareness of the threat.

Richards: I guess I wouldn't call it a weakest link necessarily, but more of a challenge and that would be coordination. There are so many different sectors involved in cybersecurity, and private industry owns or operates 85 percent of the critical infrastructure -- so, I think it's a challenge for the government and the private sector in working together and coordinating that.

Jones: I would absolutely agree. I spend about a third of my time over at the Department of Homeland Security, and our company is constantly being asked to participate in a number of different forums to look at everything from better coordination, better situational awareness, more information sharing. There are a number of different challenges, and I think that is the impetus for the cyber-initiative -- to help get at some of those major problem areas.

Q: Is there enough collaboration between the private sector and the government in terms of cybersecurity and what do you think should be done to improve that relationship?

Bregman: I think there is increasing collaboration. There is a lot of effort to align the work. There are a lot of challenges. One of them is in the private sector. We're very competitive with the other companies who also participate and, at the same time in the context of national security, we have a shared goal. So, there are challenges in how to work between government and the private sector and among private sector firms that have to be worked through.

Richards: I think that the National Infrastructure Advisory Council has done a lot of valuable work. Our CEO sits on the NIAC. ... I think the NIAC has really strived to give some recommendations on how to protect the critical infrastructure. There's been a lot of good private sector recommendations put forward.

Jones: One of the issues though is . . . we make a lot of great recommendations, but what actually ever comes of those recommendations? And so part of it is, we're really hopeful that with the cyber-initiative a lot of these recommendations will actually get implemented.

And, because even if they don't all fall within the cyber-initiative, we're actually seeing a lot more activity generated just because the cyber-initiative to some extent is being utilized as a catalyst to place more attention on the issue writ large.

In my former life, I actually helped draft the national cybersecurity strategy in Richard Clarke's old team. And, so having been a part of that initial strategy process and then seeing the gap that occurred between that time and now and then starting to see the ramp up again of that activity has been fascinating to watch.

Q: You mentioned the national cybersecurity initiative that President Bush signed back in January. What are your thoughts on it?

Bregman: Well, I think it's needed and, as Tiffany said, I think it creates a catalyst or even maybe a focal point for the activity both within government, which by itself is also quite fragmented, and with industry. There are a lot of different parts of the government that have a role to play in cybersecurity and cyberdefense, and yet there hasn't been that central focus. And now, I think, with the cyber-initiative that will bring that focus and it will raise the overall awareness as well.

Pasqua: Yeah -- within industry as a whole and then even within individual organizations. So, as organizations look out, there it is -- sort of a North Star that you can point to, to focus and drive activities internally.

Richards: I think it's an affirmation and a recognition by the administration that the threat has escalated and that more investment needs to be made in this area. Symantec also puts out an Internet security threat report that we release twice a year and we're finding that the threat is more consolidated, more organized and sophisticated. So, we're happy that the administration is recognizing that as well.

Q: Often in emergency preparedness, we talk about the individual as being the weakest link. Does this hold true in the world of cybersecurity?

Bregman: Generally that's been the problem. You read the newspaper. ... take the VA losing information. That was because of an individual mishandling information. It wasn't because there was a systemic problem, and that's often the case. When you look at data loss problems, when you look at breaches -- very often they are traceable to somebody not properly executing the policy.

So, the key in cybersecurity is you can assume that people are not going to be able to or not choose to always adhere to the policies. How do you implement systems to monitor that and to manage it? And that is the challenge.

A simple example, very big in the commercial world right now, is why don't we just encrypt all the [data] on the laptop -- that way when someone loses one, which is going to happen . . . the data's protected. Those kind of things really have to be looked at systematically and it's not a purely technology issue and it can't be purely relying on the people because then you will have that weak link.

Q: What about the individual in terms of their personal computers? Is that a weak link?

Bregman: Well, I think there [are] two different dimensions to that. One is potentially it's a weak link, your computer at home may not be well protected. But, under almost all policies whether it be a corporate policy for most companies or government policy, you shouldn't have corporate or government information on that personal computer. So your personal information may be at risk. But, your poor hygiene shouldn't affect our business.

The reality though is, of course, people don't follow the policy. Well, I'm going home, I'm just going to take this thumb drive and work on my presentation on my home PC or I'll just take these 100,000 personnel records home with me, update them. That's how that happens.

But having said that, there's another thing that's happening very rapidly and that's something we talk about and call the consumerization of the enterprise or consumerization of IT. And, that is happening for two reasons.

One is exactly this problem, "But I want to be able to work on this stuff at home" or more likely it works the other way which is, "Look, I have a home computer and I want to be able to get into the network at work." And, increasingly you're seeing pressure from rogue employees like Joe and myself who go to the IT department and say, "You've got to give me access from my I-phone" or "I know that's the standard machine, but I want a Mac." And so that's the consumer persona pushing back into the enterprise. And, you see this throughout the government as well.

Same thing with applications. Within the intelligence community now, they're implementing Intellipedia. That's a consumer application. Essentially, it's Wikipedia for the intelligence community because the people they're bringing, the people that they're hiring in out of universities that are coming in as analysts are saying, "I've got a set of tools I need to use to be able to do my job. What do you mean I can't use Facebook? What do you mean I can't use Wikipedia. What do you mean I can't use my I-Phone. You don't get it."

And, what's happened is 25 years ago people came into the work force and they were told here's how to use computers. "Wow, I never saw one before then."

Now they come in and they've been using it since they were five years old and they come into the workforce and say, "You guys don't understand -- this is how we use computers." They're telling IT that and that's creating kind of a new vulnerability because companies are feeling that pressure.

Their initial reaction is to lock things down and say, "Nope can't do that, can't have anything on your machine that's not corporate issued, got to have a corporate machine." But, more and more they're realizing that it's ineffective and costly and they're unable to recruit new employees because the new employees will go somewhere that does allow them to use their own tools and do things their own way. So, companies and government are going to have to figure out how to adapt to this.

I was talking to somebody from the U.S. Army about this at an IT security conference and he came up to me and I was very surprised he said it's an issue for them in intelligence within the DOD. When they want to recruit the best and the brightest for cybersecurity, they can't treat it the traditional military way of saying . . . "You might do it that way in the civilian world, but here's how we do it here," because those guys just won't come to work for them. It's not cool. And so they're having that challenge.

He's trying to figure out how can we allow people to bring this consumer technology into the government while at the same time ensuring that it's still secure and we're still protecting it and it's still safe.

Jones: I would say that the Department of Homeland Security is also very interested in trying to reduce the risk that the general consumer plays in creating this army of botnets and propagation mechanisms that could at the end of the day, if utilized in the right way with the right payload, damage infrastructure.

Bregman: I think there's also one other thing in the case of cyberwarfare or cyberdefense that's very different. As Kevin said, I think it's 85 percent of the critical infrastructure to sort of keep the nation running is in the private sector. It's your local bank. It's your insurance company. It's the telephone infrastructure.

All of that by definition is interconnected directly to consumers because they're the customer. And so sure, the military air traffic control system, you can probably fence that off, not let any consumers touch that. The banking system? Not really.

And, so the fear is that an adversary is going to go not after the air traffic control system, the military air traffic controls, they're going to shut down the financial system. And, they can get at it through 300 million consumers as opposed to having to go after a gateway in the federal network.

Pasqua: And the other thing that's going on there is one of these other trends like consumerization of IT -- the industrial institutions are under increasing pressure to open their networks more to consumers, not close them down more, whether it's opening them to consumers for greater numbers of services or opening them to partners and other businesses so they can implement business to business services.

Richards: Our Internet security threat report usually shows that the home user is the most attacked. And I think that what we're seeing is that about half the breaches that occur are usually lack of training or awareness. It's not always necessarily the insider threat.

Q: A cybersecurity expert recently told CQ that by focusing on continuity and resiliency, the financial services and government sectors have actually enlarged the cybertarget for attackers and that other sectors are following suit. He said expanding the target is done by creating backup data centers, backing up fiber optics with wireless and increasing remote user access. What do you think about that statement?

Bregman: I'm not sure I agree completely because I think when people try to establish business continuity or improve business continuity naively that can be a problem. But, one aspect of business continuity, is how do I keep my business running in the face of a cyber-attack. If people are thinking about it holistically in terms of not just the systems have to be up and available to users, but they also have to be secure, which is a part of business continuity, then I think you can actually do a better job.

Now the challenge is, that you're right, you are . . . increasing the surface area for an attack. But, at the same time, if you're really thinking about business continuity, you're increasing the surface area for an attack, but in a way that is hopefully providing a more defensible, more resilient environment.

It's sort of the argument you'd use in a conventional sense where I could put all my assets in one place and really harden it or I could distribute them. If I distribute them, is it increasing my likelihood of getting attacked? Well, maybe. But, if I do it in a smart way -- I'm actually improving my survivability, which is really the key.

The ironic thing is, the whole philosophy behind the Internet was to distribute it in a way that was survivable, not to harden it. And, it's worked extremely well. Despite lots of predictions of imminent collapse, the Internet is incredibly resilient.

Q: We've heard discussion of Russian cyber-attacks on Estonia and China attacking the United States. Can you give me your thoughts on the use of the Internet for asymmetric warfare? Do you see this as a future combat method?

Bregman: Yes. Not future. Not future. We're under attack right now. We just don't have to go in the bomb shelters. That's what I meant by the awareness problem. There are probably two dozen nation states that have ... publicly known cyberwarfare capabilities. And the difference about cyberwarfare is you could be operating it all the time. If somebody dropped a bomb in the middle of Washington, you'd notice it and it would kind of get someone's attention. A lot of these cyber-attacks are kind of lost in the noise of the overall level of activity in the Internet ... and they don't want to be visible.

Richards: I think one of the things I find most alarming is some of the rootkits that were discovered in federal agencies, silently capturing and transmitting information to different areas and I think that's something the government has become more aware of as well.

Jones: And, it's not just government. A number of companies have identified the same problems and challenges. Hence the reason for the Defense Industrial Base initiative. It's a project that's ongoing [relating to] the interconnectivity between the defense industrial base contractor infrastructure and government infrastructure. In many cases they are one in the same, and so by potentially compromising the DIB infrastructure, you're gaining access into government infrastructure.

Bregman: There's also a very blurred line between industrial espionage, which is taking place wholesale through the Internet, intellectual property theft and actual national level cyberthreats because a lot of the shift is in the cyberworld it's not about killing more of your enemy than they kill of yours until someone gives up. It's maybe more about disrupting operating process, financial systems, economics, and that's not as visible. And, so when companies are losing intellectual property through cybertheft, is that a cyberwarfare problem or is it a criminal problem? I don't know. It's not as clear.

Q: Can you talk about Symantec's involvement in the Software Assurance Forum for Excellence in Code, which is looking at the threat of people interjecting vulnerabilities into product code?

Bregman: As we think about the people potentially stealing intellectual property, the flip side of that is there is a threat that they could be injecting defects or vulnerabilities into our product code and there are lots of ways that could happen. The government particularly is a big user of software, is very concerned about this.

We don't want to put software with vulnerabilities or deficiencies into production in critical systems. How do we know that the software is good? The naive approach is, let's just make sure it's built in the U.S. by U.S. citizens. Inadequate.

The real question is how can we provide practices, processes, tools that allow us to assure that the end product that we're going to deliver does what it says it does and doesn't do anything else like send copies of your e-mails to someone else?

So there's a group called SAFEcode that we are one of the founding members of which is an industry group focused on sharing best practices, defining approaches and tools to try to solve this problem.

Q: Could you elaborate on this threat?

Bregman: We've had criminal cases where an employee at a company put a backdoor into software and later on, as he got fired or became disgruntled, he uses the back door to disable it or cause a problem.

What if instead of that, what if that were an actor for another nation state? I'll just add this little thing and later on my clients can get all that information. That would be very bad.

Or imagine if you could just disable the control systems for power plants by sending it some commands that the owners of that software, the people who bought it and installed it, didn't know was there.

Q: Is there a timetable to come up with a protocol or guidelines?

Bregman: The group has been developing and publishing various reports and white papers so I don't think there's a fixed time line to say OK, we're done. This is an ongoing process.

Q: If you were able to make any cybersecurity recommendation to the next administration, what would it be?

Bregman: The first recommendation probably isn't even for the next presidency. The concern is very often presidential initiatives get a nine-month kind of slow down, usually starting about now. So one thing we're talking to people on the Hill and others about is, let's not lose momentum on the cyber-initiative. It is too important. And it's not something that is political in the sense of there's going to be a different approach from the next administration. It's critical to the nation that we keep that momentum going.

Richards: Mark's absolutely right. We just want to maintain momentum on [the] cyber-initiative and make sure in the transition that that priority doesn't get lost between this administration and the next administration. And there seem to be effective people on the Hill pushing it forward, so we don't think it'll be an issue. We just want to keep the awareness level up.

Bregman: The challenge is, in a way, back to what I said earlier. We don't want to be fear mongers and have everybody in the population freaked out. On the other hand, there is a real urgency to improve our cybersecurity stance because we are under constant attack today, and the threat is real.

And, the problem is that because of the nature of it, it's somewhat of a silent or invisible threat. And, so how do you with all the other things going on -- from mortgages to health care to you name it -- how do you maintain enough focus on this, which is . . . not something that Main Street U.S.A. worries about?

They worry about health care because they get sick. They worry about the mortgage crisis because they just got foreclosed. They're worried about reading the newspaper everyday and the gas price is five bucks. They don't worry about we're under attack. And so the fear is not just that the initiative will get lost. Even getting it delayed increases the aperture of risk.

Daniel Fowler can be reached at dfowler@cq.com.
