Obama's Cybersecurity Push: What It Means for CIOs

Happy Birthday, America. We're not as safe as we think. From the electricity grid to the banking system to the defense contractors building our most sophisticated weapons, computers running the nation's critical infrastructure see relentless attacks from criminals and countries alike. Sometimes we hear about it, sometimes we don't.

In the last year, the Federal Aviation Administration (FAA), the Department of Defense (DoD) and the ATM banking system have all been attacked in concerted, organized ways by people who have yet to be apprehended. Hardening critical infrastructure systems in industries as diverse as defense, electricity, financial services and telecommunications will take millions of dollars, perhaps many years and massive political clout. President Barack Obama says he wants to do it. IT leaders want to know how.

"I would be looking for a path and partnership," says Bruce Larson, former security director at American Water Works, a $2.3 billion utility that serves 32 states and part of Canada. Part of the problem is that government and industry don't share enough information, he says. "Government needs information from the private sector about how bad [corporate vulnerabilities are] and what the impact could be. And the private sector needs information about what the real threat might be."


CIOs know that addressing security problems is expensive and largely thankless. Few leaders get pats on the back for preventing crimes and breaches. Some CIOs are wary of government getting too involved in dictating technology standards and choices. But increasing threats bring an urgent need for change in both corporate and government realms, says Paul Kurtz, a partner at security and counterterrorism firm Good Harbor Consulting. Kurtz is a former senior advisor to Presidents Bill Clinton and George W. Bush on national and homeland security.

"For every month that passes without real leadership and decisive action on part of government, we hemorrhage billions in intellectual property stolen," Kurtz says. "Critical systems that support power, oil and gas, aviation, military operations--they are all placed at risk."

What's Going Wrong

Last November, in what the Federal Bureau of Investigation (FBI) calls a "coordinated attack" on automated teller machines in major cities, a "criminal organization" used 100 fake payroll and gift cards to steal $9 million in 30 minutes. The FBI has issued a plea for help identifying men in images caught on video surveillance cameras in Atlanta.

U.S. financial systems, of course, are a favorite target of both casual and serious hackers. The worry is that focused attacks will hit the 17 other sectors deemed critical infrastructure, which include energy, agriculture, transportation, telecommunications, health care, defense contractors and nuclear facilities. As companies collaborate over the Internet, and core IT systems rely more on the public network, vulnerabilities increase. Threats to federal and infrastructure IT systems "are evolving and growing," says the Government Accountability Office (GAO). Security incidents reported to US-CERT, a government organization that tracks security, tripled from 5,500 in 2006 to 16,800 last year.

In April, for example, government officials confirmed that since 2007, hackers have been slipping into computer systems behind the Joint Strike Fighter weapons project. They gained access through defense contractors on the project, which Lockheed Martin is leading. Through these private-sector entry points, the spies have gotten away with several terabytes of design and electronics system data, the officials told The Wall Street Journal. The invaders are thought to be in China.

In February, an FAA website was hacked, exposing data on 48,000 current and former employees, according to a recent audit by the Office of Inspector General (OIG). And in 2008, the OIG says, hackers took over FAA servers in Alaska, discovered the password of an administrator in Oklahoma and got access to 40,000 FAA user names and passwords. Security testing as part of the audit identified 763 high-risk vulnerabilities, such as computers that allowed the remote execution of commands that could shut systems down or reveal sensitive data.

The Central Intelligence Agency has revealed that hackers have caused power outages by breaking into the electricity grid in unnamed countries outside the United States. This month, the North American Electric Reliability Corp. (NERC)--the U.S. electricity industry's biggest trade group--starts auditing power companies to ensure they register critical cyberassets and comply with federal measures and NERC's own standards to protect them. In an April letter to members, NERC's chief security officer warns of "the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations."

"I'm not trying to be a doomsdayer," says John Gilligan, former CIO of the U.S. Air Force and a former executive specializing in telecommunications security at SRA International. "But I can't think of anyone with real knowledge of what's going on who would say he feels confident in our ability to defend ourselves."

Now an independent consultant, Gilligan recently produced what he calls the Consensus Audit Guidelines, one of many proposals for fixing federal and critical infrastructure security now zinging around Washington (see System Security: 5 Ways to Improve Your Defenses Against Attack). What has bothered Gilligan throughout his decades in IT, he says, is how many different computing standards, mandates, regulations and laws govern different parts of the government as well as critical infrastructure companies.

At least 34 federal mandates, regulations and laws apply to the IT inside companies that touch critical infrastructure in the United States, according to the GAO. What's more, it's a collection of rules that no one person, or even one agency or department, oversees. The assortment includes the Food and Drug Administration, Office of the Comptroller of the Currency, Securities and Exchange Commission, Federal Energy Regulatory Commission and the Departments of Treasury, Homeland Security and Interior. Fragmentation means security standards across industries, measured and monitored uniformly, don't exist. Therefore, neither does a good answer to the question, "How secure is the U.S. digital infrastructure?"

Gilligan, like other security gurus, supports the idea of an official to coordinate cybersecurity and related efforts, but warns it's a big, political job to rationalize the crazy quilt of security mandates. The official must coordinate various federal bodies as well as private industry and academia. "Doing this, we would begin to have a cohesive strategy," Gilligan says. "Right now, it's free agents" working for their own organizations' interests.

Formulating long-term strategy gets pushed aside when the focus is on dealing with daily tactical issues or "Whac-A-Mole security," says Daniel Mintz, a CTO at consulting firm CSC and former CIO at the U.S. Department of Transportation (DoT). "The current approach of trying to do everything, everywhere, results in accomplishing little, anywhere," he says.

Last year, under George W. Bush, the government devised a cybersecurity plan called the Comprehensive National Cybersecurity Initiative, aimed mainly at protecting systems related to the Department of Homeland Security. That's a narrow swath of cyberspace and, because the work is classified, it's hard to tell how effective it's been. Obama has pledged to be "transparent" about the process and seek out advice from the private sector. But the idea of government imposing new rules for industry sends up a red flag for some. Industry can usually patrol itself, maintains Larson, the former security director at American Water, provided there are market incentives to do so. "If you're a large, publicly owned entity, your board is not going to let you get away without identifying risks and mitigating them. That's market forces at work."

The Changing Threat

When government officials talk publicly about security, most of the scenes they paint involve malicious people taking down major systems. In turn, we are assured that government and corporate entities have reliable backups.

But that's not the way cyberattackers are behaving, says Eugene H. Spafford, executive director of the Center for Education and Research in Information Assurance and Security. The center is affiliated with Purdue University, where a year ago then-Senator Obama held a summit on security challenges. The trend security experts consider more insidious is attacks that make subtle changes to data rather than denying service outright: a corrupted record is harder to notice, and harder to trust once noticed, than a blank screen.

Corrupting data in the financial system by introducing errors would spread fear about the accuracy of bank records. People, perhaps countries, now distrustful of the system would pull their money out en masse. Computer break-ins that mess with the electric grid or the healthcare system or the air traffic control system could kill people, Spafford says.

"Suppose all the flight control systems get altered to direct planes into each other rather than have the screens go blank," he says. So far, such a calamity hasn't happened. But if it did, Spafford adds, "the result would be a lack of confidence in the system even when it was restored."

Covering the most critical security gaps, not just the obvious ones, then, becomes imperative, Gilligan says. "Especially in today's environment," he says, "it wouldn't take much to push us even further into recession or depression."

Corporate IT leaders can adopt some protection methods commonly used by government, such as encrypting sensitive data as well as application software when doing backups. But other tactics don't make sense in the corporate realm.

At the U.S. Department of Defense, for example, just 10 of its thousands of computing sites are connected to the Internet, says Rear Admiral Elizabeth Hight, vice director of the Defense Information Systems Agency, which supplies much of the infrastructure IT to the DoD.

Fewer connections to the public networks mean fewer points of vulnerability, Hight says. But today, keeping a company off the Internet probably means putting a company out of business.

Practical Solutions

So what to do? One proposal gaining attention in Washington is the Consensus Audit Guidelines. Gilligan worked to develop them with security research and training group The SANS Institute, the Center for Strategic and International Studies, as well as other security experts and practitioners inside and outside government. The guidelines emphasize simplicity. Rather than dive deep into technology or debate which agency should oversee another, the guidelines put forth 20 basic management and process ideas, the underlying principle of which is frequent monitoring and measuring of whatever you're doing to thwart the most common patterns of cyberattack.

The guidelines, says Eugene Schultz, CTO of consulting firm Emagined Security, "are about how you perceive the problem and how you manage it with limited resources. It's very real-world."

That's a good approach, security experts say, as cybercriminals continually adjust their patterns and tools. Not only that, but most are steps that every CIO could take today without spending a ton of money.

Within each of the 20 controls is an explanation of how attackers can exploit the area and steps you can take to prevent that, ranging from quick-win, simple tasks to advanced methods.

The U.S. Department of State has been testing the guidelines for several months. John Streufert, State's chief information security officer and the deputy CIO for information security, has mapped real security attacks that he has recently experienced to Gilligan's controls to determine whether, if a given recommendation had been in place, it would have had any effect. No private-sector companies have tested the guidelines, Gilligan says, but he is talking with several federal CIOs about doing so. The Nuclear Regulatory Commission is also piloting the guidelines.

Malware is one problem lately at State, Streufert says. Control number 12--malware defenses--calls for such tasks as checking machines daily for updated malware protections and pushing out updates every day. IT should also configure machines to scan removable devices for malware upon insertion into a laptop or PC. Also suggested is taking a firm stand: deploying network access control tools to verify security configurations and patch compliance before granting network access.

State also ran scans for unauthorized hardware and software on its networks, which are controls number one and number two. Streufert is reluctant to say how much malware or how many unauthorized devices he found, or estimate the cost of the problem. But by using Gilligan's 20 techniques, and regularly measuring and improving how the State Department staff proactively manages security, State has reduced the internal risk scores it gives itself in several critical areas by 83 percent over 11 months, Streufert says.
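The three controls the State Department pilot leans on above (1 and 2, authorized hardware and software; 12, malware defenses) all reduce to the same daily routine: compare what the network actually shows against what the organization has authorized, count the gaps, and watch the count fall. The script below is an added illustration of that routine, not State's or SANS's code. The authorized inventories, the observed hosts, the "as of" date and the per-control weights are all constructed sample data, and the finding format and risk weighting are assumptions for the example.

```python
"""Added example: daily measurement for Consensus Audit Guidelines controls
1 (authorized devices), 2 (authorized software) and 12 (malware defenses).
All inventories and observations are constructed sample data."""
from datetime import date

# Constructed baseline: what the organization has authorized.
AUTHORIZED_DEVICES = {  # MAC address -> asset name (control 1)
    "00:1a:2b:3c:4d:01": "ws-finance-01",
    "00:1a:2b:3c:4d:02": "ws-finance-02",
    "00:1a:2b:3c:4d:10": "srv-file-01",
}
AUTHORIZED_SOFTWARE = {"office-suite", "pdf-reader", "av-agent", "vpn-client"}  # control 2
MAX_SIGNATURE_AGE_DAYS = 1  # control 12: malware signatures must be refreshed daily
RISK_WEIGHTS = {1: 10, 2: 5, 12: 8}  # assumed weights for the internal risk score

# Constructed observations, in the shape an endpoint agent or network scan might report.
OBSERVED_HOSTS = [
    {"mac": "00:1a:2b:3c:4d:01", "host": "ws-finance-01",
     "software": {"office-suite", "av-agent", "vpn-client"},
     "av_signature_date": "2009-06-30"},
    {"mac": "00:1a:2b:3c:4d:02", "host": "ws-finance-02",
     "software": {"office-suite", "av-agent", "p2p-share"},   # unauthorized package
     "av_signature_date": "2009-06-25"},                     # stale signatures
    {"mac": "00:1a:2b:3c:4d:99", "host": "unknown-laptop",   # not in the device inventory
     "software": {"av-agent"},
     "av_signature_date": "2009-06-30"},
]
AS_OF = date(2009, 7, 1)  # constructed run date


def audit_hosts(hosts, authorized_devices=AUTHORIZED_DEVICES,
                authorized_software=AUTHORIZED_SOFTWARE, today=AS_OF,
                max_age_days=MAX_SIGNATURE_AGE_DAYS):
    """Return one (control number, host, detail) tuple per violation found."""
    findings = []
    for h in hosts:
        # Control 1: a device on the network that nobody authorized.
        if h["mac"] not in authorized_devices:
            findings.append((1, h["host"], f"unauthorized device {h['mac']}"))
        # Control 2: software installed that is not on the approved list.
        for pkg in sorted(h["software"] - authorized_software):
            findings.append((2, h["host"], f"unauthorized software {pkg}"))
        # Control 12: anti-malware present and its signatures updated within the window.
        if "av-agent" not in h["software"]:
            findings.append((12, h["host"], "no anti-malware agent installed"))
        else:
            age = (today - date.fromisoformat(h["av_signature_date"])).days
            if age > max_age_days:
                findings.append((12, h["host"], f"malware signatures {age} days old"))
    return findings


def risk_score(findings, weights=RISK_WEIGHTS):
    """Weighted count of findings; higher is worse. Tracked day over day it shows
    whether remediation is actually moving, which is the point of the guidelines."""
    return sum(weights[control] for control, _, _ in findings)


def nac_admit(host, **kwargs):
    """Network-access-control style gate: admit a host only if it audits clean."""
    return not audit_hosts([host], **kwargs)


if __name__ == "__main__":
    todays = audit_hosts(OBSERVED_HOSTS)
    for control, host, detail in todays:
        print(f"control {control:2d}  {host:15s}  {detail}")
    print("risk score:", risk_score(todays))
    for h in OBSERVED_HOSTS:
        print(f"{h['host']:15s} admitted={nac_admit(h)}")
```

Run daily against the same baseline, the risk score is the number Streufert describes tracking; the finding list is the work queue, and the NAC gate turns the measurement into enforcement.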
