After Slow Start, the Cybersecurity Coordinator Appears to be Gaining Momentum

It was very encouraging to hear the updates from Howard Schmidt, the White House Cybersecurity Coordinator as reported from the meeting held at the White House on July 14.  The meeting was obviously designed to show progress on the cybersecurity issue and demonstrate that the White house still intended to take a leadership role.  Homeland Security Secretary Janet Napolitano and Commerce Secretary Gary Locke attended the meeting as did IT Security leaders from the DoD, NSA, FBI, and several other agencies.  Most importantly, the President himself made an appearance to provide his support, which was a key visual for Mr. Schmidt as he continues to get his hands around the role.

This blog has been consistently critical of the large gap between the announcement of the role of Cybersecurity Coordinator and the appointment of Mr. Schmidt.  However, there are very promising signs that progress is being made and that Mr. Schmidt is a good fit for the role.  I have been to numerous events where Mr. Schmidt has spoken, and he is obviously eager to take the cybersecurity message to the public and be accessible.

I had the unique opportunity to speak briefly with Enrique Salem, the CEO of Symantec, at a reception following Symantec’s Government Symposium last month, and Mr. Salem is an enthusiastic supporter of Mr. Schmidt.  This is consistent with the overwhelmingly positive feedback from everyone I have encountered in the industry who knows Mr. Schmidt or has firsthand experience working with him.  He seems to be the right person for a delicate and challenging job.

When I worked at webMethods, CEO Phillip Merrick often used the metaphor of the railroad junction approach employed by the Union army in the Civil War.  It was an important tactic of the Union to divide and attack the Confederacy by controlling important railroad junctions.  Merrick was speaking toward controlling important junction points in electronic commerce, but I was reminded of the metaphor when thinking of the critical link between the defense of our country and cyber security.

The railroad junction approach is a representative tactic of a broader strategy of warfare: targeting all of the things that enable an enemy to wage war, thereby weakening that enemy and forcing a more rapid conclusion to hostilities.  The United States has based much of our ability to wage war on our ability to effectively network information.  That makes these networks a logical attack point for our adversaries, and we must do all that we can to prepare for that scenario and protect against such incursions.  This is not limited to just the systems supporting the DoD – our financial systems, infrastructure, and transportation are also at risk.

Progress relies on someone to lead policy as well as become an effective facilitator between the government and the industry.  By all indications, Mr. Schmidt is that person, and by appearing at last week’s meeting the President continues to demonstrate that cybersecurity is a priority to the country and that Mr. Schmidt has his support.

As the saying goes, it is not about how you start but how you finish.  We may not have agreed with the slow start regarding the appointment of the Cybersecurity Coordinator, but we like the early indications of the direction of the role under Mr. Schmidt.  And we are hopeful for continued progress.

A Condensed Guide to the Security Fails of 2009

The past several weeks I have been posting a series I called the Security Fails of 2009.  It was designed to be a look at stories that illustrated the challenges faced in IT security as well as some of the broader issues shaping the industry. 

For your convenience, here is a recap with links:

12/10 – The Marine One Breach – illustrates the threats created by unauthorized applications.

12/14 – The Strange Case of the Missing Cyber Czar – a look at the seven months that had passed since the announcement of the position in May.  Obviously the position has been subsequently filled.  Coincidence?

12/16 – Conficker Becomes a Media Darling.

12/18 – Adobe Takes the Exploit Crown from Microsoft.

12/21 – The Heartland Payment Systems Breach – Lessons learned from the largest breach of customer data to date.

Cyber Czar Announcement Slipped Under the Door – What Does That Say?

Today it was announced that Howard Schmidt was appointed to the White House Cybersecurity Coordinator position otherwise known as the cyber czar.  Much has been written in our blog about this position since it was announced, and the timing and approach to the announcement has done nothing to eliminate the concerns previously expressed.  I have much reading to do before I comment directly on Mr. Schmidt, but I do have very strong impressions from the way it has been handled.

The position was originally announced at a press conference in late May on the Friday before Memorial Day.  Not exactly a day and time that you would select for something of importance or to maximize the impact.  Months passed as candidates not only turned down the position, but candidates like Melissa Hathaway left the government for the private sector. 

And now we get an announcement stating the position has been filled on the Tuesday of Christmas week, in a city where most of the government is closed because of a record setting snowstorm.  The announcement gets a mention on the White House blog with a picture of the President shaking hands with his new Cybersecurity Coordinator in what appears to be a hallway.  No press conference, no fanfare, no President standing at the side of the new Czar as a show of support to the position and a commitment to the idea of cyber security. 

I went to the White House press page at 11:00 am EST and there is no formal announcement.  There is news about the Enactment of the Airline Flight Crew Technical Corrections Act, something about agencies cutting spending by $19B, and some nominations that were sent to the Senate, but nothing about this position. 

I am sure there will be Obama acolytes that will line up to applaud the announcement, but I find myself angry today as I weigh what I see from the White House.  I have the somewhat unique perspective of being a marketing person in cyber security.  That means that cyber security is important to me and I have a taste of the threat against our country.  As a marketing person, I see the not so subtle signals being sent by the White House regarding this subject.  Put this in context of the amount of energy thrown at other items such as the Chicago Olympic bid, and it is reasonable to draw the conclusion that the White House is not committed to cyber security and this role.  

I would be a lot angrier if I had not spent the last year working with people at NIST, the NSA, the intelligence community and the DoD who are proactively and energetically looking for new and innovative ways to protect our government from malicious attacks.  Best of all, these groups are working together to share data and knowledge in a way that would make taxpayers happy and proud.  So I’ve seen real, actionable progress taking place long before Mr. Schmidt assumed this role.   

To be clear, I never viewed the cyber czar as some sort of mythical figure that could solve our cyber security problems with a wave of the hand, but I was hopeful that the role would serve as a way to focus attention on the problem and help create a sense of urgency toward progress.  And if that person was seen as having the “full faith and credit” of the President, it would give that person some authority to be something other than a figurehead. But that is exactly how I view this position today – a campaign promise fulfilled in the least effective way possible and with minimal authority, buried in slow press days.

This week we got news that our military drones had been hacked with $26 software, a plea was entered in the Heartland breach by the same person who pulled off the TJX breach (who used a simplistic and well known SQL injection technique to penetrate Heartland), and that Twitter was disabled completely by a DNS attack.  And we get a tepid announcement the Tuesday before Christmas on a position that it took them seven months to fill.  I’d hate to see what type of catastrophic, IT security based incident it would take to make the White House treat the problem with the seriousness it deserves.

Does the Hathaway Resignation Signal Movement Toward a Cyber Czar?

Yesterday I posted about the two-month anniversary of the May 29 announcement by the White House regarding the creation of the Cyber Czar position and the subsequent lack of progress in finding someone to fill that position.  The proverbial plot thickened that afternoon when it was announced that Melissa Hathaway, acting cyberspace director for the White House National Security and Homeland Security councils, had resigned from her post.

I do not know Ms. Hathaway, nor do I claim to be close to the process of selecting the Cyber Czar, so at best what I can do is engage in a well-worn tradition here in the Washington D.C. area and speculate.   Numerous reports have said that Ms. Hathaway was interested in the role, as she was the lead in creating the Cyberspace Policy Review that defined this new position.  In my view, logic and reason would indicate that if she were going to be the Cyber Czar they would have appointed her at the announcement in May rather than have this uncomfortable and undefined gap we are living with today.  So while reports say she withdrew her name two weeks ago, I suspect that the realization that she was not the administration’s choice came much earlier.  Regardless, the work done on the review was broad and extensive, and she should be recognized for helping to move the dialogue about IT security forward.   I wish her the best in her new endeavors.

I am hopeful that Ms. Hathaway’s departure is an indication that the administration is close to having a name for the position and her exit was designed to make the transition more seamless.   I do not question her stated motives, but having her voluntarily leave prior to the announcement of the cyber czar makes for a much cleaner transition for the President and eliminates the need to orchestrate what could have been an awkward departure.   If the administration is not close to having a candidate, then her resignation will likely have the effect of forcing the administration to accelerate the process as her departure eliminates the safety net that existed with her in the role, albeit as a lame duck.   Or we are faced with the third scenario that the administration is really not that committed to cyber security and that all of this has been fanfare and flag waving with no real sense of urgency.   I sincerely hope that this is not the case, but the administration can only blame itself for creating lingering doubts with the two months of post-May 29 silence.

The next several days should be telling.  If the administration indeed has their person for the job, then I suspect they will give the Hathaway resignation a couple of days to recede from the public consciousness and then make the announcement.  Or we will go back to the awkward silence that, in my opinion, shouts volumes.  Let us hope this marks the way forward.

It is August, and the White House has Thrown Out More First Pitches Than Cyber Czar Nominees

Here we are at the last Friday of the month, marking the two month anniversary of the announcement by the White House of the creation of a Cyber Czar to help centralize the cyber security activities of the federal government and build bridges to the private sector.   And in those two months the President has thrown out more first pitches to baseball games than names for the position. 

As a CEO, I am expected to be right more times than I am wrong, but this is one case where I had hoped not to be right.  When you balance the lack of forward movement with stories such as the one by Brian Krebs of the Washington Post on how much sensitive data has been leaked because of peer-to-peer applications, the outlook is not good.  We were already in a game of catch up, and valuable time has been lost while the gap grows larger.

In this case, actions do speak louder than words, and every day that passes (with no announcement) makes the proclamations of May 29 seem increasingly empty.  After two months it is fair to ask the administration about the next steps and when we will see them.  If no one is interested in the post, then the administration must see that as a clear indicator that the post has not been properly defined and empowered and make the changes necessary to move forward.  The alternative is to find a gamer who will take the job as currently defined only to face a certainly difficult climb to success.

I applaud your stated objective to make cyber security a priority, Mr. President.  But after two months, we need to hear something instead of silence so we know that the initiative is moving forward.

Tackling the Pressing One Handed Security Topics of the Day

I had some shoulder surgery on Thursday so I will ease back into the work flow with some short, typeable-with-one-hand subjects.

  • In past blogs we have talked about the ecosystem between Microsoft and the antivirus vendors. The “circle of life” is roughly: MS releases operating systems and software, software has flaws, cyber criminals exploit flaws, people buy AV software. In a recent article in Canada.Com a writer puts some numbers on the effect of an OS release for McAfee and Symantec. Of course, the writer does not single out security-related spend, so it is very non-specific. But it does put some real numbers into the context of enterprise valuation tied to OS releases and the “positive impact on the entire PC value chain.” There is nothing inherently wrong with such ecosystems, and they evolve quite naturally in business. But sometimes protection of a comfortable, mutually beneficial ecosystem can slow innovation, and I am of the opinion that this is the case with IT security at times.
  • A new study shows CEOs and their management teams often disagree on key security issues and the threats to the organization. In short, CEOs do not perceive their organizations as vulnerable, while the next level of execs sees a different picture. We are not talking wide layers of management between these two views, as many of the senior execs report directly to the CEO. There is clearly a disconnect and a false sense of security on the part of the CEO, which leads to obvious issues in funding security initiatives. It would seem we still have some way to go in educating CEOs on the threat level and the potential impact to the organization.
  • Cyber criminals are doing brisk business with malicious sites aimed at those looking to download pirated copies of the new Harry Potter movie. A correlation between Harry Potter fans and computer geeks – who would have predicted?
  • I have led a charmed life and have not had surgery since I was six for tonsils (I never got ice cream, BTW – someone owes me because they always promise ice cream when you get your tonsils out). Prior to the surgery, I cannot tell you the number of times my identity was verified by someone who would look on the information on my bracelet and then ask me personally identifying questions. The number on my bracelet was continually cross matched to the forms. I even had to initial the affected shoulder with the Doctor. Such thorough multi-factor authentication was impressive and laudatory, but threat of malpractice is a major driver to such discipline. This takes us back to the cold hard fact that any security compliance is only as effective as the teeth behind it. Our CEO has been saying as much about the White House Cyber Security Policy and the need for enforcement teeth for it to succeed. What I saw at the hospital is policy driven by real monetary dynamics (avoiding malpractice) that is given high priority from the top.

The Korean DoS Attacks, Securing the Software Supply Chain and More

I will take potpourri for $200, Alex…

  • Triumfant CEO John Prisco is quoted in the July 10 post of Byron Acohido’s The Last Watchdog blog regarding the Korean DoS attacks. These attacks have taken an interesting turn as the botnets created by attackers are now literally turning on the infected machines, deleting files and ultimately corrupting the system until it will not boot.  I have read a lot about this attack from many respected members of the IT security community.  Some have assessed the attacks as unsophisticated and poorly executed, while others like Acohido and Brian Krebs of Security Fix (which was targeted in the actual attack) are speculating on whether it is a practice run – a war game – for more targeted attacks down the road.  Either way, it is one of the most interesting story lines since we were all gripped with Conficker fever in the early spring.  I suspect there will be more intrigue to come.  If it was a war game, it will be interesting to see how the good guys grade themselves. 
  • I posted a blog entry in June about Securing the Software Supply Chain and how Triumfant can help manage that important part of any organization’s security strategy.  The white paper on the subject is now available on the Triumfant web site for your reading pleasure.  Since many defensive products do their monitoring as malicious software is inbound to the machine, attacks embedded in what appears to be legitimate software may evade protection.  Because Triumfant looks for changes on endpoint machines, it will detect the event where the embedded malware “wakes up” and begins its malicious activity.
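The point above is that a component which passes inbound inspection can still be caught later, when it changes something on the endpoint. The following is an added illustration of that endpoint change-detection idea; it is not Triumfant's code and makes no claim about how that product works. It snapshots a directory tree as (size, SHA-256) per file, then diffs a later snapshot against the baseline. The "vendor package" and the runtime activity (a dropped file and a flipped config setting) are constructed in a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (size, sha256) for every regular file under root, keyed by POSIX relative path."""
    root = Path(root)
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Return the files added, removed, or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Install a constructed package, baseline it, simulate later activity, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "vendor package" as delivered: both files are exactly what was
        # inspected on the way in, so an inbound scanner has nothing to object to.
        (root / "bin").mkdir()
        (root / "bin" / "updater.exe").write_bytes(b"legit updater v1")
        (root / "config.ini").write_text("autostart=0\n")
        baseline = snapshot(root)

        # Simulated later activity on the endpoint (constructed): the installed component
        # writes a file that was never part of the package and changes a setting.
        (root / "bin" / "helper.dll").write_bytes(b"dropped at runtime")
        (root / "config.ini").write_text("autostart=1\n")
        current = snapshot(root)

        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be taken at install time (or against a known-good reference image), stored off the host, and compared on a schedule or on file-system events; what the diff surfaces is the moment the component starts behaving differently from what was inspected.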
  • I recently was away at the beach for a week with my family.  I mention that because I did not tweet or blog about the fact that I was gone, as there have been reports that people have been robbed after letting the world know through social media outlets that they would be away from their home for extended periods. Which brings me to two points.  First, never underestimate the speed with which the bad guys will find and exploit new paths – in this case social media – to do their criminal work.  Second, security, whether it is IT security or physical security, requires an element of good old prudent thinking to succeed no matter how much technology is deployed.  Human factor engineering (or stopping stupid, as I call it) has been and will always be the biggest failure point in security.
  • Isn’t it time for someone in the Obama Administration to tell us why we do not have a cyber czar yet? I mean really.  I agree with our CEO John Prisco completely and join him in wondering why they would first make the announcement without a person in the spot much less go six weeks after the announcement without a nomination.  The claims of IT Security being a priority are starting to sound very hollow.