Energizing
Your Efforts
IT
security, both physical and cyber is “top of
mind” for
government decision makers responsible for driving business value and
setting the IT agenda.
The nation wanted him moved. After all, he was not one of their own.
After years of occupation, they were finally again free, independent
and sovereign. So, why not remove a hated symbol of that occupation, a
huge statue of a soldier. And they did, despite the protests of the
former occupier.
That should have been end of story, but it wasn’t. Soon
after,
the nation was attacked again. But this time it
wasn’t with
bullets and bombs, it was with worms and viruses.
And the worms and viruses launched during these denials of service
attacks took down government and banking online computing capabilities
for a month. Imagine, being offline for a month! And there was no way
to prove that these cyber attacks were government sponsored.
Fortunately the U.S. was not the target for this attack. But Estonia
was – the victim of cyber attacks from servers in Russia.
Catalyst
For Action
This incident – recounted by Richard Clarke, former Special
Advisor to the President for Cyberspace Security, in his keynote at the
2007 Government IT Security Conference – was one of the
catalysts prompting the administration to ask Congress to immediately
move $152
million into cybersecurity programs for use during FY2008.
| “People are
going
to get in. We need to start designing a different strategy that accepts
the network is permeable and designs
around instead what’s on the network. The network
isn’t valuable, it’s the data on the network, that
at rest and being used.”
—Richard Clarke
|
Then the administration promoted Marie O’Neill Sciarrone to
Special Assistant to the President for Homeland Security and Senior
Director for Cybersecurity and Information Sharing Policy.
Those 30,000 foot level moves are significant. They should not only
provide much needed funding for cybersecurity efforts, but also add
thump to movements such as creating a governmentwide standard desktop
configuration, implementing HSPD-12 and instituting reality-based COOP
where agencies recognize mobile computing and telecommuting are not
optional, but
essential to maintaining and enhancing their operations.
All of this points to more focus on IT security – physical
and cyber – by government decision makers responsible for
driving business value and setting the IT agenda.
The
Wide Open Network
Clarke told the audience that over the years hackers through attacks
such as Midnight Maze and Titan Ring have successfully infiltrated
supposedly secure systems and stolen terabytes of secure data. And like
the 20th century missile race, as defenses improved, attackers got
smarter, raising the stakes. “Then the attacks
stopped,”
said Clarke, “probably because they found a way to do it that
can’t be detected.” Clarke also explained that real
pros
even “clean up” after they finish leaving no trace
of their
crime and asked the chilling question, “If they can do this,
why
shouldn’t they be able to shut down our critical
infrastructure and shut off our systems?”
So why is it that our IT systems seem to be vulnerable to attack?
Can’t we write code to protect us? Clarke explains that would
be
difficult since most code is written outside the U.S. And while it
would be safer to have all sensitive code written inside the U.S., it
would be only a matter of time before an adversary exploits any
software weaknesses.
Networks are already laced with “trap doors” in
both software and hardware says Clarke.
So, what does that mean? Clarke asks what are we protecting –
the
system or the data? “The network isn’t valuable,
it’s
the data on the network, both the data at rest and the data being
used,” explains Clarke.
To secure the data Clarke says securing source codes are important and
that “major players” are getting together looking
for ways
to share information using encryption technologies. And organizations
such as the Center for Security and International Studies are examining
the issue and are commissioned to come up with recommendations for
government cybersecurity by December 2008.
Reality
Based Strategy
Clarke says we need to accept the fact there are routers and fire walls
in use that are laced with “trap doors”.
“We cannot
have 100% security and we need to accept the fact people are going to
get in and start pursuing a different strategy designed on protecting
the data itself.”
“We need to look for ways for encrypting information so makes
it
impossible to use,” adds Clarke. “We
can’t close the
doors, but we can encrypt information and do a better job of assigning
the digital rights as to who can see what data.”
“We need to find ways of locking data down and making it
accessible to only those authorized to use it without having to go
through bulky authentication systems. It must be easy and seamless to
the user.”
Clarke was an advocate of a single “closed loop
network”
for government. This proposal was rejected, but the idea of reducing
the number of government Internet gateways promoted by OMB in its
Trusted Information Connections initiative shows that government
realizes the security implications of a wide open government IT
infrastructure with thousands of gateways to be protected.
Further realization has hit big-time that there needs to be real-time
security monitoring.
Moreover, the recent released NIST guidelines to help agencies with
their FISMA reporting about managing risk acknowledge that security
risks are changing and dynamic and traditional procedures for
certification and assessment may be difficult to use.
Cyber
SaaS?
So what does Clarke advocate?
First of all government needs someone in charge with the authority and
resources to drive change in culture and
compliance with directives.
Clarke also advocates government begin to look closely getting cyber
services on demand through a Software as a Service (SaaS) solution.
“It would take from the individual agencies the burden of
running
27 different systems and create a SaaS alternative; one that is
efficient, competent, outsourced, but closely managed by the federal
government; one that allows departments to hook in and get what they
need when they need it.”
The
2008 Priority Report Series
This new FCW Custom Series examines
what at the top of government’s “Must Do”
list.
There is the “to do list” and then there is the
“must
do” list. These are the program and policy efforts marked
“priority” and are a “must do”
for government
executives and managers.
During 2008, seven priority issues
have been targeted:
IT Security – February 2008
Identity Management – March
2008
Green Government – April 2008
Information Assurance/Sharing
– May 2008
Authentication – July 2008
Collaboration/Tools – August
2008
Security Directives/Compliance
– September 2008
Each installment of the series features public and private sector
leaders giving their thoughts and opinions on:
• Programs/Policies: What these leaders are saying and doing?
• Issues: What is confronting government managers/executives
daily?
• Solutions: What is working both in terms of technology and
culture?
• The Future: What these thought leaders see as their vision
of what lies ahead?
The first report in the series examines IT Security. The major issue
facing government decisionmakers is not whether there should be IT
security; but how do you balance today’s demand for open
communications, enhanced collaboration and increased mobility with the
absolute necessity of closing off data and sensitive information from
terrorists, criminals and nations that threaten our safety. Inside,
read:
• Know IT Security: Security expert Jim Litchko provides plain
talk on securing computers and networks.
• Up and Down At The Same Time: Security is still a moving
target for government managers.
• Your Best Friend: Don’t laugh, but the IG
community says it is on your side.
• FISMA, Phase II: The focus is on credentialing programs for
organizations to demonstrate core competencies for
offering security services to federal agencies.
• Fine Tuning FISMA: For FISMA reporting, just who has
“significant information security responsibilities”?
|
|
