Obama’s Cybersecurity Push: What It Means for CIOs

Happy Birthday, America. We’re not as safe as we think. From the electricity grid to the banking system to the defense contractors building our most sophisticated weapons, computers running the nation’s critical infrastructure see relentless attacks from criminals and countries alike. Sometimes we hear about it, sometimes we don’t.

In the last year, the Federal Aviation Administration (FAA), the Department of Defense (DoD) and the ATM banking system have all been attacked in concerted, organized ways by people who have yet to be apprehended. Hardening critical infrastructure systems in industries as diverse as defense, electricity, financial services and telecommunications will take millions of dollars, perhaps many years and massive political clout. President Barack Obama says he wants to do it. IT leaders want to know how.

“I would be looking for a path and partnership,” says Bruce Larson, former security director at American Water Works, a $2.3 billion utility that serves 32 states and part of Canada. Part of the problem is that government and industry don’t share enough information, he says. “Government needs information from the private sector about how bad [corporate vulnerabilities are] and what the impact could be. And the private sector needs information about what the real threat might be.”

To read more, see Obama’s Cybersecurity Coordinator Has Broad Agenda and System Security: 5 Ways to Improve Your Defenses Against Attack.

CIOs know that addressing security problems is expensive and largely thankless. Few leaders get pats on the back for preventing crimes and breaches. Some CIOs are wary of government getting too involved in dictating technology standards and choices. But increasing threats bring an urgent need for change in both corporate and government realms, says Paul Kurtz, a partner at security and counterterrorism firm Good Harbor Consulting. Kurtz is a former senior advisor to former Presidents Bill Clinton and George W. Bush on national and homeland security.

“For every month that passes without real leadership and decisive action on part of government, we hemorrhage billions in intellectual property stolen,” Kurtz says. “Critical systems that support power, oil and gas, aviation, military operations—they are all placed at risk.”

What’s Going Wrong

Last November, in what the Federal Bureau of Investigation (FBI) calls a “coordinated attack” on automated teller machines in major cities, a “criminal organization” used 100 fake payroll and gift cards to steal $9 million in 30 minutes. The FBI has issued a plea for help identifying men in images caught on video surveillance cameras in Atlanta.

U.S. financial systems, of course, are a favorite target of both casual and serious hackers. The worry is that focused attacks will hit the 17 other sectors deemed critical infrastructure, which include energy, agriculture, transportation, telecommunications, health care, defense contractors and nuclear facilities. As companies collaborate over the Internet, and core IT systems rely more on the public network, vulnerabilities increase. Threats to federal and infrastructure IT systems “are evolving and growing,” says the Government Accountability Office (GAO). Security incidents reported to US-CERT, a government organization that tracks security, tripled from 5,500 in 2006 to 16,800 last year.

In April, for example, government officials confirmed that since 2007, hackers have been slipping into computer systems behind the Joint Strike Fighter weapons project. They gained access through defense contractors on the project, which Lockheed Martin is leading. Through these private-sector entry points, the spies have gotten away with several terabytes of design and electronics system data, the officials told The Wall Street Journal. The invaders are thought to be in China.

In February, a FAA website was hacked, exposing data on 48,000 current and former employees, according to a recent audit by the Office of Inspector General (OIG). And in 2008, the OIG says, hackers took over FAA servers in Alaska, discovered the password of an administrator in Oklahoma and got access to 40,000 FAA user names and passwords. Security testing as part of the audit identified 763 high-risk vulnerabilities, such as computers that allowed the remote execution of commands that could shut systems down or reveal sensitive data.

The Central Intelligence Agency has revealed that hackers have caused power outages by breaking into the electricity grid in unnamed countries outside the United States. This month, the North American Energy Reliability Corp. (NERC)—the U.S. electricity industry’s biggest trade group—starts auditing power companies to ensure they register critical cyberassets and comply with federal and NERC’s own measures to protect them. In an April letter to members, NERC’s chief security officer warns of “the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations.”

“I’m not trying to be a doomsdayer,” says John Gilligan, former CIO of the U.S. Air Force and a former executive specializing in telecommunications security at SRA International. “But I can’t think of anyone with real knowledge of what’s going on who would say he feels confident in our ability to defend ourselves.”

Now an independent consultant, Gilligan recently produced what he calls the Consensus Audit Guidelines, one of many proposals for fixing federal and critical infrastructure security now zinging around Washington (see System Security: 5 Ways to Improve Your Defenses Against Attack). What has bothered Gilligan throughout his decades in IT, he says, is how many different computing standards, mandates, regulations and laws govern different parts of the government as well as critical infrastructure companies.

At least 34 federal mandates, regulations and laws apply to the IT inside companies that touch critical infrastructure in the United States, according to the GAO. What’s more, it’s a collection of rules that no one person, or even one agency or department, oversees. The assortment includes the Food and Drug Administration, Office of the Comptroller of Currency, Securities and Exchange Commission, Federal Energy Regulatory Commission and the Departments of Treasury, Homeland Security and Interior. Fragmentation means security standards across industries, measured and monitored uniformly, don’t exist. Therefore, neither does a good answer to the question, “How secure is the U.S. digital infrastructure?”

Gilligan, like other security gurus, supports the idea of an official to coordinate cybersecurity and related efforts, but warns it’s a big, political job to rationalize the crazy quilt of security mandates. The official must coordinate various federal bodies as well as private industry and academia. “Doing this, we would begin to have a cohesive strategy,” Gilligan says. “Right now, it’s free agents” working for their own organizations’ interests.

Formulating long-term strategy gets pushed aside when the focus is on dealing with daily tactical issues or “Whac-A-Mole security,” says Daniel Mintz, a CTO at consulting firm CSC and former CIO at the U.S. Department of Transportation (DoT). “The current approach of trying to do everything, everywhere, results in accomplishing little, anywhere,” he says.

Last year, under George W. Bush, the government devised a cybersecurity plan called the Comprehensive National Cyber Security Initiative, aimed mainly at protecting systems related to the Department of Homeland Security. That’s a narrow swath of cyberspace and, because the work is classified, it’s hard to tell how effective it’s been. Obama has pledged to be “transparent” about the process and seek out advice from the private sector. But the idea of government imposing new rules for industry sends up a red flag for some. Industry can usually patrol itself, maintains Larson, the former security director at American Water, provided there are market incentives to do so. “If you’re a large, publicly owned entity, your board is not going to let you get away without identifying risks and mitigating them. That’s market forces at work.”

The Changing Threat

When government officials officially talk security, most of the scenes they paint involve malicious people taking down major systems. In turn, we are assured that government and corporate entities have reliable backups.

But that’s not the way cyberattackers are behaving, says Eugene H. Spafford, executive director of the Center for Education and Research in Information Assurance and Security. The center is affiliated with Purdue University where a year ago, then-Senator Obama held a summit on security challenges. A trend security experts say is more insidious is attacks that come as subtle changes to data rather than complete denial of service.

Corrupting data in the financial system by introducing errors would spread fear about the accuracy of bank records. People, perhaps countries, now distrustful of the system would pull their money out en masse. Computer break-ins that mess with the electric grid or the healthcare system or the air traffic control system could kill people, Spafford says.

“Suppose all the flight control systems get altered to direct planes into each other rather than have the screens go blank,” he says. So far, such a calamity hasn’t happened. But if it did, Spafford adds, “the result would be a lack of confidence in the system even when it was restored.”

Covering the most critical security gaps, not just the obvious ones, then, becomes imperative, Gilligan says. “Especially in today’s environment,” he says, “it wouldn’t take much to push us even further into recession or depression.”

Corporate IT leaders can adopt some protection methods commonly used by government, such as encrypting sensitive data as well as application software when doing backups. But other tactics don’t make sense in the corporate realm.

At the U.S. Department of Defense, for example, just 10 of its thousands of computing sites are connected to the Internet, says Rear Admiral Elizabeth Hight, vice director of the Defense Information Systems Agency, which supplies much of the infrastructure IT to the DoD.

Fewer connections to the public networks mean fewer points of vulnerability, Hight says. But today, keeping a company off the Internet probably means putting a company out of business.

Practical Solutions

So what to do? One proposal gaining attention in Washington is the Consensus Audit Guidelines. Gilligan worked to develop them with security research and training group The SANS Institute, the Center for Strategic and International Studies, as well as other security experts and practitioners inside and outside government. The guidelines emphasize simplicity. Rather than dive deep into technology or debate which agency should oversee another, the guidelines put forth 20 basic management and process ideas, the underlying principle of which is frequent monitoring and measuring of whatever you’re doing to thwart the most common patterns of cyberattack.

The guidelines, says Eugene Schultz, CTO of consulting firm Emagined Security, “are about how you perceive the problem and how you manage it with limited resources. It’s very real-world.”

That’s a good approach, security experts say, as cybercriminals continually adjust their patterns and tools. Not only that, but most are steps that every CIO could take today without spending a ton of money.

Within each of the 20 controls is an explanation of how attackers can exploit the area and steps you can take to prevent that, ranging from quick-win, simple tasks to advanced methods.

The U.S. Department of State has been testing the guidelines for several months. John Streufert, State’s chief information security officer and the deputy CIO for information security, has mapped real security attacks that he has recently experienced to Gilligan’s controls to determine whether, if a given recommendation had been in place, it would have had any effect. No private-sector companies have tested the guidelines, Gilligan says, but he is talking with several federal CIOs about doing so. The Nuclear Regulatory Commission is also piloting the guidelines.

Malware is one problem lately at State, Streufert says. Control number 12—malware defenses—calls for such tasks as checking machines daily for updated malware protections and pushing out updates every day. IT should also configure machines to scan removable devices for malware upon insertion into a laptop or PC. Also suggested is taking a firm stand: deploying network access control tools to verify security configurations and patch compliance before granting network access.

State also ran scans for unauthorized hardware and software on its networks, which are controls number one and number two. Streufert is reluctant to say how much malware or how many unauthorized devices he found, or estimate the cost of the problem. But by using Gilligan’s 20 techniques, and regularly measuring and improving how the State Department staff proactively manages security, State has reduced the internal risk scores it gives itself in several critical areas by 83 percent over 11 months, Streufert says.

An End to Checklist Security

Existing federal IT security regulations—namely the Federal Information Security Management Act, or FISMA—often mandate hundreds of items to check off on a list, including such basics as password protection for sensitive applications. But FISMA doesn’t guide IT managers about what kind of password works best (the Consensus Audit Guidelines call for 12 semirandom characters and two-factor authentication).

“You end up filling out long forms showing you comply but you’re not necessarily secure,” says Schultz of Emagined Security. He tells the story of a national laboratory that didn’t have firewalls protecting its network, as mandated. But the lab passed the audit by convincing the auditor that routers were a worthy substitute, Schultz says.

“FISMA is a waste of taxpayer money,” he says. “These are not standards that help an organization stand up to the kinds of attacks that occur nowadays.”

None of Gilligan’s 20 critical controls “is advancing the state of the art,” Gilligan acknowledges, meaning that many security experts could come up with a similar recommendations. But the fact that it’s spelled out in a prioritized list and known to be effective in protecting IT systems removes the guesswork. Organizations have a clear rule to follow and a procedure for implementing it, monitoring it and measuring it to improve ongoing security protections.

That’s different from checklist compliance. “It’s a culture shift we’re advocating,” Gilligan says. Measurement of progress is key. In many organizations—government and private sector alike—fights emerge over basic definitions of “secure,” never mind how to achieve it, adds CSC’s Mintz. When he was CIO at the DoT, he says, “it became clear that there was no generally agreed to way of measuring how secure we were. If you considered perfectly secure as a 10 and no security at all as a one, we knew we were above a one and below a 10, but that was about it.”

That’s the kind of situation Obama has criticized. “It’s now clear this cyberthreat is one of the most serious economic and national security challenges we face as a nation,” he said in May. “It’s also clear that we’re not as prepared as we should be, as a government or as a country.” (See Obama’s Cybersecurity Coordinator Has Broad Agenda).

Bigger thinking is needed, Obama said. “Just as we failed in the past to invest in our physical infrastructure—our roads, our bridges and rails—we’ve failed to invest in the security of our digital infrastructure.”

Gilligan knows his is one of dozens of proposals vying for attention from the Obama administration, including ones from various industry trade groups aimed to influence whatever new rules emerge.

The Cost of Being Secure

In government and in corporate America, concerns about immediate cost can outweigh concerns about long-term safety. “There is concern that fixing some of the security problems will be expensive and harmful in the economy,” Spafford says. The Department of Homeland Security, for example, has requested $918 million for fiscal 2010 for information technology. That’s 15 percent more than 2009 and that’s before Obama has made any cybersecurity moves.

In health care, to spur providers to enter the 21st century, Obama has designated $19.2 billion in stimulus money as available in return for building electronic medical records, computerized order entry and other tech-enabled medical processes. Providing such incentives to banks, power companies and transportation providers in return for updating their security is a good start, says Kurtz of Good Harbor, but it promotes too much short-term thinking.

“That would bring us back to checklists again,” he predicts, as companies could scramble to meet minimum requirements by a deadline rather than plan a larger, longer-term strategy.

Short-term thinking is a national problem, agrees Spafford. Banks please shareholders quarter by quarter. Carmakers can’t think much beyond the current model. And look what happened to those industries. To average citizens, cybersecurity is less pressing on any given day than paying the mortgage, keeping or finding a job and avoiding swine flu. Obama has to make cyberpolicy urgent enough to overcome “the real world,” as Spafford puts it. Spafford and other security experts praise Obama for bringing attention to the digital world upon which the United States so depends. But Obama’s report, which urges government and industry to work together to unify security practices and metrics, espouses nothing new. They’re hoping, rather, for inspiration to reach new heights.

“We need high-intensity, long-term development efforts,” Spafford says. “Think of the Manhattan Project or the space race. We need that in cybersecurity.”

Do you tweet. Follow me on twitter @knash99. Follow everything from CIO Magazine @CIOMagazine.