Open Letter to New Obama Infosec Adviser
Longtime Central Intelligence CISO Offers Michael Daniel Advice
Dear Mr. Daniel:
The occasion of your appointment as the White House cybersecurity coordinator is a good opportunity to take a moment to reflect on where the United States stands in relation to the goal of establishing a society in which everyone can use computers and the Internet with a reasonable degree of security and privacy. After multiple millions of well-meaning dollars spent on cybersecurity initiatives, such as the Comprehensive National Cybersecurity Initiative, and endless debates about legislation, any objective analysis would conclude that we are losing ground.
As you begin your job [see Who Is Michael Daniel?], organized criminal cyber gangs continue to run roughshod through the Internet and internal systems of America's public and private institutions. Every day, citizens' personal, financial and health records are hacked and misused; as a former U.S. government employee, I anxiously await my letter regarding the status of my thrift saving account. The Chinese government continues to save billions in research and development costs by sending U.S. government employees and their contractors minimally sophisticated phishing attacks. Nobody really knows the state of our national infrastructure and SCADA (supervisory control and data acquisition) systems, but clearly there is good reason to worry. Consumer confidence in Internet security and privacy is at an all-time low, as citizens are rejecting online banking in increasing numbers.
What went wrong?
It begins with understanding cybersecurity cause and effect. Close to 100 percent of the millions of dollars applied to address the problem were spent on the effect. The American government spent almost all of the defensive technology dollars to better identify and respond to attacks. Federal regulation (e.g., Federal Information Security Management Act) and legislative initiatives (e.g., Cybersecurity Act of 2012) mostly focus on better system security monitoring, testing and malware incident coordination and response. While clearly important issues, they are largely the effect of the cause, which is that our computer networks, operating systems and application software are not up to the security challenge in the first place. No amount of dollars and legislation can move us in the right direction if we continue to focus only on fixing the result of inherently insecure computer technology that still has its roots in pre-Internet government and college laboratories. We must focus attention on building secure systems and networks and establishing standards for secure coding of software.
Tackling the Product of Imperfect Humans
It is time to add a new prong to our cybersecurity strategy by establishing a national initiative to address directly the cause of the problem. While we can never build completely secure computer systems - they are, after all, the product of imperfect humans - we can considerably raise the security bar by establishing a national initiative that brings together the best and brightest minds in government, industry and academia. Unlike previous efforts, today we have a unique opportunity to bring together innovative thinkers from a broad spectrum of computer engineering and science disciplines with information and network security private enterprises that fully understand the nature of the problem.
Yes, many will tell you that it was tried before and failed. That is only somewhat true. Beginning in the early 1980s and continuing into the mid-1990s, the National Security Agency spent considerable time developing a colorful collection of guides known as the Rainbow Series that established standards for developing trusted systems, networks and applications. The Rainbow Series was focused narrowly on the national security agencies and contractors. It didn't amount to much. However, this initiative was more than 20 years ago and was a product of exclusively inside-the-beltway thinking. At the time, there were only a handful of people who really understood the problem and, as we learned, even fewer who truly cared. Even with these limitations, the Rainbow Series provided a roadmap for the development of SELinux, a highly trustable set of extensions that are available in many commercial and open source Linux operating systems.
We need a three-path approach:
- Path one looks at technology, such as the Trusted Platform Module (a secure processor that can store cryptographic keys), that could be applied within three to five years to enhance the security of existing commercial networks and operating systems.
- Path two looks further into the future and may even need to fundamentally rethink concepts like TCP/IP, operating system architectures and how applications use computer resources.
- Path three attacks insecure programming and looks at short- and long-term measures to enhance the security of high-level languages.
Making Hacking a Burdensome, Risky Endeavor
The result of these initiatives is a roadmap that, with the buy-in of industry, articulates a national technical computer security strategy; a strategy that, for the first time, gives us a realistic chance to make hacking a burdensome and risky endeavor instead of an easy opportunity for profit or geopolitical gain. The government can use the strategy to develop standards for protecting sensitive (e.g., classified) and national infrastructure (e.g., regulated) systems. Private institutions can use the strategy to mandate computer system procurement requirements and the computer industry marketplace can use the strategy to gain competitive advantage for their products.
The future of a seamlessly interconnected society, where government agencies can provide services to their citizens, where e-commerce is fully integrated from business applications to all consumer devices and where everyone can collaborate via social media, is not assured. It will not be for a lack of network bandwidth or killer applications. Industry is well on its way to addressing these issues. No, the one issue that will derail our interconnected future is a loss of trust by the public.
As you begin your new job and immediately get swallowed up dealing with effect issues like national incident response strategy, please take time also to consider focusing attention to the cause of insecure computer systems, networks and applications. Failing to address the cause of computer system misuse and only focusing on the effect is simply a recipe for a well-managed response to a disaster that could have been avoided in the first place.
Robert Bigman retired this spring after serving for 15 years as chief information security officer of the Central Intelligence Agency and is now chief executive officer of 2BSecure LLC.