The Cybersecurity Challenge
Michael Rasmussen
VP for Standards and Public Policy, Information Systems Security Association
Friday, December 5, 2003; 10:00 AM
Defending the Internet is one of the most important
issues facing the nation's businesses and the U.S.
government in the 21st century. One of the most
authoritative voices on this subject is Michael
Rasmussen, vice president of standards and public
policy for the Information Systems Security
Association and Giga Director of Research for
Information Security at Forrester Research, Inc.
Rasmussen discussed the role of the U.S. government
and the private sector in promoting cybersecurity.
washingtonpost.com security reporter Brian Krebs
moderated the discussion.
An edited transcript follows.
Editor's Note: Washingtonpost.com moderators retain
editorial control over Live Online discussions and
choose the most relevant questions for guests and
hosts; guests and hosts can decline to answer
questions.
___________________________________________
Brian Krebs: Good morning, Michael, and thank
you for joining us today. Your organization
represents more than 10,000 computer security
professionals worldwide, so you have a unique
perspective on security from the front lines of the
people responsible for putting corporate security
policy into action. Do you get a sense that
corporate executives are taking security seriously
enough? It seems traditionally that many companies
have invested in security technology but done little
to ensure that technology and resources are being
used the best way.
Michael Rasmussen: Our corporate executives
taking security seriously . . . really, it is all
over the map. Legislation and regulation are holding
corporate executives' feet to the fire -- such as
HIPAA, GLBA, PIPEDA, EU Data Protection, California
SB 1386, and on and on and on. This is forcing
accountability for information security from the top
down in many organizations. However, there are still
many organizations that do not have corporate
executive buy-in and understanding of information
security. Additionally, particularly in the US, we
tend to view information security only through a
technical lens. Technology is a tactical and
important part of information security -- but it is
only part of it. Technology cannot solve all of our
information security problems. Executives who tend
to focus on information security as only being a
technical problem have a big wake-up call coming to
them.
_______________________
Brian Krebs: As you know, Homeland Security
officials met this week in California for a
cybersecurity summit with the high-tech industry.
The event was sponsored by a number of high-tech
trade groups that are trying to forestall federal
cybersecurity legislation by demonstrating that
industry is taking concrete steps to improve the
security of their products and protect businesses
and consumers from hackers. What was your read on
that meeting? Will it produce any results, or was
this just more window dressing and lobbying by the
tech sector to keep costly new laws at bay?
Michael Rasmussen: You ask questions that get
right to the heart of the issue, and build on the
previous one. The DHS Summit was impressive but
daunting -- they have a lot to accomplish. However,
the issue that I brought up previously remains . . .
security is much more than a technical problem. You
have a lot of IT vendors lobbying Capitol Hill
trying to convince legislators that security is
completely technical and what we need is more
products. While products help, they are not the
complete answer. I can build an impenetrable
technical fortress only to have my investment fail
when my employee behind the desk violates policy or
is the subject of social engineering.
DHS and legislators need to get more input from the
people in the trenches. The summit did reach out to
many, but it was organized by the high tech sector.
I would have liked to have seen more end-user
organization involvement, particularly Chief
Information Security Officers or Chief Risk
Officers.
The tech industry is interested in keeping some laws
at bay, such as Putnam's Corporate Information
Security Accountability Act -- there is a fear from
IT vendors that people will spend more time on
assessment and managing security than on new
products. Security, however, is a process, not a
product. While products are an important part --
they are only a part of the bigger picture.
_______________________
Alexandria, Va.: Did the reorganization of
the U.S. cybersecurity agencies into DHS result in
any setbacks to the government's ongoing cyber
protection activities?
Michael Rasmussen: I would say that there was
only some minor confusion. NIST and DHS are the
entities ultimately responsible for the enforcement
of FISMA and they have continued to push that agenda
throughout the past year. What has stalled with DHS
was the direction the Federal Government is heading
with the Public-Private sector cooperation on
information security. We are only now seeing a
direction in this area. A direction was being
clearly laid by Howard Schmidt and Richard Clarke,
but the creation of DHS and integration of this
component into it stalled it big time.
_______________________
Brian Krebs: Just to clarify, "FISMA"
as referenced above stands for the "Federal
Information Security Management Act," a law
that requires all federal civilian agencies to test
their systems for cyber-vulnerabilities and report
annually to Congress on their progress.
_______________________
Brian Krebs: With the growing threat of
worms, viruses, software patches, backdoor Trojans
and online scams, many consumers find themselves at
a loss as to how to keep up with the complexity of
today's technologies, even as they depend more upon
them for everyday tasks. Is there any hope that
things will get simpler for consumers -- through more
secure technology -- or is the situation only going
to get more confusing?
Michael Rasmussen: Things have to get simpler
for the consumer . . . there is no alternative. My
mother-in-law loves the Internet, but has no clue
about information security and privacy risks.
Security needs to be built in and automated for the
consumer or we are going to fail. Microsoft is
working hard in this area as are many other
companies to improve things, but it takes a lot to
turn this ship around.
_______________________
Washington, D.C.: What was the mood at the
cyber summit? Are industry and government really at
loggerheads over regulations, or is the media
overplaying that?
Michael Rasmussen: My view is that the
relationships are just starting to be established.
The National Strategy to Secure Cyberspace did a
good job of highlighting the issues and starting the
conversation. The creation of DHS stalled everything
for a time. However, we see the administration
moving forward now with efforts to build these
bridges. The challenge, as I stated before, is that
these bridges need to be built with many industries
-- not just the tech sector. DHS has to engage CISOs
from across industries. I recommend that they
strongly avoid the IT vendor marketing types and
work with the CISOs in the trenches. Even the IT
vendors have great CISOs that need to have their
voice heard.
_______________________
Arlington, Va.: Are there any exciting
developments in security research that promise to
make it easier for network administrators to protect
systems from new threats?
Michael Rasmussen: As we build more security
into operating systems and applications through
stronger architecture and integration of security
controls -- the management burden should become
easier. The band-aid approach to security by buying
6 different products to secure a host fails -- it
does not scale and is unmanageable. Organizations
need stronger security built into operating systems
and applications, and for the products they do buy
they need breadth of functionality to minimize what
they have to support.
We also need to build security training into more
network administrator and system administrator
curriculums. Security admins are limited in number
and cannot bear the burden of securing all systems
within the organization. Just as security technology
needs to be integrated and distributed throughout
the technologies we buy -- the same goes for the
roles and responsibilities of those who manage it.
_______________________
Rapid City, S.D.: Do you buy the current
prevailing wisdom that home broadband users are the
weakest link in the Internet security chain? Who
should be responsible for the breakdowns that allow
the spread of worms and viruses, the users or the
companies who push broken software out the door?
Michael Rasmussen: A very difficult question
. . .
The answer is we need stronger security by default
in applications and operating systems.
As for vendor liability, I am very cautious . . . do
we want to go there? Organizations that promote this
do not realize that this can come back to bite us.
If we hold IT vendors accountable for software bugs,
what about all of the applications internally
developed in organizations -- do we hold all
organizations accountable for software bugs? Then
what about configurations -- what if I buy a product
and make a configuration mistake?
While I think accountability and liability are good,
we need to be cautious in how we approach this.
_______________________
Dulles, Va.: Did the White House miss an
opportunity to make a big statement on cyber
security when it released its "strategy"
last January? Why didn't the President read the
document at a Rose Garden announcement? Until the
big chiefs start talking about this topic more
frequently, I don't believe it's going to sink in
with the public.
Michael Rasmussen: You are right. There is a
big need for communication, not just from our
political heads -- but also from IT vendors and
others in the industry. We need a massive awareness
campaign.
_______________________
Washington, D.C.: Conventional wisdom seems
to be that the tools we have to defend the Internet
are more than up to the task and it's just a
question of using them properly. Do you accept that
at face value, or does Internet security technology
need to advance to keep pace with intrusion tools?
Michael Rasmussen: Vulnerabilities and
exposures evolve, we have seen the evolution in
worms and viruses. We definitely need to keep up
with technology in this area. However, tools are not
enough. We need the appropriate management and
processes in place as well. If we can build the
ideal and perfect IT security architecture -- we
will still have information security and privacy
incidents. That is because we have people involved
who are human, make mistakes, and succumb to greed
and other motives.
_______________________
Brian Krebs: Most federal agencies have for
the past three years consistently flunked computer
security tests, and new report cards are expected to
come out within the next two weeks. One of the
amazing things about these reports is that
government auditors say they're told time and again
that agency officials don't even know how many
computers or systems they have on their watch, much
less who has access to them. Doesn't the government
have a responsibility to lead by example? What is
the fundamental problem here? Is it merely a lack of
training and funding, or is there a more systemic
problem at issue?
Michael Rasmussen: It takes time, but it also
is a culture battle. FISMA does a lot of good things
in bringing management oversight and enforcing a
security architecture in government agencies.
However, some feel that it creates too much
bureaucracy and reporting at the expense of providing
more security.
FISMA can be successful. It is all about mindset. If
an agency goes into FISMA compliance looking just to
get by at a minimum without taking true ownership of
information security -- they will fail. However, if
an organization embraces FISMA and aims higher by
embracing the principles and building it into the
culture and architecture of the agency -- they will
succeed.
_______________________
Brian Krebs: The Bush administration has
always held that the market will reward companies
that make security a priority, and that those whose
products consistently put consumers and businesses
in harm's way will lose out in the long run,
particularly in government contracts. Have we seen
that dynamic at work at all, or does software
functionality still trump security needs in the
marketplace?
Michael Rasmussen: I believe that we have
seen this work moderately, but it has not been
overwhelmingly successful. Functionality is still
the number one buying criteria for organizations,
and will continue to be. Security has become an
important secondary consideration for most products.
However, secure products are not the complete
answer. I can buy the strongest and most secure
operating system or firewall but install and
configure it in a very insecure manner.
Accountability is what is needed for both vendors
and end-user organizations to make sure they manage
security appropriately. It is about due diligence.
We will have mistakes, but that does not mean we
drag someone before the firing squad because of the
mistake . . . we need to investigate to look at the
effort and alignment with generally accepted
information security principles and practices.
However, the economic pressure is one area that has
had an impact. It is just not complete in and of
itself. There is no silver bullet here.
_______________________
Brian Krebs: Microsoft has recently been
making investments in anti-virus technology. Do you
see this as a positive development, or is it more
like the fox guarding the henhouse?
Michael Rasmussen: It can be a good thing, it
can be a bad thing.
If Microsoft takes the technology and integrates it
into the operating system and applications to
provide more advanced levels of protection -- that
is a good thing as long as they are not aimed at
making money from selling security products. But, if
Microsoft wants to be a security vendor selling
security solutions that it is vulnerable to, that
does not sit well with me.
The world wants Microsoft to build secure products,
not sell security products.
_______________________
Arlington, Va.: Do you think the federal
government is going to mandate industry to do
anything related to cybersecurity and if so, is it
just going to come from Congress? It seems the DHS
doesn't want to come out as the "heavy"
here, so they are just saying things are guidelines,
not must-dos. What gives?
Michael Rasmussen: We already have industry
mandates . . . HIPAA, GLBA, PATRIOT, California SB
1386, Sarbanes-Oxley (to a degree), and many more.
We have the FTC taking action against organizations
that fail to live up to their privacy and security
policies (in re Eli Lilly, in re Microsoft Passport,
in re Guess.com).
What we do need is accountability. That is key. We
do not need more mandates of specific controls, but
a mandate that executives and boards of directors are
responsible and accountable for information
security. That is at the heart of Putnam's draft
legislation. However, there are holes in it. It only
hits the publicly traded companies. It gives a lot
of control to the SEC and auditors.
On the other hand, certain legislation needs to be
consolidated. We have HIPAA and GLBA -- both with
privacy components. We have the FCRA with privacy
and identity theft components. We have CA SB 1386,
and Feinstein's US SB 1350 going through Congress.
In many respects this is too many mandates to manage.
I believe we need broader, all-encompassing privacy
legislation such as in Canada or Europe as opposed
to this complex mixture of legislation we have now.
_______________________
Arlington, Va.: What is the No. 1 thing that
companies can do to comply with the federal
government's cybersecurity guidelines?
Michael Rasmussen: It is hard to find a
number 1 thing, as there are many components.
But, I will go back to what I stated before. See it
as an opportunity to change the culture of the
agency and integrate it into the architecture. See
it more as a way to improve quality and service by
providing a more secure environment.
_______________________
Washington, D.C.: In a recent magazine
interview with Bill Gates (Fast Company, -I think-)
they asked him if Microsoft's software was to blame
for the recent security and virus problems plaguing
the internet. His response was, and has been, that
MS makes patches available and that users should be
more diligent about patching their operating system.
Other operating systems don't suffer from this
scourge, what can be done to hold Microsoft more
accountable for not producing a more secure product?
They market their software to businesses and
consumers as if it was as easy to deal with as a
microwave oven, yet it's not. Isn't it unreasonable,
and dare I say rude, to blame the user?
Michael Rasmussen: Microsoft is the dominant
player - they are a big target. That is the primary
reason that they come under fire so much. But when
they do, holes are found.
To answer this has to get into the tactical and
strategic battle for Microsoft. Bill Gates statement
is the tactical statement for their current public
relations battle - we are doing all we can to secure
and provide fixes for what is out there today. They
are dealing with already installed systems and
legacy code support. All Microsoft can do is get
patches and notifications out there in a timely
manner. They have also provided more tools.
As for stronger and more secure products --
Microsoft is working on this, that is their claim
and their strategic battle long run. Build secure
products. However, we cannot judge Microsoft for
their current development efforts of integrating
security into Microsoft operating systems and
applications until the release of Longhorn. That is
where the heart of their battle will be won if they
are doing things correctly. That is what is in
development now and going through the intense
scrutiny.
_______________________
Brian Krebs: That about does it for our
discussion today. Thank you, Michael, for helping us
tackle these complex issues so thoughtfully. And a
big thanks to all of our readers who submitted
questions.