I am a big fan of the Monty Python troupe. Their silly take on several topics helped point out the absurd and pompous, and still do, but sometimes were simply lunatic in their own right.
One of their sketches, about a group of sailors stuck in a lifeboat came to mind as I was thinking about this post. The sketch starts (several times) with the line "Still no sign of land." The sketch then proceeds to a discussion of how they are so desperate that they may have to resort to cannibalism.
So why did that come to mind?
We still do not have a national Cyber Cheerleader in the Executive Office of the President. On May 29th, the President announced that he would appoint one – that cyber security was a national priority.
Three months later – nada.
Admittedly, there are other things going on: health care reform, a worsening insurgency problem in Afghanistan, hesitancy in the economic recovery, and yet more things going on that require attention from the White House. Still, cyber continues to be a problem area with huge issues. See some of the recent news to see that there is no shortage of problems – identity theft, cyber war questions, critical infrastructure vulnerability, supply chain issues, and more.
Rumor has it that several people have been approached for the Cheerleader position, but all have turned it down. This isn't overly surprising – the position has been set up as basically one where blame can be placed when something goes wrong rather than as a position to support real change. There is no budget authority, seniority, or leverage over Federal agencies where the problems occur, so there is no surprise that it is not wanted. Anyone qualified for a high-level position in this area should recognize what I described 20 years ago in "Spaf's First Law":
If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.
I wonder how many false starts it will take before it is noticed that there is something wrong with the position if good people don't want it? And will that be enough to result in a change in the way the position is structured?
Meanwhile, we are losing good people from what senior leadership exists. Melissa Hathaway has resigned from the temporary position at the NSC from which she led the 60-day study, and Mischel Kwon has stepped down from leadership of US-CERT. Both were huge assets to the government and the public, and we have all lost as a result of their departure.
The crew of the lifeboat is dwindling. Gee, what next? Well, funny you should mention that.
Last week, I attended the "Cyber Leap Year Summit," which I have variously described to people who have asked as "An interesting chance to network" to "Two clowns short of a circus." (NB. I was there, so it was not three clowns short.)
The implied premise of the Summit, that bringing together a group of disparate academics and practitioners can somehow lead to a breakthrough is not a bad idea in itself. However, when you bring together far too many of them under a facilitation protocol that most of them have not heard of coupled with a forced schedule, it shouldn't be a surprise if the result in much other than some frustration. At least, that is what I heard from most of the participants I spoke with. It remains to be seen if the reporters from the various sections are able to glean something useful from the ideas that were so briefly discussed. (Trying to winnow "the best" idea from 40 suggestions given only 75 minutes and 40 type A personalities is not a fun time.)
There was also the question of "best" being brought together. In my session, there were people present who had no idea about basic security topics or history. Some of us made mention of well-known results or systems, and they went completely over the heads of the people present. Sometimes, they would point this out, and we lost time explaining. As the session progressed, the parties involved seemed to simply assume that if they hadn't heard about it, it couldn't be important, so they ignored the comments.
Here are three absurdities that seem particularly prominent to me about the whole event:
I raised the first two issues as the first comments in the public Q&A session on Day 1. Aneesh Chopra, the Federal Chief Technology Officer (CTO), and Susan Alexander, the Chief Technology Officer for Information and Identity Assurance at DoD, were on the panel to which I addressed the questions. I was basically told not to ask those kinds of questions, and to sit down. although the response was phrased somewhat less forcefully than that. Afterwards, no less than 22 people told me that they wanted to ask the same questions (I started counting after #5). Clearly, I was not alone in questioning the formulation of the meeting.
Do I seem discouraged? A bit. I had hoped that we would see a little more careful thought involved. There were many government observers present, and in private, one-on-one discussions with them, it was clear they were equally discouraged with what they were hearing, although they couldn't state that publicly.
However, this is yet another in long line of meetings and reports with which I have had involvement, where the good results are ignored, and the "captains of industry and government" have focused on the wrong things. But by holding continuing workshops like this one, at least it appears that the government is doing something. If nothing comes of it, they can blame the participants in some way for not coming up with good enough ideas rather than take responsibility for not asking the right questions or being willing to accept answers that are difficult to execute.
Too cynical? Perhaps. But I will continue to participate because this is NOT a "game," and the consequences of continuing to fail are not something we want to face — even with "...white wine sauce with shallots, mushrooms and garlic."
I have a Facebook account. I use it as a means to communicate little status updates with many, many friends and acquaintances while keeping up to date (a little) on their activities. I'm usually too pressed for time to correspond with everyone as I would otherwise prefer to do, and this tenuous connection is probably better than none at all.
Sometime early in the year, either I slipped up in running a script or somehow, without authorization, Facebook slurped up my whole address book. This was something I most definitely did not want to happen, so even giving Facebook the benefit of the doubt and blaming it on operator (me) error it says something about their poor interface that such a thing could happen to an experienced user. (Of course, in the worst case, their software did something invasive without my authorization.)
Whatever happened, Facebook immediately started spamming EVERYONE with an invitation "from me" inviting them to join Facebook. There are many people in my address book with whom I have some professional relationship but who would not be in any category I would remotely consider "friend." It was annoying to me, and annoying/perplexing to them, to have to deal with these emails. A few of them joined, but many others complained to me.
I thought the problem would resolve itself with time. In particular, I didn't want to send a note to everyone in my list saying it was a mistake and not to respond. Sadly, the Facebook system seems to periodically sweep through this list and reissue invitations. Thus, I have gotten a trickle of continuing complaints, and suspect that a number of other people are simply annoyed with me.
So, what to do if this was a responsible business? Why, look for a customer help email address, web form, or telephone number to contact them. Good luck. They have FAQs galore, but it is the web equivalent of voicemail-hell: one link leads to another and back to the FAQs again with no way to contact anything other than an auto-responder that tells me to consult the FAQ system.
On July 26, I responded to a complaint from one of the unintended victims. I cc'd a set of email addresses that I thought might possibly be monitored at Facebook, including "firstname.lastname@example.org." I got an automated response back to read an inappropriate and unhelpful section of the FAQ. I replied to the email that it was not helpful and did not address my complaint.
On July 29 I received a response that may have been from a person (it had a name attached) that again directed me to the FAQs. Again I responded that it was not addressing my complaint.
August 6th brought a new email from the same address that seemed to actually be responsive to my complaint. It indicated that there was a URL I could visit to see the addresses I had "invited" to join, and I could delete any I did not wish to be receiving repeated invitations. Apparently, this is unadvertised but available to all Facebook users (see http://www.facebook.com/invite_history.php).
I visited the site, and sure enough, there were all 2200+ addresses.
First problem: It is not possible to delete the entire list. One can only operate on 100 names at a time (one page). Ok, I can do this, although I find it very annoying when sites are programmed this way. But 22 times through the removal process is something I'm willing to do.
Second problem: Any attempt to delete addresses from the database results in an error message. The message claims they are working on the problem or to check that I'm actually connected to the Internet, but that's it. I've tried the page about every other day since August 6th, with various permutations of choices, and the error is still there. So much for "working on it."
I've also tried emailing the same Facebook address where I got the earlier response, with no answer in 2 weeks.
I thought about unsubscribing from Facebook as a way of clearing this out, but I am not convinced that the list -- and the automated invites -- would stop even if I inactivated my account.
I certainly won't be inviting anyone else to join Facebook, and I am now recommending that no one else does, either.
I was talking to several people at the Cyber Leap Year Summit about how we have decades of research in computing that too many current researchers fail to look at because it was never put on line. We have all noticed the disturbing trend that too many papers submitted for publication do not reference anything before about 2000 -- perhaps because so much of that early work has not been indexed in search engines?
I mentioned that I had seen papers a few years back where the authors had implied that they had invented virtualization, despite the idea going back decades; at least the Wikipedia entry seems to avoid that mistake.
Someone jokingly mentioned that at least a few things were new, such as cloud computing.
Not so fast.
Some Cloud Computing is really nothing more than SaaS on virtualized platforms. That isn't new.
However, one view of Cloud Computing is that it provides seamless processing and storage somewhere on the net, where you don't have to know where it is stored, where it makes use of multiple platforms for performance and storage, and you don't need to worry about individual machine failures because the rest of the system continues forward.
Interestingly, that was precisely the goal of the distributed OS project where I did my PhD dissertation. I wrote the first prototype distributed OS kernel for the system. The name of the project? CLOUDS. The year? 1986 was when I defended, but the name was coined in 1984. (Cf. a summary article written in 1991.)
My kernel had virtual memory, process creation/deletion, object stores, capabilities, and a built-in debugger (that one could invoke after a crash -- no blue screen, simply the console message of "Shut 'er down Scotty, she's suckin mud agin.") I demonstrated it creating objects and invoking methods (actions) on them across the network on other machines, among other things. Three later PhD dissertations relied on it, as did at least 2 MS theses.
(Oh, and I wrote most of the code in VAX assembler language and it all ran on the bare hardware. I debugged it by stepping through memory, and found some hardware bugs in the process. I was a real programmer back then: i have programmed machine code on six architectures, and in over 25 other high-level languages. But I digress...)
My dissertation is not very good; I would not accept it from one of my students now, and do not recommend anyone read it. But circumstances were such that I didn't actually have an advisor for a big chunk of my research work, and the committee wanted to get me out. I never got a publication from the dissertation work, either. In retrospect, I'm not sure that was the best course of action, but I seem to have turned out more or less okay otherwise.
Bonus item: The first Ph.D. from the group, based on an earlier attempt at the kernel, was Jim Allchin. But don't blame the Clouds group for Windows!
Bonus item: Only about 4 people ever knew, but "Clouds" was an acronym. We liked the imagery because if you combined two clouds, you simply ended up with a cloud. Up close, you couldn't tell where the boundaries of a Cloud were. And if you took some away from a cloud, you still had a cloud. Great, huh? I'm going to reveal the acronym here: Coalescing Local Objects Under Distributed Supervision. We needed the acronym for the proposal to the funding agencies, but for obvious reasons, we never referred to it as anything other than Clouds. The acronym was coined by Bill Thibault.
Bonus item: The Clouds kernel was the third OS I had written, and the final one. The second one was also in assembly language and some custom microcode for the PR1ME 500 &750 series computers (of which Georgia Tech had five). I taught a class around machine architecture and writing an OS at Georgia Tech while a grad student. I'd love to hear from anyone who took the class.
Bonus item: Although my research work quickly moved into other areas of computing, I stayed with OS long enough to help start and chair (with George Leach) the (first WEBDMS; 1989 and) SEBDMS (1991, 1992) conferences. These later evolved into the OSDI conferences -- which I have never attended. It is unlikely that many people remember this connection.
A few people still remember me for that OS work. Others know me for the work I did in mutation testing, and yet others for the work in dynamic slicing and backtracking for debugging. That was all before I started work in security and forensics. I'm to blame for more than many people know -- and I'm not telling about the rest.
But next time someone tries to tell you about their latest "new" idea, you might check with some of us
older more seasoned computing folk, first, and let us reminisce about the good old days.
In response to my last post, several people have pointed out to me some other initiatives before Congress. Here are some brief comments on a few of them, based on what is available via the Thomas service. I am not going to provide a section-by-section analysis of any of these.
S.921, the US Information and Communications Enforcement Act of 2009
Introduced by Senator Carper and cosponsored by Senator Burris, this act would modify Title 44 (chapter 35) of the US Code to establish the National Office for Cyberspace within the Executive Office of the President (EOP). The intent is that this office would address "...assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities."
There are several other provisions in the act that make agency heads responsible for security of their systems, requires annual security reviews, requires cooperation with the US-CERT, requires establishment of automated reporting, and that charges the Department of Commerce with setting guidelines and standards but allows agencies to employ more stringent standards.
The director of the office created by this bill does not have a defined reporting chain. However, the office is given explicit responsibility for coordinating policy, consulting with agencies, ad working with OMB. Note that the interaction with OMB is coordination of OMB's actions and is not a role with any direct control.
There is a very short timeline to produce some initial reports (180 days) on the effects of cost savings by using better security. It might take that long simply to begin to define what to measure!
Every Federal agency would have to appoint a CISO (Chief Information Security Officer) responsible for all the things that a CISO normally does in a large organization, including establishing monitoring and response documentation, training, purchasing, and so on. This would be a massive undertaking for some agencies, even if appropriate budget was allocated (something this bill does not do).
The bill require every agency to have an independent (external) evaluation every year! The cost and effort of such an option would be huge, and it is not clear that it would provide a return equal to cost.
Overall, there are some worthwhile ideas in here, but if passed as is, this would cripple many smaller agencies without sufficient budget, and tie up the rest in lots of red tape.
S. 1438 Fostering a Global Response to Cyber Attacks Act
Introduced by Senator Gillibrand, this bill would state a "sense of the Senate" and require the Secretary of State to report on efforts to work with other countries on cyber security and response. Section 21 of S.778 provides better coverage of the topic.
S. 946 Critical Electric Infrastructure Protection Act
Introduced by Senator Lieberman with no cosponsors, this bill directs the Secretary of DHS (working with other agencies) to direct a study and report if federally-owned elements of the power grid have been compromised in any way. It further tasks the Federal Electric Reguatory Commission (FERC) to establish interim measures to protect those resources.
It makes the Secretary of Homeland Security responsible for on-going assessments and reporting of critical infrastructure, including the electric infrastructure. Hmmm, no mention of the Secretary of Energy here. This will probably provoke a turf battle if it gets considered at length.
H.R. 2195 by Representative Bennie Thompson and 16 cosponsors is the same bill on the House side.
H.R. 2165 by Rep. John Barrow is related somewhat, in that it designates FERC as responsible for securing the power system. It goes further, however, by giving FERC some emergency regulatory powers under Presidential directive. It also creates yet another class of restricted but unclassified information. Both of those last two points make this a troubling proposal.
H.R. 266 Cybersecurity Education and Enhancement Act of 2009
Introduced by Representative Sheila Jackson-Lee, this act has two major components:
This would address some real needs in a reasonable way.
Clearly, there is growing interest in cyber within the government, and recognition of some of the weaknesses in procurement, training, response, standards, and information dissemination. However, not all of the bills being proposed really address the underlying problems, and some may cause new problems.
The legislative process does not lend itself to solutions. The House and Senate deal with issues via an established committee structure, and those committee boundaries don't match cyber, which is a cross-cutting problem. Thus, it is difficult to get a bill started that mandates changes across several Federal agencies and cabinet positions, because the bill would then need to go through a bunch of committees -- and in too many cases there are members of those committees who will feel the need to rewrite the bill. This especially comes into play thinking about the future: if there will be new programs and authorities, it is generally the rule that each committee would like to "own" those activities . Likewise, the members and staff don't like to see any authority taken away from their committees.
This makes it problematic for cyber. It will require thoughtful support across a number of areas. It will require the leadership of both houses of Congress to exert some leadership to ensure that good legislation gets through, without too much unnecessary tweaking along the way.
Let's keep our fingers crossed.
(Oh, and my post about the "cyber cheerleader" caused a reader to remind of Spaf's First Law, articulated over two decades ago:
If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.
Thus, people who are being approached for the position may not be eager to take it if they understand this. It has been demonstrated for this sort of position before.
Cyber seems to be one of the buzzwords in Washington these days, with the recent botnet attacks generating a lot of extra noise. This has included at least one rather bellicose response from a US Representative who either is reading much more interesting information than the rest of us, or is not reading anything at all.
Meanwhile, in the background, various bits of legislation are being worked on by several committees in both the House and Senate to address various aspects of the perceived problems. Two notable instances are legislation proposed by Senator Rockefeller and others that followed closely after my testimony before their committee. I have heard that at least one of these pieces of proposed legislation is being revised, and will be reintroduced. Back in April, I sent comments on both proposed bills to committee staff, but never heard a response. I hope my input had some impact.
It occurred to me that I did not blog about the legislation or my comments. So, to correct that oversight, you will find the enclosed, which are my original comments with some newer perspective gained over the last few months. You can find the text of these bills via Thomas.
(I will post a follow-up when I see what the revised bills are like.)
The National Cybersecurity Advisor Act of 2009, S. 778
This proposed legislation, cosponsored by Senators Snowe, Bayh and Nelson, was a bit of a puzzle to me when it was introduced. The timing was such that the President's 60-day review report had not yet been delivered, and so it seemed premature to me. However, in retrospect, the 60-day review didn't end up suggesting a powerful office within the EOP for cyber, and so this bill was right on target.
The bill would establish an office of National Cybersecurity Advisor , with the head of that office reporting directly to the President. That person would have authority to hire consultants, consult with any Federal agency, approve clearances of personnel related to cyber, and have access to all classified programs relating to cyber. More importantly, the advisor "...shall review and approve all cybersecurity-related budget requests submitted to the Office of Management and Budget" and would "...serve as the principal advisor to the President for all cybersecurity-related matters." Both of these would be an improvement over the suggestions in the final 60-day review.
The bill has had two readings and has been referred to the Committee on Homeland Security and Governmental Affairs.
(I note that the 60 day review would have been delivered to the President on April 9. It is now more than 3 months later, and still no appointment of the cybersecurity cheerleader proposed by that document.)
The National Cybersecurity Act of 2009, S 773
This was also introduced before the 60-day review was released. It contains 23 sections. It has been read twice and referred to the Committee on Commerce, Science, and Transportation. It also is cosponsored by Snowe, Nelson and Bayh.
Sec. 1: Title And Table Of Contents.
Pro forma material.
Sec 2: Findings
This is a section devoted to bits of information that justify the bill. Several people are cited for things they have said on the topics; I was not one of them, although Purdue was mentioned in point 13, and the PITAC report I helped prepare was listed in point 14.
Sec 3: Cybersecurity Advisory Panel
This section defines the creation of a high-level, Presidential advisory panel. The panel will be composed of individuals from a broad cross-section of society, and will provide the President with advice on strategy, trends, priorities, and civil liberties related to cyber security. The panel will be required to provide a report at least once every 2 years.
This looks to be well-designed and potentially very useful. Panels such as this depend on the alacrity with which a President appoints appropriate members, whether those members actually get something useful done, and whether the President heeds their advice. But at least this framework is off to a good start.
Sec 4. Real-time Cybersecurity Dashboard
The Secretary of Commerce is mandated to develop a "real-time dashboard" within a year. This dashboard is supposed to show the cybersecurity status and vulnerability information of all networks managed by the Department of Commerce.
This is quite puzzling. It isn't clear to me why this is restricted to Commerce, although notes I have from staff indicate that the intent is to serve as a pilot for other parts of government. But that isn't the end of the puzzle. Who is supposed to view this dashboard? What do they do after they see something on it? And what the heck does it really measure? (Hopefully not a dynamic FISMA score!)
Of course, I can't help noting that having one location to collect and display vulnerability information is a very bad idea.
Sec 5. State And Regional Cybersecurity Enhancement Program
This section describes the creation of a set of centers around the country to assist small businesses with cybersecurity. It is modeled on the Hollings Manufacturing Extension Partnership (MEP) and would be run by the Department of Commerce. The centers would receive up to 1/2 of their initial funding from the Federal government, with the rest to come from states, regional groups, and fees paid by members. The centers would provide expertise and resources to small companies.
Although I have some misgivings about this, it is the best suggestion I have seen yet on how to get cybersecurity technology out to small businesses in an affordable manner. I was not familiar with this program and had suggested something similar to our agricultural extension model, so this is in keeping with that. The questions I have are whether these will attract the necessary funding and talent to be viable. But it is probably worth the experiment.
Sec 6. NIST Standards Development And Compliance
This section sets out that, within a year, the Secretary of Commerce will establish a research plan for security metrics, establish a whole set of metrics and compliance measures for vulnerabilities and testing, set all these as standards, and apply them to all vendors and government systems. This will also constrain acceptable configurations, and provide accreditation of suppliers.
Whew! This is way off base. We don't know how to do many of these things, and I fear that setting a deadline will mean that a number of poor standards and requirements will be established. Not only that, having a set of uniform configurations (and required compliance to them) is a sure way to weaken our security rather than strengthen it -- diversity and uncertainty have protective effects when used appropriately. Requiring everyone to code the same way, and configure only approved systems the same way is not going to be helpful -- except to the bad guys.
This is also a good way to kill innovation in an area (software development and security deployment) where innovation is badly needed.
This is a bad idea.
Sec 7. Licensing And Certification Of Cybersecurity Professionals
This provision requires Commerce to develop a national licensing and certification program for cybersecurity professionals. Within 3 years, it would be unlawful to provide security services to any government or national security system without the certification.
This is worse than section 6! We don't know yet what the appropriate skills are for professionals. In fact, there are a wide range of skills, not all of which are needed by each person.
The result of this, if it gets enacted, is either that we will have a least-common denominator for skills that will get taught by a lot of training organizations that will enrich them but do nothing for the nation, or the bar will be set so high that we will have a shortage of qualified personnel. Either way, it may also stifle enhanced and unconventional training that could produce new talent.
I have been working as an educator in this field for two decades. This section presents an awful idea.
Sec 8. Review Of NTIA Domain Name Contracts
Basically requires the Advisory Panel (Sec 3) to review any contract renewal with ICANN, and gives it veto authority.
Reasonable. it doesn't address some of the problems with ICANN, but it isn't clear that Congress can do that.
Sec 9. Secure Domain Name Addressing System
Within 3 years, the Commerce Department must come up with a strategy and schedule to implement DNSSEC, and the President must require all agencies and departments to follow that plan.
Probably reasonable, and with a more realistic timetable than some of the other sections.
Sec 10. Promoting Cybersecurity Awareness
Basically, the Secretary of Commerce is charged with finding ways to increase public awareness of cybersecurity. Not a bad idea, but the real issue occurs when budgets are allocated. Commerce gets stuck with lots of unfunded mandates, and I don't see this as ranking up there with, say, maintaining the nation's atomic clocks or evaluating the next digital signature standard. So, if the budgets are cramped, this won't happen.
Sec 11. Federal Cybersecurity Research And Development
This directs NSF to provide more funding towards some specific hard research issues (assurance, attribution, insider threat, privacy protection, etc.), and to help ensure that students get some training in secure code production techniques (although that is a somewhat nebulous concept). It also authorizes significant new funding levels for research, establishment of centers, and funding traineeships.
Overall, I think the intent is good. The issue is once again one of appropriations each year to fund these initiatives. if "new" funding is available, that is great. However, if this ends up eating into other research thrusts, it is generally not good for the community as a whole.
It is also the case that when substantial blocks of money are made available, suddenly "experts" come out the woodwork to compete for it. New ideas and new blood are needed in the area, but it is almost certain that a significant part of this will not accomplish what is intended, although what is accomplished may still have value. I would hope that the NSF doesn't try to address this by tying funds to the Centers of Excellence (sic).
Sec 12. Federal Cyber Scholarship-For-Service Program
The NSF SoS program would be expanded in size and scope, and codify it in law. The Scholarship for Service program grew out of an idea I presented to Congress back in 1997. It has functioned well, although it has not attracted large numbers of students, for a variety of reasons. The expansion of the program in this draft bill doesn't really change the nature of the program, so I would be very surprised if the 1000 students per year would actually matriculate. I suppose the numbers might get pumped up if more schools participated, but we don't have the faculty or educational materials nationally to do that. Thus, I have reservations about this, too.
Sec 13. Cybersecurity Competition And Challenge
This would direct NIST to set up national competitions at different levels for cybersecurity. There is also authorization to solicit for and award prize money to winners.
I can see where this might increase interest in the field, and bring more people out to solve problems. However, the majority of challenges held in the field right now are "hacking into the opposing server" challenges, and I have contended over the years that such an approach should not be encouraged. It we are looking for employees of cyber military groups, this might be okay. But hack challenges don't really recognize the well-rounded and adept defenders and researchers. Attack challenges also don't tend to engage women, who are already badly underrepresented in the field.
So, this is another qualified "maybe" section: good intent, but a lot depends on implementation.
Sec 14. Public-Private Clearinghouse
This establishes Commerce as the home of vulnerability and threat information for government systems and critical private infrastructure. Commerce also has to come up with methods and standards for protecting and sharing this information.
Hmmm, I thought DHS was supposed to be doing all this now?
Sec 15. Cybersecurity Risk Management Report
The President is supposed to come up with a report on the feasibility of a risk and insurance market for cyber risk. The report is also supposed to include the feasibility of including that risk in bond ratings.
I've often said that if we could get the insurance industry engaged, we might well see some progress in private sector security. However, without some liability for companies (above and beyond loss risk) it still might not be enough. This bill doesn't touch the liability issue, which is likely to be a third rail issue for any legislation.
Sec 16. Legal Framework Review And Report
This section of the bill would mandate review of existing law that touches on cyber, and require recommendations for any necessary changes. This includes the ECPA, the Privacy Act, FISMA, and others. This would be a very good idea. The review would be delivered to Congress. At that point, there is no way to predict what might happen, but a review is definitely needed.
Sec 17. Authentication And Civil Liberties Report'
Briefly mandates study of a national identification and authentication program, including the civil liberties issues associated therewith.
This is another touchy topic. There are many groups advocating for strongly authenticated ID, but there are also reasons to proceed with caution. Performing an in-depth study is probably worthwhile, but I'd prefer to see the National Academies tasked with it than an agency of government.
Sec 18. Cybersecurity Responsibilities And Authority
This would give the President authority to disconnect government or critical infrastructure systems in the event of an emergency. it would also grant authority for mapping systems, setting standards, monitoring performance, and other activities to protect and defend national-interest systems. It also allows the President to designate an agency or organization to be in charge during any cyber incident – presumably including Department of Defense agencies.
This has been controversial because of the "disconnect" provision. It isn't clear to me that there are situations that would be helped by a disconnect, although I can certainly imagine some that might be made worse by disconnection. I'm not sure that the current infrastructure would even allow disconnection! So, on balance, if it were left out I don't think it would matter, but it might make some people less nervous.
Most of the other parts of the section seem reasonable.
Sec 19. Quadrennial Cyber Review
Every four years there would need to be a review of cybersecurity posture, strategy, partnerships, threats, and so on. The Advisory Panel (Sec 3) would be involved. "The review shall include a comprehensive examination of the cyber strategy, force structure, modernization plans, infrastructure, budget plan, the Nation's ability to recover from a cyberemergency, and other elements of the cyber program and policies with a view toward determining and expressing the cyber strategy of the United States and establishing a revised cyber program for the next 4 years." Wow!
This is modeled after the Defense Department's review of the same name, I assume. It would be a tremendous amount of work, and might be a huge distraction. However, it also might help to highlight some of the shortfalls and dangers in a way that would be useful for policymakers.
One consideration from the DoD side: structuring reporting in this way tends to move planning from annual or biennial cycles to quadrennial or octennial cycles. In a fast-moving field such as cyber, this might well be counterproductive.
Sec 20. Joint Intelligence Threat Assessment
it states "The Director of National Intelligence and the Secretary of Commerce shall submit to the Congress an annual assessment of, and report on, cybersecurity threats to and vulnerabilities of critical national information, communication, and data network infrastructure."
Well, that's reasonable. Hmm, where is DHS?
Sec 21. International Norms And Cybersecurity Deterrance Measures
The President is directed to work with foreign governments to increase engagement and cooperation in cybersecurity.
We can hardly argue with that!
Sec 22. Federal Secure Products And Services Acquisitions Board
This would establish a board to set and review requirements for Federal acquisitions to ensure that cybersecurity standards are met.
My comments on section 6 hold here as well.
Sec 23. Definitions
Assorted definitions to interpret other parts of the bill.
S. 778 seems like a reasonable idea, although it isn't clear that enough responsibility is given to the position. Merging with S773 might be reasonable with many of the tasks in S.773 currently delegated to the President instead delegated to the new position.
S.773 is best where it encourages new development. reporting, education and response. Unfortunately, some of the restrictions and mandates, especially Sections 6 and 7, make the bill more toxic than helpful.
The new funding required to carry everything out would be in the many hundreds of millions of dollars per year. Most of that is explicitly authorized in this legislation, but corresponding appropriation is not a certainty...and given the current economic climate, it is unlikely. Thus, there are some things contained in here that would end up as unfunded mandates on a few agencies (such as NIST) that are already laboring under a huge taskload with insufficient resources.
No mention is made of bolstering law enforcement at any level to help deal with cybersecurity issues. That is unfortunate, because it is one place where some immediate impact could definitely be made. However, given the way this will wend through committees, that is not unexpected. Commerce gets the bill first, so they get the direction.
DHS isn't mentioned anywhere. Again, that may be because of the path the bill will take through committees. However, I can't help but think it also has to do with the way that DHS has screwed up in this whole arena.
Overall, this bill evidences a great deal of careful thought and deep concern. There are many great ideas in here, as well as a few flawed ones. I have my fingers crossed that the rumored revision addresses the flaws and results in something that can get passed into law. Even a pared-down law consisting of sections 3, 5, 9, 10, 11, 12, 16 and 21 would have a lot of positive impact.
Tonight (June 27) was the annual ACM Awards Banquet. This event is where various awards and recognitions are made, although most are announced well in advance. Among other things, this is when the Turing Award is officially given (this year, to Professor Barbara Liskov), and when the new class of ACM Fellows is inducted.
Also annually, the Computing Research Association (CRA) awards a Distinguished Service Award "...to a person who has made an outstanding service contribution to the computing research community. This award recognizes service in the areas of government affairs, professional societies, publications or conferences, and leadership that has a major impact on computing research."
I was this year's recipient of that CRA award. And as this is one of the "off years" when the CRA Snowbird Conference is not held, they needed a venue for presentation. They chose the ACM Banquet.
Peter Lee, the current chair of CRA, made the presentation, as the closing award of the evening. He was gracious in his comments about why I got the award. Then I had a minute to make some brief remarks. This is approximately what I said (and meant it!):
I am still a bit surprised that I received this award, as it is in recognition of things I can't imagine I could stop doing!
There are several reasons that organizations give awards. One is certainly to recognize great achievement. Another is to set examples and encourage others to strive for similar heights. Certainly, tonight we have heard of great achievements, and there are many others recognized by awards in previous years, as listed in the booklets at our tables.
But I'd like to take advantage of this moment to be that example. Not all of us have the opportunities or wherewithal to make incredible discoveries and advance the field. But every one of us has the on-going opportunity to make a difference in the world. We are working in a field that changes the world every day. Each of us can add to those changes in a positive way. Spread the word. Go out and change the world, through discovery, education, mentoring, or engagement. Make the world a better place.
I believe the best is yet to come, but we all have to work to achieve it.
The event was fun and well attended. I got a chance to see and talk with people I have not seen in person in over 20 years, as well as some I had seen as recently as a few weeks ago. And I got to meet people in person for the first time but with whom I have corresponded for decades. That was certainly worthwhile.
And how often does one get to claim to have spoken with a half-dozen Turing Award winners in a weekend, and almost as many current & former ACM Presidents?
I dressed in my tux and black tie. No one was particularly impressed, although a few commented that I looked less rumpled than usual.
And kudos to Kelly Gotlieb who was co-chair of the Awards Committee and is celebrating his 60th anniversary as a continuous member of ACM. The man is amazing....but so were so many of the people present.
If you are in computing and not a member of ACM, you should be. There are also special rates for students.
On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator Obama stated:
Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.
As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives.
That was a pretty exciting statement to hear!
On February 9, 2009, (now) President Obama appointed Melissa Hathaway as Acting Senior Director for Cyberspace and charged her with performing a comprehensive review of national cyberspace security in 60 days. I interacted with Ms. Hathaway and members of her team during those 60 days (as well as before and after). From my point of view, it was a top-notch team of professionals approaching the review with a great deal of existing expertise and open minds. I saw them make a sincere effort to reach out to every possible community for input.
If you're keeping count, the report was delivered on or about April 10. Then, mostly silence to those of us on the outside. Several rumors were circulated in blogs and news articles, and there was a presentation at the RSA conference that didn't really say much.
Until today: May 29th.
Shortly after 11am EDT, President Obama gave some prepared remarks and his office released the report. In keeping with his July 2008 statement, the President did declare that "our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset." However, he did not appoint someone as a National Cyber Advisor. Instead, he announced the position of a "Cybersecurity Coordinator" that will be at a lower level in the Executive Office of the White House. No appointment to that position was announced today, either. (I have heard rumor from several sources that a few high-profile candidates have turned down offers of the position already. Those are only rumors, however.)
The President outlined the general responsibilities and duties of this new position. It apparently will be within the National Security Staff, reporting to the NSC, but also reporting to OMB and the National Economic Council, and working with the Federal CIO, CTO and the Office of Science and Technology Policy.
The new Coordinator will be charged with
The President also made it clear that privacy was important, and that monitoring of private networks would not occur.
There were a number of things that weren't stated that are also interesting, as well as understanding implications of what was stated.
First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs. The position reports to several entities, presumably with veto power (more on that below). Although the President said the appointee will have "regular access" to him, that is not the same as an advisor -- and this is a difference that can mean a lot in Washington circles. Although it is rumor that several high-profile people have already turned down the position, I am not surprised given this circumstance. (And this may be why it has been two months since the report was delivered before this event — they've been trying to find someone to take the job.)
The last time someone was in a role like this with no real authority -- was in 2001 when Howard Schmidt was special adviser for cyberspace security to President G.W.Bush. Howard didn't stay very long, probably because he wasn't able to accomplish anything meaningful beyond coordinating (another) National Plan to Secure Cyberspace. It was a waste of his time and talents. Of course, this President knows the difference between "phishing" and "fission" and has actually used email, but still...
Second, the position reports to the National Economic Council and OMB. If we look back at our problems in cyber security (and I have blogged about them extensively over the last few years, and spoken about them for two decades), many of them are traceable to false economies: management deciding that short-term cost savings were more important than protecting against long-term risk. Given the current stress in the economy I don't expect any meaningful actions to be put forth that cost anything; we will still have the mindset that "cheapest must be best."
Third, there was no mention of new resources. In particular, no new resources for educational initiatives or research. We can pump billions of dollars into the bank accounts of greedy financiers on Wall Street, but no significant money is available for cyber security and defense. No surprise, really, but it is important to note the "follow the money" line -- the NEC has veto power over this position, and no money is available for new initiatives outside their experience.
Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts. We already have laws in place and mechanisms that could be deployed if we simply had the resources and will to deploy them. No mention was made at all about anything active such as this -- all the focus was on defensive measures. Similarly, there was no mention of national-level responses to some of the havens of cyber criminals, nor of the pending changes in the Department of Defense that are being planned.
Fifth, the President stated "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." I suspect that was more than intended to reassure the privacy advocates -- I believe it was "code" for "We will not put the NSA in charge of domestic cyber security." Maybe I'm trying to read too much into it, but this has been a touchy issue in many different communities over the last few months.
There are certainly other things that might be noted about the report, but we should also note some positive aspects: the declaration that cyber is indeed a strategic national asset, that the problems are large and growing, that the existing structures don't work, that privacy is important, and that education is crucial to making the most of cyber going forward.
Of course, Congress ("pro is to con as Progress is to Congress") is an important player in all this, and can either help define a better or solution or stand in the way of what needs to be done. Thus, naming a Cyberspace Coordinator is hardly the last word on what might happen.
But with the perspective I have, I find it difficult to get too excited about the overall announcement. We shall see what actually happens.
I've read the report through twice, and read some news articles commenting on it. These comments are "off the top" and not necessarily how I'll view all this in a week or two. But what's the role of blogging if I need to think about it for a month, first?
It is important to note that the President's remarks were not the same as the report, although its issuance was certainly endorsed by the White House. The reason I note the difference is that the report identifies many problems that the President's statement does not address (in any way), and includes many "should"s that cannot be addressed by a "coordinator" who has no budget or policy authority.
What is both interesting and sad is how much the new report resembles the largely-inconsequential National Plan to Secure Cyberspace issued under the Bush Administration (be sure to see the article at the link). That isn't a slam on this report -- as I wrote earlier, I think it is a good effort by a talented and dedicated team. What I mean to imply is that the earlier National Plan had some strong points too, but nothing came of it because of cost and prioritization and lack of authority.
There are a number of excellent points made in this report: the international aspects, the possibility of increased liability for poor security products and pratices, the need for involvement of the private sector and local governments, the need for more education, the problems of privacy with security, and more.
I was struck by a few things missing from the report.
First, there was no mention of the need for more long-term, less applied research and resources to support it. This is a critical issue, as I have described here before and has been documented time and again. To its credit, the report does mention a need for better technology transfer, although this is hardly the first time that has been observed; the 2005 PITAC report "Cyber Security: A Crisis of Prioritization" included all of this (and also had minimal impact).
The report had almost nothing to say about increasing resources and support for law enforcement and prosecution. This continues to puzzle me, as we have laws in place and systems that could make an impact if we only made it a priority.
There is no discussion about why some previous attempts and structures -- notably DHS -- have failed to make any meaningful progress, and sometimes have actually hindered better cyber security. Maybe that would be expecting too much in this report (trying not to point fingers), but one can't help but wonder. Perhaps it is simply enough to note that no recommendations are made to locate any of the cyber responsibilities in DHS.
There is some discussion of harmonizing regulations, but nothing really about reviewing the crazy-quilt laws we have covering security, privacy and response. There is one sentence in the report that suggests that seeking new legislation could make things worse, and that is true but odd to see.
As an aside, I bet the discussion about thinking about liability changes for poor security practices and products -- a very reasonable suggestion -- caused a few of the economic advisors to achieve low Earth orbit. That may have been enough to set off the chain of events leading to reporting to the NEC, actually. However, it is a legitimate issue to raise, and one that works in other markets. Some of us have been suggesting for decades that it be considered, yet everyone in business wants to be held blameless for their bad decisions. Look at what has played out with the financial meltdown and TARP and you'll see the same: The businessmen and economists can destroy the country, but shouldn't be held at fault.
There is discussion of the supply-chain issue but the proposed solution is basically to ensure US leadership in production -- a laudable goal, but not achievable given the current global economy. We're going to need to change some of our purchasing and vetting habits to really achieve more trustworthy systems — but that won't go over with the economists, either.
There is no good discussion about defining roles among law enforcement, the military, the intelligence community, and private industry in responding to the problems. Yes, that is a snake pit and will take more than this report to describe, but the depth of the challenges could have been conveyed.
As David Wagner noted in email to an USACM committee, there is no prioritization given to help a reader understand which items are critical, which items are important, and which are merely desirable. We do not have the resources to tackle all the problems first, and there is no guidance here on how to proceed.
I didn't intend for this to be a long, critical post about the report and the announcement. I think that this topic is receiving Presidential attention is great. The report is really a good summary of the state of cybersecurity and needs, produced by some talented and dedicated Federal employees. However, the cynic in me fears that it will go the way of all the other fine reports -- many of which I contributed to -- including the PITAC report and the various CSTB reports; that is, it will make a small splash and then fade into the background as other issues come to the fore.
Basically, I think the President had the right intentions when all this started, but the realpolitik of the White House and current events have watered them down, resulting in action that basically endorses only a slight change from the status quo.
I could be wrong. I hope I'm wrong. But experience has shown that it is almost impossible to be too cynical in this area. In a year or so we can look back at this and we'll all know. But what we heard today certainly isn't what Candidate Obama promised last July.
[Note: the following is primarily about U.S. Government policies, but I believe several points can be generalized to other countries.]
I was editing a section of my website, when I ran across a link to a paper I had forgotten that I wrote. I'm unsure how many people actually saw it then or since. I know it faded from my memory! Other than CERIAS WWW sites and the AAAS itself, a Google search reveals almost no references to it.
As background, in early April of 2002, I was asked, somewhat at the last moment, to prepare a paper and some remarks on the state of information security for a forum, Technology in a Vulnerable World, held on science in the wake of 9/11. The forum was sponsored by the AAAS, and held later that month. There were interesting papers on public health, risk communication, the role of universities, and more, and all of them are available for download.
My paper in the forum wasn't one of my better ones, in that it was somewhat rushed in preparing it. Also, I couldn't find good background literature for some of what I was writing. As I reread what I wrote, many of the points I raised still don't have carefully documented sources in the open literature. However, I probably could have found some published backup for items such as the counts of computer viruses had I spent a little more time and effort on it. Mea culpa; this is something I teach my students about. Despite that, I think I did capture most of the issues that were involved at the time of the forum, and I don't believe there is anything in the paper that was incorrect at that time.
Why am I posting something here about that paper, One View of Protecting the National Information Infrastructure, written seven years ago? Well, as I reread it, I couldn't help but notice that it expressed some of the same themes later presented in the PITAC report, Cyber Security: A Crisis of Prioritization (2005), the NRC report Towards a Safer and More Secure Cyberspace (2007), and my recent Senate testimony (2009). Of course, many of the issues were known before I wrote my paper -- including coverage in the NRC studies Computers at Risk: Safe Computing in the Information Age (1991), Trust in Cyberspace (1999) and Cybersecurity Today and Tomorrow (2002) (among others I should have referenced). I can find bits and pieces of the same topics going further back in time. These issues seem to be deeply ingrained.
I wasn't involved in all of those cited efforts, so I'm not responsible for the repetition of the issues. Anyone with enough background who looks at the situation without a particular self-interest is going to come up with approximately the same conclusions -- including that market forces aren't solving the problem, there aren't enough resources devoted to long-term research, we don't have enough invested in education and training, we aren't doing enough in law enforcement and active defense, and we continue to spend massive amounts trying to defend legacy systems that were never designed to be secure.
Given these repeated warnings, it is troubling that we have not seen any meaningful action by government to date. However, that is probably preferable to government action that makes things worse: consider DHS as one notable example (or several).
Compounding the problem, too many leaders in industry are unwilling to make necessary, radical changes either, because such actions might disrupt their businesses, even if such actions are in the public good. It is one of those "tragedy of the commons" situations. Market forces have been shown to be ineffective in fixing the problems, and will actually lead to attempts to influence government against addressing urgent needs. Holding companies liable for their bad designs and mistakes, or restricting spending on items with known vulnerabilities and weaknesses would be in the public interest, but too many vendors affected would rather lobby against change than to really address the underlying problems.
Those of us who have been observing this problem for so long are therefore hoping that the administration's 60 day review provides strong impetus for meaningful changes that are actually adopted by the government. Somewhat selfishly, it would be nice to know that my efforts in this direction have not been totally in vain. But even if nothing happens, there is a certain sense of purpose in continuing to play the role of Don Quixote.
Sancho! Where did I leave my horse?
Why is it that Demotivators® seem so appropriate when talking about cyber security or government? If you are unfamiliar with Despair.com, let me encourage you to explore the site and view the wonderfully twisted items they have for sale. In the interest of full disclosure, I have no financial interest or ties to the company, other than as a satisfied and cynical customer.
On a more academic note, you can read or purchase the NRC reports cited above online via the National Academies Press website.
On March 19, I had an opportunity to testify before the Senate Committee on on Commerce, Science, and Transportation. The hearing was entitled Cybersecurity -- Assessing Our Vulnerabilities and Developing An Effective Defense.
I was asked to include information on research problems, educational initiatives, and issues regarding the current state of cyber security in the nation. As is usual for such things, the time between the invitation and the due date for written testimony was short. Thus, I didn't have the time to delve deeply into the topic areas, but could only address the things that I already had on hand -- including some posts from this blog that I had written before. The result was a little longer than the other statements, but I think I covered more ground.
One hint for people testifying before Congress on such things: you can't depend on how long you will have for spoken remarks, so be sure any points you want to make are in your written testimony. In this case, the hearing was limited to about 75 minutes because there were several votes scheduled on the Senate floor, and the committee needed to adjourn to allow the Senators to attend the votes. And, as is common for too many hearings, there weren't many of the committee members present; I believe the hearing began with only two of the 25 members present, and some movement of members in and out to reach a maximum of four seated at any one time. In this case, the chair (Senator Jay Rockefeller of West Virginia) apologized to us several times for the low turnout. However, many (all?) of the staff and aides were present, so I'm certain the gist of the testimony presented will be considered.
The Senator made a nice introductory statement.
My written testimony is available on my website as well as the committee site. My oral statement was from rough notes that I modified on the fly as I listened to the other testimony (by Jim Lewis, Eric Weiss and Ed Amoroso). That statement, and the whole hearing, are available via the archived hearing webcast (my remarks start at about 46:30 into the webcast). If I get a transcribed version of those remarks, I will post them along with my written testimony on my website in the "US government" section.
Comments by the other speakers were good overall and I think we collectively covered a lot of ground. The questions from the Senators present indicated that they were listening and knew some of the problems in the area. The comments from Senator Nelson about the intrusions into his systems were surprising: several Senate security staff were present at the hearing and indicated to me that his remarks were the first they had heard of the incidents! So, the hearing apparently set off an incident-response exercise -- separate from responding to my presence in the building, that is.
Will this hearing make a difference? I don't know. I've been testifying and saying the same things for over a dozen years (this was my 8th Congressional hearing testimony) and things haven't gotten that much better...and may even be worse. Senator Rockefeller has indicated he intends to introduce legislation supporting more funding for students studying cyber security issues. There was some good news coverage of all this (e.g., FCW and CNet).
I am told that there will be more hearings by this committee. Some House committees have been holding hearings too, and the President's 60 day review continues apace. The added attention is great, but with the sudden interest by so many, the result may be more confusion rather than resolution.
Also as a reminder, there is my tumble blog on security issues, with links to items on the news and WWW of possible interest to those who find my ramblings and rants of interest.