Today, and Before

On July 17, 2008, (then) Senator Barack Obama held a town hall meeting on national security at Purdue University. He and his panel covered issues of nuclear, biological and cyber security. (I blogged about the event here and here.) As part of his remarks at the event, Senator Obama stated:

Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information — from the networks that power the federal government, to the networks that you use in your personal lives.

That was a pretty exciting statement to hear!

On February 9, 2009, (now) President Obama appointed Melissa Hathaway as Acting Senior Director for Cyberspace and charged her with performing a comprehensive review of national cyberspace security in 60 days. I interacted with Ms. Hathaway and members of her team during those 60 days (as well as before and after). From my point of view, it was a top-notch team of professionals approaching the review with a great deal of existing expertise and open minds. I saw them make a sincere effort to reach out to every possible community for input.

If you're keeping count, the report was delivered on or about April 10. Then, mostly silence to those of us on the outside. Several rumors were circulated in blogs and news articles, and there was a presentation at the RSA conference that didn't really say much.

Until today: May 29th.

Shortly after 11am EDT, President Obama gave some prepared remarks and his office released the report. In keeping with his July 2008 statement, the President did declare that "our digital infrastructure -- the networks and computers we depend on every day -- will be treated as they should be: as a strategic national asset." However, he did not appoint someone as a National Cyber Advisor. Instead, he announced the position of a "Cybersecurity Coordinator" that will be at a lower level in the Executive Office of the White House. No appointment to that position was announced today, either. (I have heard rumor from several sources that a few high-profile candidates have turned down offers of the position already. Those are only rumors, however.)

The President outlined the general responsibilities and duties of this new position. It apparently will be within the National Security Staff, reporting to the NSC, but also reporting to OMB and the National Economic Council, and working with the Federal CIO, CTO and the Office of Science and Technology Policy.

The new Coordinator will be charged with

1. helping develop (yet another) strategy to secure cyberspace. This will include metrics and performance milestones;
2. coordinating with state and local governments, and with the private sector, "to ensure an organized and unified response to future cyber incidents."
3. to strengthen ties with the private sector, with an explicit mandate to not set security standards for industry.
4. to continue to invest in cyber (although the examples he gave were not about research or security
5. to begin a national campaign to increase awareness and cyber literacy.

The President also made it clear that privacy was important, and that monitoring of private networks would not occur.

Reading Between the Lines

There were a number of things that weren't stated that are also interesting, as well as understanding implications of what was stated.

First of all, the new position is rather like a glorified cheerleader: there is no authority for budget or policy, and the seniority is such that it may be difficult to get the attention of cabinet secretaries, agency heads and CEOs. The position reports to several entities, presumably with veto power (more on that below). Although the President said the appointee will have "regular access" to him, that is not the same as an advisor -- and this is a difference that can mean a lot in Washington circles. Although it is rumor that several high-profile people have already turned down the position, I am not surprised given this circumstance. (And this may be why it has been two months since the report was delivered before this event — they've been trying to find someone to take the job.)

The last time someone was in a role like this with no real authority -- was in 2001 when Howard Schmidt was special adviser for cyberspace security to President G.W.Bush. Howard didn't stay very long, probably because he wasn't able to accomplish anything meaningful beyond coordinating (another) National Plan to Secure Cyberspace. It was a waste of his time and talents. Of course, this President knows the difference between "phishing" and "fission" and has actually used email, but still...

Second, the position reports to the National Economic Council and OMB. If we look back at our problems in cyber security (and I have blogged about them extensively over the last few years, and spoken about them for two decades), many of them are traceable to false economies: management deciding that short-term cost savings were more important than protecting against long-term risk. Given the current stress in the economy I don't expect any meaningful actions to be put forth that cost anything; we will still have the mindset that "cheapest must be best."

Third, there was no mention of new resources. In particular, no new resources for educational initiatives or research. We can pump billions of dollars into the bank accounts of greedy financiers on Wall Street, but no significant money is available for cyber security and defense. No surprise, really, but it is important to note the "follow the money" line -- the NEC has veto power over this position, and no money is available for new initiatives outside their experience.

Fourth, there was absolutely no mention made of bolstering our law enforcement community efforts. We already have laws in place and mechanisms that could be deployed if we simply had the resources and will to deploy them. No mention was made at all about anything active such as this -- all the focus was on defensive measures. Similarly, there was no mention of national-level responses to some of the havens of cyber criminals, nor of the pending changes in the Department of Defense that are being planned.

Fifth, the President stated "Our pursuit of cybersecurity will not -- I repeat, will not include -- monitoring private sector networks or Internet traffic." I suspect that was more than intended to reassure the privacy advocates -- I believe it was "code" for "We will not put the NSA in charge of domestic cyber security." Maybe I'm trying to read too much into it, but this has been a touchy issue in many different communities over the last few months.

There are certainly other things that might be noted about the report, but we should also note some positive aspects: the declaration that cyber is indeed a strategic national asset, that the problems are large and growing, that the existing structures don't work, that privacy is important, and that education is crucial to making the most of cyber going forward.

Of course, Congress ("pro is to con as Progress is to Congress") is an important player in all this, and can either help define a better or solution or stand in the way of what needs to be done. Thus, naming a Cyberspace Coordinator is hardly the last word on what might happen.

But with the perspective I have, I find it difficult to get too excited about the overall announcement. We shall see what actually happens.

The Report

I've read the report through twice, and read some news articles commenting on it. These comments are "off the top" and not necessarily how I'll view all this in a week or two. But what's the role of blogging if I need to think about it for a month, first?

It is important to note that the President's remarks were not the same as the report, although its issuance was certainly endorsed by the White House. The reason I note the difference is that the report identifies many problems that the President's statement does not address (in any way), and includes many "should"s that cannot be addressed by a "coordinator" who has no budget or policy authority.

What is both interesting and sad is how much the new report resembles the largely-inconsequential National Plan to Secure Cyberspace issued under the Bush Administration (be sure to see the article at the link). That isn't a slam on this report -- as I wrote earlier, I think it is a good effort by a talented and dedicated team. What I mean to imply is that the earlier National Plan had some strong points too, but nothing came of it because of cost and prioritization and lack of authority.

There are a number of excellent points made in this report: the international aspects, the possibility of increased liability for poor security products and pratices, the need for involvement of the private sector and local governments, the need for more education, the problems of privacy with security, and more.

I was struck by a few things missing from the report.

First, there was no mention of the need for more long-term, less applied research and resources to support it. This is a critical issue, as I have described here before and has been documented time and again. To its credit, the report does mention a need for better technology transfer, although this is hardly the first time that has been observed; the 2005 PITAC report "Cyber Security: A Crisis of Prioritization" included all of this (and also had minimal impact).

The report had almost nothing to say about increasing resources and support for law enforcement and prosecution. This continues to puzzle me, as we have laws in place and systems that could make an impact if we only made it a priority.

There is no discussion about why some previous attempts and structures -- notably DHS -- have failed to make any meaningful progress, and sometimes have actually hindered better cyber security. Maybe that would be expecting too much in this report (trying not to point fingers), but one can't help but wonder. Perhaps it is simply enough to note that no recommendations are made to locate any of the cyber responsibilities in DHS.

There is some discussion of harmonizing regulations, but nothing really about reviewing the crazy-quilt laws we have covering security, privacy and response. There is one sentence in the report that suggests that seeking new legislation could make things worse, and that is true but odd to see.

As an aside, I bet the discussion about thinking about liability changes for poor security practices and products -- a very reasonable suggestion -- caused a few of the economic advisors to achieve low Earth orbit. That may have been enough to set off the chain of events leading to reporting to the NEC, actually. However, it is a legitimate issue to raise, and one that works in other markets. Some of us have been suggesting for decades that it be considered, yet everyone in business wants to be held blameless for their bad decisions. Look at what has played out with the financial meltdown and TARP and you'll see the same: The businessmen and economists can destroy the country, but shouldn't be held at fault.

There is discussion of the supply-chain issue but the proposed solution is basically to ensure US leadership in production -- a laudable goal, but not achievable given the current global economy. We're going to need to change some of our purchasing and vetting habits to really achieve more trustworthy systems — but that won't go over with the economists, either.

There is no good discussion about defining roles among law enforcement, the military, the intelligence community, and private industry in responding to the problems. Yes, that is a snake pit and will take more than this report to describe, but the depth of the challenges could have been conveyed.

As David Wagner noted in email to an USACM committee, there is no prioritization given to help a reader understand which items are critical, which items are important, and which are merely desirable. We do not have the resources to tackle all the problems first, and there is no guidance here on how to proceed.

Summary

I didn't intend for this to be a long, critical post about the report and the announcement. I think that this topic is receiving Presidential attention is great. The report is really a good summary of the state of cybersecurity and needs, produced by some talented and dedicated Federal employees. However, the cynic in me fears that it will go the way of all the other fine reports -- many of which I contributed to -- including the PITAC report and the various CSTB reports; that is, it will make a small splash and then fade into the background as other issues come to the fore.

Basically, I think the President had the right intentions when all this started, but the realpolitik of the White House and current events have watered them down, resulting in action that basically endorses only a slight change from the status quo.

I could be wrong. I hope I'm wrong. But experience has shown that it is almost impossible to be too cynical in this area. In a year or so we can look back at this and we'll all know. But what we heard today certainly isn't what Candidate Obama promised last July.

(And as I noted in a previous post, Demotivators seem to capture so much of this space. Here's one that almost fits.)

[Note: the following is primarily about U.S. Government policies, but I believe several points can be generalized to other countries.]

I was editing a section of my website, when I ran across a link to a paper I had forgotten that I wrote. I'm unsure how many people actually saw it then or since. I know it faded from my memory! Other than CERIAS WWW sites and the AAAS itself, a Google search reveals almost no references to it.

As background, in early April of 2002, I was asked, somewhat at the last moment, to prepare a paper and some remarks on the state of information security for a forum, Technology in a Vulnerable World, held on science in the wake of 9/11. The forum was sponsored by the AAAS, and held later that month. There were interesting papers on public health, risk communication, the role of universities, and more, and all of them are available for download.

My paper in the forum wasn't one of my better ones, in that it was somewhat rushed in preparing it. Also, I couldn't find good background literature for some of what I was writing. As I reread what I wrote, many of the points I raised still don't have carefully documented sources in the open literature. However, I probably could have found some published backup for items such as the counts of computer viruses had I spent a little more time and effort on it. Mea culpa; this is something I teach my students about. Despite that, I think I did capture most of the issues that were involved at the time of the forum, and I don't believe there is anything in the paper that was incorrect at that time.

Why am I posting something here about that paper, One View of Protecting the National Information Infrastructure, written seven years ago? Well, as I reread it, I couldn't help but notice that it expressed some of the same themes later presented in the PITAC report, Cyber Security: A Crisis of Prioritization (2005), the NRC report Towards a Safer and More Secure Cyberspace (2007), and my recent Senate testimony (2009). Of course, many of the issues were known before I wrote my paper -- including coverage in the NRC studies Computers at Risk: Safe Computing in the Information Age (1991), Trust in Cyberspace (1999) and Cybersecurity Today and Tomorrow (2002) (among others I should have referenced). I can find bits and pieces of the same topics going further back in time. These issues seem to be deeply ingrained.

I wasn't involved in all of those cited efforts, so I'm not responsible for the repetition of the issues. Anyone with enough background who looks at the situation without a particular self-interest is going to come up with approximately the same conclusions -- including that market forces aren't solving the problem, there aren't enough resources devoted to long-term research, we don't have enough invested in education and training, we aren't doing enough in law enforcement and active defense, and we continue to spend massive amounts trying to defend legacy systems that were never designed to be secure.

Given these repeated warnings, it is troubling that we have not seen any meaningful action by government to date. However, that is probably preferable to government action that makes things worse: consider DHS as one notable example (or several).

Compounding the problem, too many leaders in industry are unwilling to make necessary, radical changes either, because such actions might disrupt their businesses, even if such actions are in the public good. It is one of those "tragedy of the commons" situations. Market forces have been shown to be ineffective in fixing the problems, and will actually lead to attempts to influence government against addressing urgent needs. Holding companies liable for their bad designs and mistakes, or restricting spending on items with known vulnerabilities and weaknesses would be in the public interest, but too many vendors affected would rather lobby against change than to really address the underlying problems.

Those of us who have been observing this problem for so long are therefore hoping that the administration's 60 day review provides strong impetus for meaningful changes that are actually adopted by the government. Somewhat selfishly, it would be nice to know that my efforts in this direction have not been totally in vain. But even if nothing happens, there is a certain sense of purpose in continuing to play the role of Don Quixote.

Sancho! Where did I leave my horse?

Why is it that Demotivators® seem so appropriate when talking about cyber security or government? If you are unfamiliar with Despair.com, let me encourage you to explore the site and view the wonderfully twisted items they have for sale. In the interest of full disclosure, I have no financial interest or ties to the company, other than as a satisfied and cynical customer.

On a more academic note, you can read or purchase the NRC reports cited above online via the National Academies Press website.

History

Back in 1997, the year before CERIAS was formally established, I testified before Congress on the state of cyber security in academia. In my testimony, I pointed out that there were only four established research groups, and their combined, yearly PhD production was around 3 per year, not counting cryptography.

Also in that testimony, I outlined that support was needed for new centers of expertise, and better support of existing centers.

As a result of that testimony, I was asked to participate in some discussions with staff from OSTP, from some Congressional committees (notably, the House Science Committee), and Richard Clarke's staff in the Executive Office of the President. I was also invited to some conversations with leadership at the NSA, including the deputy director for information security systems (IAD) (Mike Jacobs). Those discussions were about how to increase the profile of the area, and get more people educated in information security.

Among the ideas I discussed were ones expanded from my testimony. They eventually morphed into the Scholarship for Service program, the NSF CyberTrust program, and the NSA Centers of Academic Excellence (CAE). [NB. I am not going to claim sole or primary credit for these programs. I know I came up with the ideas, briefed people about them, discussed pros & cons, and then those groups took them and turned them into what we got. None of them are quite what I proposed, but that is how things happen in DC.]

The CAE program was established by the NSA in late 1998. The CAE certification was built around courses meeting CNSS requirements. Purdue was one of the first seven universities certified as CAEs, in May of 1999. We remained in the CAE program until earlier this year (2008). In 2003, DHS became a co-sponsor of the program.

Why Purdue is No Longer a CAE

In 2007, we were informed that unless we renewed our CNSS certifications by the end of August, we would not be eligible for CAE renewal in 2008. This prompted discussion and reflection by faculty and staff at CERIAS. As noted above, the mapping of CNSS requirements to our classes is non-trivial. The CAE application was also non-trivial. None of our personnel were willing to devote the hours of effort required to do the processing. Admittedly, we could have "faked" some of the mapping (as we know some schools have done in the past), but that was never an option for us. We had other objections, too (see what follows).As a result, we did not renew the certifications, and we dropped out of the CAE program when our certification expired earlier this year.

Our decision was not made lightly -- we nearly dropped out in 2004 when we last renewed (and were not grandfathered into the new 5 year renewal cycle, much to our annoyance), and there was continuing thought given to this over intervening years. We identified a number of issues with the program, and the overhead of the mapping and application process was not the only (or principal) issue.

First, and foremost, we do not believe it is possible to have 94 (most recent count) Centers of Excellence in this field. After the coming year, we would not be surprised if the number grew to over 100, and that is beyond silly. There may be at most a dozen centers of real excellence, and pretending that the ability to offer some courses and stock a small library collection means "excellence" isn't candid.

The program at this size is actually a Centers of Adequacy program. That isn't intended to be pejorative -- it is simply a statement about the size of the program and the nature of the requirements.

Some observers and colleagues outside the field have looked at the list of schools and made the observation that there is a huge disparity among the capabilities, student quality, resources and faculties of some of those schools. Thus, they have concluded, if those schools are all equivalent as "excellent" in cyber security, then that means that the good ones can't be very good ("excellent" means defining the best, after all). So, we have actually had pundits conclude that cyber security & privacy studies can't be much of a discipline. That is a disservice to the field as a whole.

Instead of actually designating excellence, the CAE program has become an ersatz certification program. The qualifications to be met are for minimums, not for excellence. In a field with so few real experts and so little money for advanced efforts, this is understandable given one of the primary goals of the CAE program -- to encourage schools to offer IA/IS programs. Thus, the program sets a relatively low bar and many schools have put in efforts and resources to meet those requirements. This is a good thing, because it has helped raise the awareness of the field. However, it currently doesn't set a high enough bar to improve the field, nor does it offer the resources to do so.

Setting a low bar also means that academic program requirements are being heavily influenced by a government agency rather than the academic community itself. This is not good for the field because it means the requirements are being set based on particular application need (of the government) rather than the academic community's understanding of foundations, history, guiding principles, and interaction with other fields. (E.g., Would your mathematics department base its courses on what is required to produce IRS auditors? We think not!) In practice, the CAE program has probably helped suppress what otherwise would be a trend by our community to discuss a formal, common curriculum standard. In this sense, participation in the CAE program may now be holding us back.

Second, and related, the CNSS standards are really training standards, and not educational standards. Some of them might be met by a multi-day class taught by a commercial service such as SANS or CSI -- what does that say about university-level classes we map to them? The original CNSS intent was to provide guidance for the production of trained system operators -- rather than the designers, researchers, thinkers, managers, investigators and more that some of our programs (and Purdue's, in particular) are producing.

We have found the CNSS standards to be time-consuming to map to courses, and in many cases inappropriate, and therefore inappropriate for our students. Tellingly, in 9 years we have never had a single one of our grads ask us for proof that they met the CNSS standards because an employer cared! We don't currently intend to offer courses structured around any of the CNSS standards, and it is past the point where we are interested in supporting the fiction that they are central to a real curriculum.

Third, we have been told repeatedly over the years that there might be resources made available for CAE schools if only we participated. It has never happened. The Scholarship for Service program is open to non-CAE schools (read the NSF program solicitation carefully), so don't think of that as an example. With 100 schools, what resources could reasonably be expected? If the NSA or DHS got an extra $5 million, and they spread it evenly, each would get $50,000. Take out institutional overhead charges, and that might be enough for 1 student scholarship...if that. If there were 10 schools, then $500,000 each is an amount that might begin to make a difference. But over a span of nearly 10 years the amount provided has been zero, and any way you divide that, it doesn't really help any of us. Thus, we have been investing time and energy in a program that has not brought us resources to improve. Some investment of our energy & time to bolster community was warranted, but that time is past.

Fourth, the renewal process is a burden because of the nature of university staffing and the time required. With no return on getting the designation, we could not find anyone willing to invest the time for the renewal effort.

Closing Comments

In conclusion, we see the CAE effort as valuable for smaller schools, or those starting programs. By having the accreditation (which is what this is, although it doesn't meet ISO standards for such), those programs can show some minimal capabilities, and perhaps obtain local resources to enhance them. However, for major programs with broader thrusts and a higher profile, the CAE has no real value, and may even have negative connotations. (And no, the new CAE-R program does not solve this as it is currently structured.)

The CAE program is based on training standards (CNSS) that do not have strong pedagogical foundations, and this is also not appropriate for a leading educational program. As the field continues to evolve over the next few years, faculty at CERIAS at Purdue expect to continue to play a leading role in shaping a real academic curriculum. That cannot be done by embracing the CAE.

We are confident that people who understand the field are not going to ignore the good schools simply because they don't have the designation, any more than people have ignored major CS programs because they do not have CSAB accreditation. We've been recognized for our excellence in research, we continue to attract and graduate excellent students, and we continue to serve the community. We are certain that people will recognize that and respond accordingly.

More importantly, this goes to the heart of what it means to be "trustworthy." Security and privacy issues are based on a concept of trust and that also implies honesty. It simply is not honest to continue to participate in (and thereby support) a designation that is misleading. There are not 94 centers of excellence in information and cyber security in the US. You might ask the personnel at some of the schools that are so designated as to why they feel the need to participate and shore up that unfortunate canard.

The above was originally written in 2008. A few years later, the CAE requirements were changed to add a CAE-R designation (R for research), and several of our students did the mapping so we were redesignated. Most of the criticisms remain accurate even in 2012.

This evening, I was watching—again—the classic John Carpenter movie, “Escape from New York.” What struck me about this movie (made in 1981) was how many things seem to somewhat correspond to more recent events.

For instance, the film begins with an airliner hijacked by terrorists and crashed into a building in Manhattan. There is a new, major government bureaucracy with law enforcement capabilities ala DHS (Lee Van Cleef even looks a little like Michael Chertoff). And there is a major prison on an island where people—especially terrorists and political prisoners—are sent and cannot get out. Trials seem to be abbreviated and maybe not even held. There is a long, unresolved war going on. And so on….

There are other parallels, but it depends on how you view the movie. I hadn’t seen it in years, so it really struck me how many items seemed ... eerily familiar. I’m a bit reluctant now to rewatch other Carpenter movies, such as Escape from LA, The Thing, and Ghosts of Mars!

It’s a great movie, so let me recommend that you watch it again if you haven’t seen it recently ... or at all: I know that many of my students haven’t seen it yet, and they should. They might be surprised—Snake Plissken isn’t dead yet.

If you watch it, let me know what you think!

[tags]DHS,MS Word,threats[/tags]
Earlier, I wrote about the security risks of using Microsoft Word documents as a presentation and encoding format for sending files via email (see posts here and here).  Files in “.doc” format contain macros, among other things, that could be executable.  They also have metadata fields that might give away sensitive information, and a lot of undocumented cruft that may be used in the process of exploiting security.  It is no wonder that exotic exploits are showing up for Word documents.  And only today it was revealed that the latest version of Office 2007 may not have even gotten the most recent patch set.

Want to find some vulnerabilities in Word?  Then take a look at the list of US-CERT alerts on that software; my search returns almost 400 hits.  Some of these are not yet patched, and there are likely many as-yet unpatched flaws still in there.

Clearly, the use of Word as a document exchange medium is Bad (that’s with a definite capital B).  People who understand good security practices do not exchange Word files unless they are doing collaborative editing, and even then it is better to use RTF (if one continues to be beholden to Microsoft formats).  Good security hygiene means warning others, and setting a good example.

Now, consider that DHS has released BAA07-09 to solicit research and prototypes to get fixes for current cyber infrastructure vulnerabilities.  I could rant about how they claim it is for R&D but is really a BAA for further product development for fundamentally flawed software that cannot be fixed.  But that isn’t the worst part.  No, the BAA is only available as Word documents!

Can you say “irony”?  This is the agency charged with helping guide us to a more secure infrastructure?  If so, electronically KYAG.

Update: A response from Dr. Douglas Maughn at DHS points out that the site I indicated for the BAA is actually FedBizOps rather than DHS.  The DHS posting site actually has it in PDF…although the FedBizOps link is the one I’ve seen in several articles (and in a posting in SANS NewsBites).

Of course, it would be great if DHS could get the folks at FedBizOps to clean up their act, but at least in this case, DHS—or rather, DHSARPA—got it right.  I stand corrected.