SoundOff is a new section of The New New Internet featuring the thoughts and perspectives of top industry experts and thought leaders on the biggest issues facing the cyber marketplace. These executives are drawn from the U.S. government contracting industry.
We hear a lot about best practices for responding to a cyber attack, but some say that detecting that a breach has occurred can be the real challenge. In the Computer Security Institute’s Computer Crime and Security Survey 2010/2011, respondents were asked what security solutions ranked highest on their wish lists. Many named tools that would improve their visibility: better log management, security information and event management, security data visualization, security dashboards and the like. Many organizations, especially federal agencies entrusted with critical data and the personal information of our nation’s citizens, are particularly vulnerable to cyber attacks. Without the appropriate solutions and tools in place, we are still running defense when it comes to detecting cyber attacks before the damage is done. Here is how one cybersecurity expert responded on the issue.
Leigh Palmer, VP advanced programs – information technology & cybersecurity solutions, BAE Systems
Leigh Palmer — To be proactive, government entities and agencies must explore the motives behind the unique attacks that they will likely encounter. This examination entails a thoughtful assessment of the data they hold, an evaluation of the data their adversary is pursuing, and most importantly, developing a clear understanding of how the stolen data will be used for financial profit or tactical/strategic gain.
Looking at an enterprise from this risk-based framework allows agencies to spend limited resources, providing greater protection to the most prized (and most at risk) assets. While many attacks are easily thwarted, the process is still a human-intensive task to separate “evidence of concern” from the rest of the attack data collected. Analytic methodology to triage incoming alerts will allow limited human capital to be focused on the issues of most concern.
Bill Luti, vice president for cybersecurity, DMI
Bill Luti — From a contractual point of view, it’s essential that exit considerations be built into the agreement up front, with a strong emphasis on ensuring your continuity of operations. What are the appropriate Service Level Agreements that need to be in place? Under what conditions does a violation of those SLAs trigger a potential exit? What happens if the cloud service vendor goes into receivership? What assurances do you have that once your data is transferred to you or to some other cloud service provider that it has been completely removed from your old vendor’s servers? What is your liability if some of your data is stolen from the service provider after you’ve left?
Technically, this may seem counterintuitive, but for many government agencies a winning strategy might be to specify that the agency actually owns the equipment being used by the service provider. It might also be useful to specify no multitenancy for your equipment. Again, this may seem to run counter to the idealized view of cloud computing, but it may become very important in the event of a default on the part of the service provider, or to facilitate a clean migration if you need to move your data.
Finally, procedures need to be specified to cover exactly what happens if you decide that you want to make a transition. It’s unwise to assume that this will be a smooth, easy process, unless it’s laid out in advance. Whom do you contact if your vendor goes out of business? How will data or your equipment be transferred back to you or to some other service provider? How will your service provider make certain that all of your data is thoroughly removed?
The cloud service model offers tremendous advantages. At DMI, we’ve used it to enable incredibly rapid deployment of applications and services for our clients. But for many agencies, this is uncharted territory, and it’s important to go in thinking carefully about all the possible outcomes.
Emily Stampiglia, senior director, federal sales, VCE
Emily Stampiglia – The transition to cloud services is a journey rather than an end state, and careful consideration of both risks and benefits must be weighed. The reality is that there are many paths to cloud, and many reasons why CIOs may opt for measured journeys rather than aggressively moving to subscription-based Software-as-a-Service models. Most CIOs are now driving virtualization programs as a first step on the path to cloud computing. Virtualized environments enable organizations to start delivering cost-effective IT that can be rapidly provisioned, while still offering high availability and dynamic scaling. Deploying virtualization on a standardized converged infrastructure platform enables rapid implementation with dramatic reductions in operations and maintenance costs.
The biggest barriers to cloud computing stem from uncertainties around security and privacy and other trust considerations like compliance, performance and availability. Federal CIOs must build a risk mitigation plan to ensure their responsibility to protect the organization’s information is fulfilled. The reality of today’s cyber threats makes us realize that information anywhere, whether in existing physical environments or private clouds or on a public infrastructure, has the potential to be hacked if proper precautions are not taken. Unlike commercial data where the risk can usually be measured in loss of dollars, the risk of losing sensitive federal government data can potentially have much more significant consequences. Technologies exist to prevent data breaches; however, it is frequently not a failure in technology but rather human interaction with the technology that causes problems. Government CIOs should explore public clouds for appropriate use cases and should ensure that the cloud provider is providing Service Level Agreement assurances to demonstrate their ability to secure information, satisfy regulatory and compliance requirements and provide performance and availability guarantees.
The cloud provider must have policies to address mandatory reporting of a data breach, and mitigation plans on how they would remediate a spill. For more mission-critical applications or information that is highly sensitive, a more pragmatic approach may be to build a converged infrastructure as a foundation for a private cloud model, where agencies can own and control their own infrastructure but provide cloud services to their internal and community customers. This path may allow government to better leverage their existing security and governance processes and technologies as they move on their journey to cloud computing.
Michael Mikuta, VP of technology strategy–cloud computing and mobile, HPTi
Michael Mikuta — It is interesting to consider the conversations about cloud exit strategy given most customers are in their earlier adoption phase of cloud implementations. Being concerned with lock-in is nothing new: which HW vendor should we choose, which database technology should we choose, which application development framework should we choose, and so on.
The point is, just because it is wrapped in the cloud moniker, don’t forget the same principles used in the past still apply and subsequent selection criteria should be leveraged where possible. Portability can be maintained through the proper application of virtualization and decoupling patterns. On the flip side, for those customers utilizing MapReduce as an emergent data processing paradigm, consider how we may be able to share data processing algorithms across clouds, ushering in a much more sophisticated mechanism for smart data sharing. Exit simple search, enter communitywide analytics — across intel solutions, across financial solutions, across security log analysis, etc.
In an effort to strengthen U.S. cybersecurity, the Obama administration last month released a strategy that stresses international collaboration and provides guidelines on what action to take against adversaries who use the Internet to launch attacks on the nation. Here, seven industry experts share their insight on the strategy and why they believe the framework is a step in the right direction.
“The White House is taking a positive step in proposing both a domestic initiative on cybersecurity and a strategy that calls for international cooperation in protecting global networks. Congress has already recognized the seriousness of closing security gaps by introducing nearly 50 cyber-related bills in the last session. Given that cybersecurity protects our critical infrastructure, financial networks and the personal information of our citizens, moving ahead with legislation is a necessary next step. The White House and the State Department have also begun to address the need for international cyberspace cooperation, focusing initially on norms of behavior for states.”
JR Reagan, principal, Federal Solutions Group leader, Deloitte and Touche LLP
“With young and brilliant leaders like Andy Ozment, Jason Silver and veteran Sameer Bhalotra pushing the White House cyber policy for Howard Schmidt, a key and illustrative point being made is that there will no longer be impunity for threatening critical infrastructure in the United States or stealing our intellectual property. Without this, there is no consequence for the relentless attacks by nefarious parties on our .com, .gov and .mil domains. Now that the Department of Defense has publicly stated that such activities will be considered acts of war, we are recalibrating the discussion on cyber threats that impact our national interests with the legal and political backing needed to reinforce the security experts fighting on the frontlines of this new war.
To successfully manage central oversight of smaller civilian agencies, the Department of Homeland Security requires the funding, staff and tools to effectively protect these agencies against sophisticated and persistent threats. With DHS gaining more authority and oversight, it is easier for the larger cybersecurity community to identify the appropriate personnel to engage with and that clarity is vital to set the direction of these activities moving forward.
Some concern has been raised on removing the emphasis on commercial, market-based cybersecurity products, thus giving the impression of a step back from reliance on market solutions. In my opinion, the market will be balanced with government solutions as well as commercial. There are several pilots that have proven new technologies in the commercial space will bring the government domains visibility and capabilities quickly. I believe this must be balanced with the government’s existing systems, leaving us with a layered hybrid solution.
Lastly, for the international aspect of this new war, understanding regulatory frameworks of jurisdictions outside the U.S. will be key, and there is no brighter mind than that of Melissa Hathaway to help us through this, and I hope to see her utilized in policy setting for the future.”
Jamie Dos Santos, president & CEO, Terremark Federal Group
“The president’s International Strategy for Cyberspace is an important first step for federal policy and international cooperation. However, it misses an important feature that must be included as the cyber world evolves: individual identity, credentialing and access management. To protect our critical infrastructure systems from cyber attack, protect our citizens from identity theft and protect potential victims from cyber crime, we must develop a verifiable system for accurately correlating online digital identities with real-world individuals.
Since Sept. 11, 2001, our collective energies have been focused on protecting our homeland with increased capabilities of determining who is entering the country, conducting illegal activities and coordinating with enemies of the state. We cannot let cyberspace evolve into the badlands for terrorist activities by ignoring this need to reliably identify bad actors.
Ironically, the U.S. federal government is a thought leader in identity technologies and is well-positioned to bring proven successes into consideration by our commercial financial, healthcare and information service providers. No single advancement espoused in the president’s International Strategy for Cyberspace would provide greater benefit to our own citizens than knowing that the people leveraging our critical technology infrastructures are reliably identified, accurately authenticated and duly authorized.”
Burke Cox, COO, Sevatec, Inc.
“The Obama administration’s recent release of two important strategies, the International Cybersecurity Strategy and proposed legislation for national cybersecurity, are critical efforts to engage the American public in the latest debate to manage the vastness of cyberspace. Just as we have national and international laws, treaties and agreements for maritime, airspace and outer space environments, cyberspace should be considered the highest priority for legislation and the development of case law. Cyberspace has such a significant role in the conduct of trade, the education of our people, and the way we work that it has become the underlying foundation of our daily lives.
What makes the debate over cybersecurity in this decade unique is the context within which it must take place. For instance, there are concerns over privacy, but privacy today is less understood because so much information about people, their activities, relationships and personal information is readily available ‘on the net.’
The complexity introduced by the Internet is here to stay and should be understood in context while debating the path to introduce a legal framework, both domestically and internationally. The legislation will take many years to develop and transform as the online world continues to transform our lives.”
Betsy Hight, retired U.S. Navy rear admiral, vice president, Cybersecurity Practice, HP Enterprise Services, U.S. Public Sector
“Symantec is very appreciative of the leadership shown by President Obama on the very important issue of cybersecurity. Today’s online threats are growing at a rapid pace and many of the recommendations — such as FISMA reform and sentencing guidelines for cyber crimes — are long overdue.
We are strongly encouraged by the initiative of the administration and Congress to protect the online livelihoods of all Americans and look forward to working with them closely throughout the legislative process.”
Tiffany Jones, director of public sector strategy and programs, Symantec
“The Chinese have a proverb about the longest journey beginning with a single step. Certainly, the administration’s International Strategy for Cyberspace is more than merely the first step. This important public policy document begins to lay out the basic parameters and important metrics of the new Internet. Our U.S. strategy insists that this infrastructure be ‘open, interoperable, secure and reliable.’ The document begins to lay out certain consequences if governments or nongovernment organizations diverge from these objectives. These consequences include military force. Further, the strategy defines certain ‘fundamental freedoms’ associated with the current and future Internet and strongly advocates evolving the ‘rule of law’ consistent with the recent Budapest Convention. Like the early 19th-century evolution of maritime law, there needs to be an international movement toward common ‘language’ of the new Internet.
There are a number of cultural sensibilities underlying this important U.S. attempt to move the international debate forward. America’s view on Internet policy comes from a uniquely American sense of democracy which includes an assumption of the separation of church and state and of personal privacy. But the nations of the world vary widely on these points. For example, in many respected democracies there is a known mingling of religious doctrine with affairs of state. These doctrinal issues impact that country’s view of appropriate content and access.
Even we in America continually grapple with their separation. At the very heart of the threat in our War on Terrorism is a fundamental religious viewpoint that most feel is misguided but nevertheless is real. In the privacy realm, there are a number of highly populous countries that do not define privacy or openness of the Internet as a fundamental right…quite the opposite.
As the G8 countries ponder Internet regulation this week, it is important that we begin this journey from rhetoric to action, but ultimately the evolution of international Internet policy has to embody pluralism, reflecting the diverse cultures of the world. To evolve an international rule of law we must start with an appreciation of the great range of issues and perspectives across the globe. The concept of the global village and the implied interdependencies has never been more real or important. I applaud the administration’s efforts to launch this necessary journey.”
Jim Payne, senior vice president/general manager, National Security and Cyber Infrastructure, Advanced Technology Solutions, Telcordia
“We applaud the president for his leadership in asserting a clear set of guiding principles for international cyberspace. The policy is broad, but specific in its purpose. It is critical for world leaders to realize that the time for coordinating international, public and private sector collaboration on cyberspace issues is now. The threats are real. The sophistication of cyber attacks is growing at an alarming pace, but can we effectively combat those who wish harm?
Sufficient evidence exists of entire organizations strictly focused on malicious acts and growing more and more due to the low entry barriers to this crime. Does the strategy sufficiently outline the consequences of violation, how the legal entities can prove the source of the compromise, how enterprises can effectively collaborate within standards and assurances that those standards are sufficient to protect? The strategy is an important step in the right direction, but there are still many other critical questions that need to be addressed. Above all, will competitive nations work together to protect our joint interests in commerce, security and shared freedoms?”
Denise Harrison, CIO, GTSI Corp.