Emerging Threats? Agency CISOs Stuck on Old Problems
A theme quickly developed at a Tuesday event at which chief information security officers for federal agencies discussed emerging threats: Nobody is focusing on them. CISOs remain preoccupied with known problems like poor worker training, an explosion of service-oriented architectures, and add-on security to systems not built with security in mind, they told the Information Technology Association of America’s annual CISO workshop in Falls Church, Va.
Organizations’ boundaries are blurring and so are their software applications, which “could very well now announce themselves as a service to the world” over the Internet, said Commerce Department CISO Michael Castagna. “How many seams are we going to open up” by, say, mashing up sales data with Google Maps, he asked. Declining storage costs, increased outsourcing and expansion of devices with IP addresses are opening new threats, said Ed Roback, Treasury Department CISO. “Internal competency” is his biggest worry for keeping data away from unauthorized users, he said.
Quantum computing will pose a risk, especially for the government’s Advanced Encryption Standard cryptography, said Patricia Titus, Transportation Security Administration CISO. A more mundane task is for agencies to find vulnerabilities built into firmware they buy from vendors, she said. Amid a “massive technical refresh,” agencies must know better than their hacking antagonists where holes could be, and that means pressing vendors to make systems more transparent, Titus said.
The “rush to production” of many applications, by programmers who “don’t necessarily take security into consideration,” tends to undermine security professionals’ gains in perimeter security, said Patrick Howard, Department of Housing and Urban Development CISO. The rush includes inadequate testing, which can backfire, particularly for government entities. “You can’t just patch things like this. This is custom code we're talking about,” not off-the-shelf applications with common fixes, he said. Castagna warned that testing is “just a point in time” and depends heavily on the tester’s competence. He rattled off a list of worries: Client-side attacks, botnets and IT security issues in IPv6, such as autoconfiguration and tunneling, not to mention virtualization, voice and data convergence and applications that run from a mobile device like a USB stick. “I just implore industry to stop creating portable media,” Titus joked.
Agency management rarely listens to pitches by information technology staffers, so they must sneak in improvements, Howard said. Technology modernization efforts that have already been approved should include state-of-the-art security systems, or else “you got a real strong likelihood of being shot down” in asking for security expenditures a la carte, he said. Staff with technical backgrounds, such as Titus has, have trouble conveying the importance of security in business language, so they must convince higher-ups that it costs more to clean up a security breach than to buy new systems, she said.
Audience members questioned whether anything CISOs discussed was truly “emerging,” as the panel was advertised. One said that outsourcing software development and nanotechnology pose future risks, and another called the threats raised by CISOs “hype” -- after all, “virtualization” is just a new form of partitioning. Dennis Heretick, Justice Department CISO, acknowledged that so-called emerging threats usually are well-established by the time the government learns of them.
Agencies need a “parallel track,” perhaps a 10-year plan apart from their 5-year strategic plans, for managing technological security so they're not just “firefighting” known threats, Titus said. TSA has done this well because it’s a young agency, she said. Castagna said agencies are busy enough in “basic blocking and tackling,” with budgets ill-equipped for heavy research into new threats. An audience member suggested asking universities to do the R&D, because they're not focusing on market success.
Titus said she scares off some contractors who offer a service by asking to see the service installed on the vendor’s own network. “That way I know that you've been able to go through that implementation planning, and I know what you're talking about,” she said. The alternative is requiring every business partner to follow the same Federal Information Security Management Act rules as agencies. “This is a pretty easy sell” if vendors can show they're FISMA-compliant, she said. -- Greg Piper
ITAA CISO Workshop Notebook…
Greg Garcia, the Department of Homeland Security’s top cyber official, is relishing the congressional spotlight despite the negativity of questions he has faced in hearings over the past two weeks, Garcia said in response to our question. Garcia -- who created the CISO workshop as an ITAA official before his jump to DHS -- will testify Wednesday in the House for the third time in October, including his second time in the House Homeland Security Cybersecurity Subcommittee. Once describing his job as assistant secretary for cybersecurity and communications to a confused lawmaker as “outreach” (WID Oct 24 p1), Garcia said in a keynote that Congress was just another target audience for his gospel. “I am heartened, and they should be asking hard questions,” since cybersecurity concerns all government and private organizations, not just DHS and its role in coordinating other agencies. He rattled off the DHS cybersecurity office’s work the past year, including writing an IT security “essential body of knowledge” (EBK) document and designing a self-assessment tool for control systems, and finishing sector-specific cybersecurity plans, which are the subject of Wednesday’s subcommittee hearing. A software assurance EBK is due this year from DHS. The Lessons Learned Information Sharing portal, a restricted-access, peer-validated site offering best practices for emergency response and homeland security officials at llis.gov, recently went live, he said. Cyber Storm 2, the March followup to DHS’s first cyberattack simulation exercise with government and private partners (WID Sept 14/06 p5), has been in development for a year and will involve 150 organizations, Garcia said. The Einstein network analysis tool developed by DHS, which reduced from 4 to 5 days to 4 to 5 hours the time needed to gather and share cyber incident data, has been adopted by 13 agencies, and DHS plans to cover all cabinet-level agencies “as soon as possible.” Agency incident reports to the U.S. Computer Emergency Readiness Team jumped from 5,100 in FY2006 to 13,000 in FY2007, partly from “greater situational awareness” by agencies but also from continued economic opportunity for the organized crime behind today’s hacking, which is bigger than the illicit narcotics trade at $100 billion a year, Garcia said. The federal line of business program for cybersecurity now includes 45 agencies in task forces developing common training, reporting and incident response standards, he said. “We're going to have a very busy year going forward,” because “our adversaries’ desire to harm us continues.”