Clarity and Execution: The Next Steps in Cyber-Security

by Blake Harris / June 3, 2004
Paul Kurtz is a former special assistant to the president and senior director for critical infrastructure protection on the White House's Homeland Security Council (HSC). He was responsible for developing the White House's strategy for protecting critical physical and cyber assets across the U.S. economy. Before joining the HSC in 2003, Kurtz served on the White House National Security Council (NSC) as senior director for national security in the Office of Cyberspace Security, and was a member of the President's Critical Infrastructure Protection Board, where he developed the National Security and International Cyberspace Security Cooperation section of the President's National Strategy to Secure Cyberspace. Kurtz currently is executive director of the Cyber Security Industry Alliance, a public-policy advocacy group composed of security software, hardware and service vendors addressing key cyber-security issues.

Q: Given your extensive experience dealing with national cyber-security issues, what is your assessment of the current state of cyber-security?

A: A couple of thoughts come to mind. First, I would say the cyber-attacks we are seeing are increasingly sophisticated. They are multipronged. They morph. They spread more quickly. And they are causing significant damage in terms of downtime and having to rebuild systems, and in terms of the loss of intellectual property and identity-related information -- in other words, identity theft. So the gravity or severity of what's going on is increasing.

My second point would be that while there is an increasing awareness that we have cyber-security problems, there is little understanding of what to do about it.

Q: Based on the viciousness of the attacks we are seeing, are the attacks exploiting vulnerabilities at a much faster rate?

A: Speed of propagation is one issue. Then there is the virus writers' ability to identify and take advantage of a vulnerability -- that period of time is going down as well. I think this is occurring because virus writers are starting to take advantage of technology to improve their capabilities. For example, they are sharing files in peer-to-peer networks in what you might call the underground.

Q: That computer underground has existed for many years. In your assessment, is this expanding and becoming more sophisticated?

A: Yes. Which gets back to the second point I made. Now people are talking about cyber-security problems, and there is a heightened sense of awareness about this. People on the street are aware cyber-attacks are taking place. They are concerned about it, but there isn't an understanding about what to do. There is confusion at multiple levels. There is confusion at the large enterprise level. There is confusion at the small- or medium-size enterprise level. And there is confusion among home users as to exactly what they need to do. The Cyber Security Industry Alliance would like to bring clarity to the situation -- not simply increase awareness of the problems, but increase understanding about what can be done to make systems more secure.

Q: It seems to me this increased understanding would require a better differentiation of the threats so reasonable strategies could be adopted based on security concerns.

A: To be frank, it would be extremely difficult to educate all users on the nature of threats and how they are evolving. Things are moving too fast. I think they will always move too fast. You have to create a level of understanding and offer solutions to those in a position to affect overall security. That means working with large enterprises, Internet service providers, governments -- federal, state and local -- and large educational institutions to improve cyber-security. In other words, it is going to be difficult to educate 250 million Americans -- not to mention the rest of the world -- on what they need to do every day to secure their systems. So I would argue that a vast majority of this is going to need to be built in. That doesn't mean we ignore the issues or we don't need good cyber-citizens -- people who understand more about appropriate use of computer systems and that you don't download attacks into your system and launch them against your neighbor. We also need to work on that educational component, but I think most efforts need to focus on raising understanding in large enterprise systems.

Q: Which comes back to the point you raised about the urgent need to reduce confusion about what to do.

A: Yes. And let me clarify what I mean by that. A lot of good work has been done over the past several years by organizations seeking to raise awareness of cyber-security problems. These organizations have put ideas, recommendations and solutions on the table. For example, several sets of best practices related to cyber-security have been proffered. But we now have so many that there is confusion as to which best practices to follow, so that is one area where the Cyber Security Industry Alliance would like to assist. By working with others, I think we could come up with a common set of security practices that gives a baseline for adequate security, rather than having 50 sets of cyber-security best practices. Obviously, sector by sector, you might also have more specific things that need to be done.

Q: Many government agencies turn to security consultants, which can add to the general confusion, since consultants have their own approaches and views. That isn't meant to badmouth security consultants or lessen the value of their expertise.

A: Sure. And while I'm sure most of them are well intentioned, I think consumers are left with confusion as to what exactly they need to do. Take another area for example, the legislation that currently exists: Section 404 of the Sarbanes-Oxley Act and HIPAA -- the Health Insurance Portability and Accounting Act. Both have sections that relate, at least indirectly, to information security and information assurance. There isn't a great deal of clarity out there on what it means to comply with those two pieces of legislation. Additionally there is a third piece of legislation -- the Gramm-Leach-Bliley Act. Banking and finance sectors are most affected by Gramm-Leach-Bliley. And here, in fact, there has been some progress in determining what compliance should entail. But generally speaking, I think much more clarity is needed. That is a role the Cyber Security Industry Alliance, working with others, can play: to help clarify what it means to comply with these pieces of legislation.

A third area, though perhaps not strictly a confusion, is looking at all the recommendations put forward over the past several years. You have the President's National Strategy to Secure Cyber Space. I think it's a good document. Of course, I had something to do with it. And you have entities like the National Information Assurance Council [NIAC], a presidential council initiated by President Bush where a myriad of cross-sector industries is working on issues. They have just put together a set of solid recommendations on how to improve vulnerability disclosure. And there was the National Cyber Security Summit held in December. There, we had a series of working groups that are now relaying their findings to the Department of Homeland Security and the public. Additionally you have Congressman Adam Putnam, chairman of the House technology subcommittee, who put together working groups that issued a series of recommendations.

So take those three or four efforts, just as an example, and there are lots of recommendations. Yet are we capitalizing on all the good work that's been done? Are we seeking to take all these recommendations on the table and bring them to fruition, actually making them happen? Part of the problem has been that we have not sought closure on the recommendations. We have not tried to execute on them. This is where the Cyber Security Industry Alliance can work to help drive the process forward. We think we are uniquely placed to focus on cyber-security 24/7, not necessarily to create new initiatives, but to capitalize on what's been done -- raise the overall bar in terms of understanding and executing many of these cyber-security recommendations.

Q: Can you elaborate on what you mean by execution?

A: A good example is the recent report from the National Cyber Security Summit's working group on information security corporate governance. They issued a series of very solid recommendations. One recommendation is to encourage corporations to post their information security policy on their Web sites, similar to the way organizations post their privacy policy. That is a good idea. And they have offered a template, if you will, of what might be included in that policy. But they haven't stated this is what must be in the policy. They are leaving it to corporations to define.

This is an area where the Cyber Security Industry Alliance, working with other organizations such as National Information Assurance Council or whomever, can help get that pushed through and adopted widely. Another area is in vulnerability disclosure. Once again, the President's NIAC has put solid recommendations on the table, and it is worthwhile to try to drive forward on those recommendations.

Q: Regarding vulnerabilities, is it part of your objective to try to improve software so there are fewer vulnerabilities?

A: The National Cyber Security Summit had a working group that looked at software assurance, and they came up with some recommendations. The Cyber Security Industry Alliance will obviously look at those recommendations, but we are not going to focus primarily on improving software.

All folks out there producing software need to look closely at their quality control, if you will. Microsoft and others are taking a very close look at this to work out how they can do better. We will hopefully see that manifest with Longhorn when it comes out in '05. But from our perspective at the Cyber Security Industry Alliance, we realize there are always going to be imperfections in software systems. This is why the alliance is unique. No matter how secure Microsoft or another operating system might be, even an open source system, we are still going to have glitches. We are still going to have people try to exploit those vulnerabilities and problems.

This is why the security industry is so important, because we are going to think 24/7 about how to protect these computers. How do we protect these information systems -- not only those that support our critical infrastructure, but also those that are supporting small- and medium-size businesses, and even down to the home user? That's where we want to focus our energy.

Q: Can you describe the Cyber Security Industry Alliance a little more fully?

A: Today we sit with 13 members, all of whom have substantial business lines related to cyber-security or whose core business is cyber-security. For example, Symantec, Network Associates, PGP, Computer Associates with their eTrust, and RSA. I won't mention them all.

The CEOs of these corporations decided they needed to come together and speak with a common voice on cyber-security public-policy issues. Our goal is to push forward cyber-security public policy, and also raise understanding and awareness so the overall cyber-security situation improves. We are not seeking to go after the federal dollar or secure more federal contracts for our members. They are quite capable of doing that on their own. Our focus is more on public policy. How do we bring clarity to existing legislation? How do we execute on it? How do we work on vulnerability disclosure? How do we improve research and development in cyber-security? How do we improve corporate governance in relation to cyber-security so it benefits users at all levels?

Q: I assume part of your mission is to make sure the public policy is actually going to accomplish what it sets out to accomplish. It is possible for us to head in the wrong direction on this as well.

A: You are quite right. For example, there are some very good, well-intentioned efforts on the Hill to address specific aspects of cyber-security, such as legislation on spyware. It is well intentioned, but what would the ultimate effect be if that legislation were implemented? At the end of the day, would it stifle innovation? Would it be cumbersome to the users you seek to protect -- cumbersome to the point that they put a work-around into place? What impact would it have on the cyber-security industry? What impact would it have on the cyber-security vendors and their ability to do their jobs efficiently and quickly? Spyware is an area where we definitely want to work with the Hill. But we want to do it in such a way that it doesn't complicate matters in the future, and so the net effect is not to set us back rather than move us forward.

Q: Which goes back to assessing the risk. All threats are not of the same level and magnitude of concern.

A: There is truth to what you are saying. There are certain systems that must be as locked down as possible because they support critical infrastructure -- such as in the finance, transportation, or energy industries -- or they contain vast amounts of individual information. We need to ensure we are taking greater steps to secure those systems because the potential loss is so much higher.

Some systems are not as critical. If they go down for a short time, it won't have such a serious effect. So that involves differentiating between these systems.

There has been good work done in that area. The Office of Management and Budget, working closely with NIST [National Institute of Standards & Technology], put together some guidelines on assessing this. Once again, going back to what we're about, what is needed is to capitalize on all the good work that has been done out there, driving it to closure or fruition.

Q: That means large enterprises, including governments, must have far more savvy in terms of what they need to protect and how they need to protect it.

A: Exactly. People know there is a cyber-security problem. They are clear about that. But when you step into the executive suites of many big corporations, for example, the understanding of what to do about it is not as clear. That is where we need to focus. We need to raise the overall level of understanding and offer that roadmap of how they move forward in cyber-security and how to measure success.

Q: What can local and state governments expect to see from the Cyber Security Industry Alliance? How do they utilize the work you do as you move forward?

A: It is a combination of things. One is pushing forward in the area of information security corporate governance -- encouraging corporations to establish and adopt policies about their information security posture. You'll see us move as swiftly as we can to offer guidance in the area of compliance with Sarbanes-Oxley Section 404. Of course, this is not something the alliance can do on its own. We obviously have to work with accounting firms and others to put together that guidance.

Also, we would like to work on establishing an R&D agenda for cyber-security. Right now the federal government doesn't have a common R&D agenda. The Department of Homeland Security is looking at this. The Office of Science and Technology Policy has looked at this. The Department of Defense has, if you will, its cyber-security R&D agenda. But there isn't a common agenda that has been proffered on the Hill that says, "Look, we think these are the top 10 things that need to be addressed. And to maintain our edge in IT and move ahead down the line, this is where we think cyber-security funding would be helpful." That's the kind of thing we can bring to the table. So local and state governments can keep an eye on our Web site.

And we will be launching a modest newsletter midsummer that they will be able to sign up for on our Web site to stay informed about our progress.

Q: Much of the focus here has been on the United States. But as everyone knows, there are no borders in cyber-space. If there is confusion nationally, that is even more exaggerated internationally where you have many different priorities and policies in different countries. Some aspects of cyber-security can't be approached at just a national level.

A: Absolutely. While most of our discussion has been focused on the United States, I don't want to be misunderstood. We want to become the global security industry association. Currently we do not have firms based overseas, but we are interested in developing a global membership. After all, we have a global information grid. And there are solution providers overseas just as there obviously are people launching attacks from overseas. At the end of the day, we need to work not only here in the United States, but also with partners all over the world. That is very important, especially when you look at the privacy issue in Europe -- how they are handling it there versus how we are handling it here -- or in Asia, which is now developing its privacy policies. It is important we do our best to try to link all this together. I believe the Cyber Security Industry Alliance with a global membership can be a positive force to help formulate effective and workable policies internationally -- what will improve cyber-security as we move forward.

Blake Harris, Contributing Editor