May 11, 2004 By Blake Harris
"Cyber-security cuts across all aspects of critical infrastructure protection," said Homeland Security Secretary Tom Ridge in a statement about the National Cyber Security Division's launch less than a year ago. "Most businesses in this country are unable to segregate the cyber-operations from the physical aspects of their business because they operate interdependently."
At their core, cyber-security challenges have not changed much in recent years, save for perhaps the increased sophistication of some attacks. Following the horrific events of Sept. 11, 2001, the Computer Science and Telecommunications Board of the National Research Council revisited its reports relevant to cyber-security from the last 10 years. According to its review, Cybersecurity Today and Tomorrow, issued in 2002, "Not much has changed with respect to security as it is practiced, notwithstanding further evolution of the public-policy framework and an increase in our perception of the risks involved."
Now with a broad policy framework and an oversight body in place at the federal level -- and with many significant cyber-security initiatives under way at the state level -- the fundamental question still remains: How secure is our cyber-infrastructure, and what must we do to make it more secure?
William Pelgrin, director of the New York State Office of Cyber Security & Critical Infrastructure Coordination, argues that nothing less than broad cultural change will alleviate many of the more serious cyber-security concerns.
"I don't want to stereotype everybody in this, but when you have kids growing up -- some of whom believe they have a right to download pirated software, or when being a 'script kiddie,' passing along viruses becomes almost a rite of passage -- you really have to look at it as a cultural problem," Pelgrin said.
"If we don't get down to the kernel of cyber-ethics and cyber-security in technology -- if the right use of technology does not become as second nature as buckling your seat belt -- we are going to sink deeper into the kind of situations we find ourselves in today," he continued. "We could easily become virtually a patch management society as far as cyber-security is concerned."
In overseeing one of the most progressive and far-reaching cyber-security operations of any state, Pelgrin sees limitations in what government entities can do on their own.
"Responsibility for cyber-security ultimately comes down to individual responsibility," he said. "It should not be centralized. For example, in New York state, agencies have their own information security officers. Each agency is responsible for the cyber-security within that entity. My job is to provide more guidance and oversight relative to moving that forward."
It is the very nature of cyber-space that necessitates this approach. The National Strategy to Secure Cyberspace, a report issued by the Bush administration in 2003, recognizes the difficulties posed by the Internet's distributed nature. "Most critical infrastructures, and the cyber-space on which they rely, are privately owned and operated," the report stated. "The technologies that create and support cyber-space evolve rapidly from private-sector and academic innovation. Government alone cannot sufficiently secure cyber-space."
So official administration policy is to rely, at least in part, on American citizens, according to the National Strategy. "Every American who can contribute to securing part of cyber-space is encouraged to do so."
However, Pelgrin, along with others charged with cyber-security at the state level, goes beyond this. They argue that without the active participation and awareness of all Internet users, adequate cyber-security will be impossible.
In the view of some state officials, a concrete program to expand the existing cyber-security umbrella at federal and state levels, down to local governments, and out to businesses and citizens is still needed. But with ever-improving cyber-security initiatives at the federal and state levels, one concern is that other entities may become less vigilant.
"My worry is that if people lose sight of the fact that they are responsible, you are going to become more vulnerable, not less," Pelgrin said. "That responsibility has to stay localized, and I say that across the board. Government's role relative to outreach and awareness is absolutely critical. But if someone breaches the security of citizens at home or in a business, they aren't going to be able to call the cyber-police the way you would call the police in a physical break-in."
As with any security undertaking, there will never be 100 percent security assurance in cyber-space, so efforts must be directed at mitigating risks.
"The threats are numerous and come from three main vectors," said Larry Brennan, information security officer for the Iowa Department of Administrative Services. "We borrow this from Homeland Security. First, there are natural disasters. A lot of people don't understand that natural disasters can have a great impact on IT systems. Then there are unintentional man-made disasters. And finally, there are intentional man-made disasters. Our approach is to apply risk management to all three and see what we can do with the resources we have."
Focusing just on the high-profile attacks can be a big mistake, according to Brennan. "We don't really rate threats based on whether they are intentional or not," he said. "Damages from the loss of services that are critical to citizens can have a severe impact whatever the cause."
In Brennan's view, all cyber-security should start with a sensible strategy to mitigate damage wherever possible. "We approach it from the concept of defense in depth. Or to put it simply, from the view that it is better to be an onion than to be an egg. An egg doesn't have defense in depth. It has a hard outer shell, and once you penetrate that hard shell, it is all soft and squishy inside. You can get around inside with no difficulty. Whereas an onion has layers. So when we address critical systems, we find out where we are weak. Then we put appropriate layers of protection around those where we can."
Cyber-security is an ongoing process that requires constant evaluation, awareness and up-to-date information sharing among users and system administrators, he added.
For this reason, Brennan was responsible for Iowa's joining the Multi-State Information Sharing and Analysis Center (MS-ISAC) hosted by the New York State Office of Cyber Security & Critical Infrastructure Coordination. The MS-ISAC provides a state-based central resource for gathering information on threats. It seeks to provide a mechanism for two-way information sharing among states, and eventually with local governments. Currently 49 states and the District of Columbia are participating. Given the current environment, intentional attacks are the main focus of states and the MS-ISAC's monthly meetings.
"We try to stay pretty low to the ground to listen to what is happening in the cyber-underground," explained Mel Mireles, director of Enterprise Operations for Texas' Department of Information Resources. "Then we get that information out to our government and share it with other states."
Such intelligence gathering is predicated on the notion that intentional cyber-attacks will not abate anytime soon. "When it comes to cyber-security," said Mireles, "there will always be people out there who think they know more than anybody else, and that they can develop some script and bring down the Web. Luckily that hasn't happened yet, although there have been some close cases."
Another priority in Texas is connections with critical infrastructure. "As you go around the country, you see a lot of security efforts focused on critical infrastructure," added Mireles. "Well, I tell you that if there is a physical facility, guess what? There is probably an automated system that controls that infrastructure. In this country, we rely so much on automation, it is just unreal. So if I'm a hacker, and a port in there broadcasting allows me to take access, I can work to try to hack into it and take control of that thing. If I'm successful, now I own it."
To better prepare for this eventuality, Texas began organizing tabletop exercises with first responders, EMS, local governments, and local FBI and Secret Service that simulate cyber-attacks that impact critical physical infrastructure.
New York state's cyber-security activities are now also firmly tied into physical security efforts. "I think because the World Trade Center had huge cyber-consequences -- knocking out phone and Internet services in the area -- we understood very quickly there was that relationship," explained Pelgrin. "And because of this, right from the get go, we partnered with our Office of Public Safety, which is responsible for physical security. That has been a wonderful relationship. So I'm privy to the physical stuff that goes on, and they are always privy to the cyber-stuff going on. You never know when there is a piece of that mosaic or puzzle out there that looks unimportant from a cyber-perspective, but could be very important from the physical perspective."
Now New York state's cyber-monitoring center has a geographic component that allows officials to rapidly assess the impact any cyber-event might have on critical physical infrastructure.
Linking cyber-incidents in real time with potential physical consequences is a challenge many states are only beginning to tackle. Nevertheless, even given the importance of this while moving forward, both Pelgrin and Mireles agree that the paramount cyber-security issue continues to be user awareness. "With the recent viruses like MyDoom, Netsky, all those variants that co-existed in the wild since Jan. 26 this year, there would have been far less impact if more end-users had a higher degree of security awareness," said Mireles. "Even the simple thing of knowing that if you see an e-mail you don't recognize, don't open the attachment."
The Human Factor
A lack of user vigilance is often the greatest weakness of cyber-security efforts. Recognizing this, virtually all state governments have some form of security awareness program. The same is generally true for federal agencies. But when it comes to local governments or businesses, this is often not the case.
In September 2002, the Human Firewall Council, a group of professional security practitioners, introduced an online survey called the Security Management Index. The vast majority of organizations taking the survey failed to meet minimally acceptable standards for managing security across their enterprise, according to the council. In fact, most organizations scored a failing grade in all but one of the 10 key security areas -- physical security.
"We appear to be losing the battle to secure our organizations properly, even as reported security vulnerabilities and incidents have been increasing at an exponential rate," the council's 2003 report noted. "Organizations worldwide are more vulnerable to inside and outside attacks than ever before, and the cost of security breaches continues to escalate."
Public Awareness Programs
The National Strategy firmly calls for a public/private partnership to meet the challenges of cyber-security. New York state started such an initiative in 2002, through a cyber-security task force organized by Gov. George Pataki and chaired by Pelgrin.
Here, the first priority was to bring together multiple sectors within state government to discuss problems and general vulnerabilities. "But my concern was that this was just going to remain with those entities at the table," said Pelgrin. "In my view, we needed to reach out and spread the word if the needed cultural change ever had a chance of success."
So the next stage was to bring in what Pelgrin described as major players from a number of different sectors -- financial institutions, insurance companies, educational institutions and telecoms -- to share information and strategize as a group about how to better protect New York state.
This was then expanded to include medium-size companies. And finally, Pelgrin began to consider how to reach local governments, and even mom and pop stores and home users.
"We looked at the problem as a series of concentric circles," explained Pelgrin. "The last outer ring is probably the toughest problem, because no matter how hard you work and no matter how many incredible hours you put in, you are never going to physically touch everybody.
"The goal has to be raising the bar for everybody. Larger organizations generally have the resources to hire their own cyber-security specialist," he continued. "But when you go around the state talking to local governments, you discover that often, the city clerk is also the IT person, as well as wearing many other hats. And for many of these people, when you start talking about applying a patch, they start looking for the duct tape. They simply don't know what you are talking about."
One solution Pelgrin has pursued -- first as a state project, then as a project under the auspices of the MS-ISAC, and finally under the umbrella of the National Cyber Security Summit task force on state and local government awareness -- has been to arrange for different vendors to produce generic, nonpromotional webcasts on different aspects of cyber-security. Microsoft has now completed the first of these webcasts, and at press time, it was scheduled to go into limited testing.
"Initiatives like this are part of an effort on the part of industry and government to improve public awareness around computer security," explained Microsoft spokesperson Keith Hodson. He added that Microsoft was delighted to participate because of the importance of fostering a more informed view of the security landscape and today's threats.
However, Mireles argues that while valuable, webcasts alone will not bring about the broad security awareness necessary. "Personally I think you touch most people in two ways," he said. "You are going to touch a big spectrum through television. And you are going to touch the other spectrum through radio. If we are really going to leverage the resource and the communication channels we have in this country, we have to use the broad media."
To achieve this in any significant way, Mireles believes it will take federal funding to pay for airtime. "That's where I would look back at Department of Homeland Security and say, 'Either you fund it and distribute it, or you fund it through the states and allow the states to distribute it in major metro areas.' That is something I am adamant about. Otherwise, we are chasing our tail."
The National Strategy identifies five national priorities, one of which is a national cyber-security awareness and training program. It calls for the DHS, working in coordination with appropriate federal, state and local entities, and private-sector organizations, to facilitate a comprehensive awareness campaign.
The dimensions such a campaign should take, however, are still being debated. Meanwhile, the undeniable fact is that a great many users don't know how to protect themselves or to help protect the cyber-infrastructure they are plugged into.