Issue No. 06 - Nov.-Dec. (2012 vol. 10)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2012.155
Gary McGraw , Cigital
Howard Schmidt, former cyber-security coordinator for the Obama administration, discusses the differences between doing security work in the public and private sectors, the difficulties of establishing cybersecurity in the government, and how the actions of Anonymous and Wikileaks square with the notion of free speech.
You've served in both the public and private sectors as a security executive. Which one is harder, which one is easier, and what are the challenges?
Over the years, I've had people say, "I'm doing a book on government security for information security specifically," or "I'm doing one for the private sector, and I want to get your thoughts on that." Bottom line, when you look at the evolution of ICT systems, which is the international term we use, they've all evolved from somebody saying, "We need something to supplement a business unit, so let's put in a VPN connecter to the back-end network," or "We need a mail server over here, so we need some Web services over there." They all build the same way, whether you're in the government or the private sector.
The other commonality is that as this transition takes place, not many people say, "That's great, but how do we make these systems secure? How do we use them to protect privacy?" After everything is built, it's like, "Wait a minute, people are doing things that we didn't think they would do. Now we have to go back and fix that."
Let me dive into the private sector a little bit and just say Microsoft versus eBay. You worked at both—different cultures?
Very much different cultures in one sense and one sense only. Microsoft was about creating really great stuff for the masses, and the eBay experience was the flip side, with customers basically building the company. That's a lot different than selling software to an enterprise to run its business on.
But there's another distinction between the two on the consumer side. Back when phishing emails were just becoming popular, a lot of people who fell victim to them said, "You guys need to do more to protect me." It ended up flipping around to where we had an education requirement to get customers more to where they're better protected, in addition to the business model of posting and selling things.
Same question, but for the public sector—police department versus the White House?
When you look at law enforcement not only in the US but around the world, you have to deal with crimes against people, against property—even with somebody's barking dog. At the same time, in the constantly digital world in which we live, the evidence of some of these crimes is often found on a mobile device or a computer.
That's actually what got me focused on the security side of things. I've always been into technology. I built my first radio when I was probably 17 and my first computer in the 1970s. The technology has always been there, but how do you marry it up from a security perspective? For any police department, it's about investigating things and trying to do some level of crime prevention. For the White House, you have a set of constituents that is just unbelievable: the executive branch of departments and agencies, the legislative branch, and the judiciary branch. If you expand that out to the international footprint, not only are you dealing with the technology of securing things, but you're also looking at international policy.
What are some of the different norms in these constituencies when it comes to computer security?
That's the real question: how do you harmonize all those things? What we cherish here as a First Amendment free speech issue, other countries say, "Not so fast." People always talk about the power grid as being one big wire that's run everywhere and you can sort of tap off it. In reality, it's small companies, medium-sized companies, large companies, generating plants—it's all kinds of different pieces. Complicating that even further is the whole issue of industrial control systems, digital control systems, and SCADA systems.
I spoke with a group of control systems engineers about how things were going and how to build security in, and they said, "Great, but we already spent our capital budget, and we have nine years to go before we can replace our computers."
A lot of people don't understand the impact it would have on you, me, our family, our friends, everybody to change that model and all of a sudden say, "Okay, go out and retrofit everything because these devices weren't originally designed to work in a network environment." And those that were weren't connected to the Internet. The number to rip everything out and replace it is just staggering; I can't even begin to estimate it. But if you were to do that, what's going to happen to our electricity bills, to our services that use electricity? There's a cost, and you have to weigh it.
Everybody talks about public-private partnership. What's your opinion on that, having lived in the middle of it?
I think back to 1998, when President Clinton publicly released presidential decision directive number 63. It was during a graduation speech to a naval academy, and he stated that the government wasn't organized, the private sector wasn't organized, and the third thing was to voluntarily encourage the private sector to create information sharing and analysis centers, or ISACs. The financial services ISAC is the first one that got established. I was fortunate to work with a great team of people to create the first IT ISAC. Back then, we weren't quite sure how it would work. We knew we would have meetings with the government. We knew we would share information for threats and vulnerabilities and best practices among ourselves. But our companies weren't engaged in it, just the security professionals. It was like, "Don't let our business people find out we're talking."
But you could pick up your phone and call your counterpart because you had met him or her.
That's absolutely correct, and it's where the birds of a feather sessions made a big difference. If you look at the evolution of it, you start with the dry period, where private-public partnerships were all about meetings. But we've matured a lot since that time. One thing that was helpful in the past was the private sector saying, "Here's what we can do now that's fundamentally part of our business model. Here's what we're working on, and here's how long it's going to take us to do that." The government says, "Okay, well, here's what we need you to do now, and here's what you need to do in the future." It'll never be a complete 3D overlay that says, "Yes, you're doing the things we need you to do." It's always a matter of negotiation.
I have a little worry about that, though, because in my view the government is pretty far behind the private sector when it comes to building security in or any software security type of stuff. What do you think about the state of computer security in the government at large?
You're worried, I'm worried, a lot of people are worried about this. We have tremendous talent within the government, particularly the CISOs, but they're in high demand, and they often inherit something that was never designed for a small team to secure. The second problem is in the private sector, which has a fair amount of turnover. The saving grace is that, right now, there's better organization within the government. You can do a better job today of leveraging that great expertise without leaving a big hole someplace else.
How involved is the Obama administration in counterespionage? It's not as big a story as cyberwar, but certainly we've had some issues with the Google hacks and so on.
I think the government is always concerned from a whole number of layers. If you look at one end of the range as cybercrime and the other end as the espionage that has gone on since governments first existed, those are the boundaries in which we work. One thing that government focused on when I was there was the theft of intellectual property. How do we design and protect documents for aircraft, software, or the next great technology for mobile devices? It's really tough, particularly since the vast majority of it is generated in the private sector, through small startups and medium-sized companies. Obviously, I'm not speaking for the government, but when the government looks at all intelligence gathering, whether it's for commercial or government purposes, it needs to apply a lot of attention on all aspects of it.
But if you had to rank the three, cybercrime, cyberespionage, and cyberwar?
Cyberwar is just a term that's convenient for people to use; it doesn't necessarily reflect reality. Anytime you have a conflict, communications, command, and control is a core piece of it, so it goes back to the old days when people were climbing up telephone poles and clipping wires. Going after command and control using cybertechnology during a conflict, that's reasonable—anybody would expect that. I think cybercrime is a major issue, but the theft of intellectual property is still a crime, so it's hard to rank them.
You took a thankless job that was at the same time critically important—someone once called it the "cyber bag holder in chief." Does the shift of your position to Michael Daniel, who's a member of the intelligence community, seem like the right way to go?
Michael is a great guy, and I see this almost like a startup, where you start with an entrepreneurial-minded CEO who comes in, takes something, gets it up to a good place, and then you turn it over to a business guy to run.
So you see him as kind of an ops guy?
He's the guy who will build the next generation. We had to do some basic blocking and tackling when I started—that was important. We had tremendous talent, with people from law enforcement, from intelligence, from Homeland Security, and from Commerce. Michael now has the ability, the expertise, and the intellectual capital to take that to the next level. I don't see anything changing. All I was doing was helping to guide the ship; I'm not the one who barks out orders.
You reported to the national security advisor with a dotted line to the national economic council, which caused an interesting kerfuffle in the beginning. Did that work?
It did, and that's one of the things that I think put us on a different level when we started putting this office together. You can't just do national security and ignore the economic impact, and you can't do the economic and trade side without taking into account the national security side of it. So the ability to wear two hats, to be able to sit in a meeting and say, "Great idea, this will make us more secure, but here's the negative impact on the economy, here's the negative impact on business relationships, here's the negative impact on international trade," to bring these perspectives together and get people thinking about this with the backing of the national security advisor, the national economic advisor, and ultimately the President, is not about imposing your will on somebody who says, "Go do this." It's about how we solve this really complex problem by getting all the smart people together and figuring out a consensus to the extent that we can, to move forward.
I guess it's partially getting your hands around the threat, too, right? Because if you look at it from an intelligence perspective, a threat may seem completely different than when you look at it through an economic lens.
When you look at a threat, it's traditionally extremely successful because of the vulnerabilities that our systems express. That's one of the challenges. I've been told by really sharp people that about 80 to 85 percent of successful intrusions and subsequent exfiltrations of data have occurred because somebody wasn't practicing basic good hygiene. If we could collapse that down a little bit, we could get into really hardcore threats that we need to worry about from a national security and economic perspective and get a better handle on them.
What are the main security challenges that a government faces when it's dealing with a threat like Anonymous?
When you look at any group that wants to become a hacktivist, you look at their motivations and think, "Wait a minute, that's the same thing that's constitutionally protected, only with one exception." When you start committing crimes, it's a different scenario. We have freedom of speech, but it's not free enough to yell "Fire!" in a crowded theater. Those things have been worked out in the physical world, but when you start getting into the online world, it's one of the many ways people get their voices heard. Free speech should not involve committing crimes or hurting individuals, because a lot of cascading effects can happen. For example, look at what could happen with a DDoS [distributed denial-of-service] attack on a particular government website that has people waiting for their paychecks. A lot of cascading effects can happen that people attacking a system to "help other people" just don't think about.
It's the difference between having an adult dialogue and a childlike dialogue when you have a difference of opinion.
That's a perfect description. I found a picture when I was moving from when I was in Osan, Korea, with the Air Force. We're all carrying pictures of Martin Luther King. It's 1972. We were on a military base, marching in memory of Dr. King. When you start looking behind the scenes, a lot of things led up to that moment that basically weren't good, including people being injured, but it got us to a point where we were more cognizant of the way we should act in society, and I think at some point, we'll get a better handle on the way we need to act online. The cyber domain is new enough that we haven't had societies growing up with it as we've had with the physical world.
What can we do to shift the government away from computer security as a compliance exercise that really amounts to a bunch of box checking?
There's a compliance component created by Congress in the Federal Information Security Management Act that says, "You must do this." Back when I was at the White House, we saw that checking the boxes and creating a mountain of paperwork meant you could be FISMA compliant and still be insecure. Instead, we wanted to flip that around so that by becoming secure, we become FISMA compliant.
This compliance issue is not only about the government; there are also some industry standards that, if you turned them around, might actually be useful. Sometimes, though, they just amount to pretend security or making people feel like they're secure.
That's correct, and that's where we start looking at some of the ISOs and PCI standards. The SEC recently came out with some guidelines that say you have to take into account cybersecurity issues and the value of the company. Consequently, you have to have that mindset that says, "Great stuff, we're going to provide it, but we're going to provide it securely and protect privacy."
Without security, you have no privacy—the data goes to whomever. And there's so much data out there. I used to joke before I went to the government that we should just create a law that says, "Everybody's Social Security number will be publicly available and not used for identification." Let's redo the system.
We could do that with credit card numbers, too. There are only six or seven that haven't been stolen yet, so we might as well just publish those and get it over with. But what about trying to remain anonymous when strong credentialing is the norm?
Strong credentialing has to be by choice. Look at the Arab Spring last year—people should be able to publish things that in other people's minds are controversial, but they should be able to do that anonymously. On the flip side, if you're booking a trip, you should be able to use a separate credential that isn't tied to an anonymous credential.
I'm optimistic that we've made great progress in software security in the past 10 years, especially in the private sector. Do you share that optimism, that sense that we're moving forward in security?
I've been criticized for being an optimist. I have, like you, watched the evolution of software, from someone just throwing it out there and, if it doesn't work, saying they'll fix it later, without much attention paid to security. It's far from perfect—we're still seeing old things like buffer overruns and libraries that were out there 10 years ago being compiled, but we're much better now. There's a defined process on how to do this. A new generation is growing up that says, "I'm going to develop the next really cool app that protects privacy and is secure at the same time." It's actually possible, and that's why I'm so optimistic.
The Silver Bullet Podcast with Gary McGraw is cosponsored by Cigital and this magazine and is syndicated by SearchSecurity.
Gary McGraw is Cigital's chief technology officer. He's the author of Software Security: Building Security In (Addison-Wesley, 2006) and eight other books. McGraw has a BA in philosophy from the University of Virginia and a dual PhD in computer science and cognitive science from Indiana University.