The Plunge into Cybersecurity - What Does it Mean for Us?
An In-depth Discussion with DHS and DOD Officials
We picked up some of the key issues mentioned in the report and talked to two senior government officials to get a better understanding of the work already going on in these areas, and where the policy challenge lies. We first spoke with Doug Maughan, Program Manager, Cyber Security R&D Center, Department of Homeland Security (DHS), Science and Technology (S&T) Directorate, and then with Dan Risacher, Associate Director, Information Policy, Office of the Assistant Secretary of Defense (Networks and Information Integration), at a conference organized by Meritalk, where both were speakers for sessions on issues related to innovation in technology and the federal government.
We need to acknowledge the extent of the cyber-threat from the outside world
President Obama, in his address, highlighted the fact that in today's world, acts of terror could come not only from a few extremists in suicide vests, but from a few keystrokes on a computer. Unfortunately, even in today's cyber-age, a lot of people do not realize that the cybersecurity threat is as real as the terrorist threat that President Obama described. Also unacknowledged is the fact that an act of malice in cyberspace could cause a lot of damage in the physical world, ranging from electricity outages and traffic accidents on the ground and in the air, to deaths of our soldiers on the battlefield. Doug Maughan acknowledges that we need to be prepared for threats to our internet infrastructure coming from anywhere, including rogue states, hackers, human errors, and others. He talked about the Pakistan YouTube incident from last year (2008), "where Pakistan telecom in trying to cut off access to YouTube internally within the country, basically cut off access to YouTube for the entire internet".
Around 24 February 2008, the Pakistan telecommunications ministry directed Pakistan Telecom to block YouTube.com. Pakistan Telecom then effectively told the rest of the world that it was the correct destination for anyone typing in YouTube.com. When a user types YouTube.com into a browser, the browser first looks up a number that represents the address for YouTube. This address, called the IP address, is then passed on to the user's gateway to the internet (called a router), which uses a lookup table supplied by the network provider to decide where traffic for that address should be sent. If the network provider supplies a wrong entry for that range of IP addresses, you end up wherever they send you. If this sounds insecure, it is. Although an organization called the Internet Corporation for Assigned Names and Numbers (ICANN) maintains the list of numbers and addresses, it does not police them, which leaves room for security failures just like the one that happened in Pakistan. In this case, the Hong Kong-based network provider, Pacific Century CyberWorks (PCCW), did not correct the false message transmitted by Pakistan, and the misinformation spread, bringing down YouTube access across the world for almost two hours.
Doug acknowledged, "YouTube is not really considered critical infrastructure but if they can do that for YouTube, and that was a mistake then imagine what you could do if you were trying to take out parts of the infrastructure".
The Federal government needs to build partnerships with the private sector and academia
Building partnerships is the cornerstone of the administration's cyber-security policy. President Obama said "we will work with all the key players, including state and local governments and the private sector". As the cyberspace policy review also pointed out, addressing cyberspace technology issues such as network security requires a concentrated effort to build and secure public-private partnerships. The policy document recommends that the Federal government examine existing public-private partnerships to optimize their capacity to identify priorities and enable efficient execution of concrete actions.
Doug Maughan described how DHS, in particular, has made an effort to work with both academia and the private sector. DHS works on partnerships with businesses, particularly small businesses, by enabling collaboration between academia, small businesses, research labs, and larger businesses. The DHS program is different in that it tries to help academics or businesses through the entire "valley of death": nurturing, development, and implementation. DHS R&D provides support for research, development costs, test and evaluation, and transition environments, until the technology becomes a commercial product, which then comes back to the government or private sector as new and usable security technology.
When asked for a specific example of a company they nurtured in this way, without much hesitation, Doug cited IronKey in the area of cybersecurity. IronKey is a mobile data security organization that caters to enterprise and government organizations by combining "the world's most secure USB flash drive" with the ability to remotely manage thousands of IronKeys, and enforce security policies across these devices from a centralized administrative console. Doug described how they went from a two-person company in 2005 to an 80-100 employee company in 2009 that sells across private sector and government markets. Although the company also received $6m of venture money, DHS S&T funded the initial research and development, and put them into an operational environment and testing, to the stage where they actually had a product that would be useful for the government and others. DHS S&T uses IronKey as a product for their own employees. "So that's the whole spectrum from the start of an idea to a product in use, not only in the government but also in the commercial sector. The model works, and it is important to get the technologies back to the government", said Doug.
When asked if the model was similar to an incubator approach, Doug said that they were not a VC because they don't invest for equity, but in the end that's what they are doing - incubation and innovation, and then bringing products back into use. One of the biggest problems that businesses face is getting a real product out and getting it in the door of the government. So that is one of the things that DHS does that they feel makes a real difference - helping these companies through that difficult journey and making sure that their products can be commercialized.
Another problem in the area of cybersecurity, and the larger field of information technology, is that academics are often focused on the research. Not many organizations attempt to break down the silos between academics and practitioners. DHS is involved in the difficult task of building bridges between the two. Doug explained how, in their solicitations for R&D, they require that applicants have a commercialization plan, or have at least thought seriously about commercialization, as part of their response to the solicitation. This has led to a number of cases where an academic institution has partnered with a company like IBM or Symantec, knowing that they, as an academic institution, are not used to commercializing a product; if they partner with someone who already has a commercial product, then that research can be transitioned into a next-generation product. In the end, when the university or think-tank comes to the table they will have thought about commercialization and it is no longer just about the research. In this way, the link between the private sector, academia, and business in general is built right from the get-go.
Cybersecurity through Quality and Open Source
Many software practitioners say that the best way to improve cybersecurity is through improved quality in general, and one way to improve quality (and security) is through increased use of open source. While the policy document did not explicitly mention open source, many of the objectives it outlined could be facilitated through open source. A hint that they did their homework regarding open source was the citation of Open Source Software and Cyber Defense, by Bob Gourley from Crucial Point LLC. Bob Gourley on his blog says proprietary software products have a much higher security risk than their open source equivalents, and agrees with the COO of Sun Federal, who has written a blog entry entitled "The No. 1 Reason to Move to Open Source is to IMPROVE Security". To explore this issue further we spoke with Dan Risacher, who is the lead on open source issues in the Department of Defense, and is also well versed in security issues.
Dan acknowledged that some people had a hard time understanding how open source software could be secure. "There is a perceived risk of open source from a security standpoint; people are very concerned about using software and it's either 'I don't know where it comes from', or 'what backdoors have been put in the software'. I think it is largely a red herring; people don't know where their proprietary software was written either, nor do they know where the backdoors are in that. In open source, there is usually very robust version control, and you can see every line of code, where it came from, who put it there and who made changes to it. The ability to do that inspection and do security audits is much greater in open source than in proprietary software". On the issue of foreign involvement and where the software is written - at least in Defense - with respect to influence and control, Dan pointed out that in most cases we have no idea where proprietary software is written either, and buying from a US company does not mean that it was written here.
Dan acknowledged that it was hard for people to see how the principle of openness was a keystone principle of computer security. Dan used an analogy to explain how openness could drive improved security. "You really don't want to trust your house to a puzzle lock that nobody knows how to solve but you. Sooner or later the guy is going to come along who is smarter than you are and he is going to solve the puzzle. You want that security to be part of the key. The mechanism of how the lock works is well understood but people still don't know what the key looks like, so that is a much better way to do security. The way I explain it is that I want to know how it works so that I know it is secure. If I am relying on obscurity and the fact that this is a little known system to really guarantee that there is no weakness in it - if anything that is driving in the wrong direction. The more secretive it is, the more likely it is that it was designed by one guy or a small team of people and there is probably something they overlooked, vs. if I have something that is widely publicized - algorithms, code and mechanisms - then the obvious and sometimes the not so obvious flaws will be discovered by somebody if it is open. Security researchers will comb it over, looking to make a name for themselves, and you benefit from that review. So it is really the process of review that helps you achieve better security, and open source software enables that review to take place in a way that is very difficult or can't necessarily be matched by the proprietary software development world".
Dan made the point that the principle of openness helps drive quality into the software through that process of review, which in turn improves cybersecurity.
The compelling case for public awareness and education
When President Obama said, "And finally, we will begin a national campaign to promote cyber security awareness and digital literacy from our boardrooms to our classrooms and to build a digital workforce for the 21st century", he was acknowledging that we are far from being a nation that is educated about technology issues such as cybersecurity. New technology precipitates policy considerations and may require changes in existing processes. Equally, changes in policy can affect technology decisions regarding procurement or technological research and development. Many gurus of computer security, who advocate adoption of open source as the best possible response to security threats, also complain that the inflexibility of the policy wing of the government prevents adoption of technologies such as open source, thus exposing the government to cyber threats.
Dan agrees that technology education is especially important for government officials so that policy can be more responsive to technology. He used the example of open source, which can still be considered new technology in much of the federal government, and the need for education among government officials, and in particular the acquisition staff. Dan felt that a lot of education for the federal workforce was needed - he described the need to conquer fear, uncertainty and doubt (FUD). There was a need to look at selected processes, decide how to adapt them, and clearly outline what the rules for acquisitions are. From Dan's perspective, the biggest education issue for open source is that open source is commercial software and we should be following mostly the same processes.
Asked whether he thought there were major problems with how procurement and acquisitions staff respond to changing technology, he replied that the acquisition rules and processes were not broken, in the sense that they are adequate, but they could be better. He pointed out that the rules themselves were not the main obstacle to acquiring things; the problem lay in the processes that have been created around the rules, and in the need to educate the people who execute them. For instance, if contracting officials are asked whether they have considered open source software, they often don't know what open source is, and they find it hard to believe that you can get software for free, and that it can be downloaded and kept under the current acquisition rules.
An issue that is often brought up, according to Dan, is the rule that only a contracting officer can obligate the Government and agree to a contract, which is used to make a case for rejecting open source. In the case of open source, you should really be looking at whether you need a contracting officer to accept an open source license at all, as most of the time it is not a contract but a license. This is different from the proprietary software world, where people talk about an end user license agreement - that is a bilateral agreement.
Dan agrees with Karen Evans (OMB's former administrator for e-government and IT, who retired this January) that new technology often requires that you understand how to do a Total Cost of Ownership analysis and that you do your research on the options you have, as there is a legitimate interest on the part of the government to make sure you do those trade-offs. [Total Cost of Ownership analysis typically includes lifecycle maintenance costs, the costs associated with risk issues, including security and privacy of data, and the costs of ensuring the security of the IT system itself.] To help clarify the open source issues in DOD, Dan has finished a draft policy note that clarifies current policy on open source technology; however, as of this writing, the policy has not yet been formally signed off on.
Recent cybersecurity achievements
We asked Doug what some of the important achievements had been in the area of cybersecurity, as he has been working in this area for quite some time. Doug said that one of their most important initiatives in cybersecurity was their program on domain name system security - DNSSEC. DHS S&T has been working on this for the past 4.5 years. The Domain Name System (DNS) is often described as one of the Internet's most fundamental building blocks. The system is responsible for first locating and then translating Internet domain names into Internet Protocol (IP) addresses. In the Pakistan YouTube example we discussed earlier, when the user typed in http://youtube.com, the DNS system was responsible for locating and translating the domain name (YouTube.com) into an IP address, which is represented by a series of numbers. DNSSEC's aim is to ensure the authenticity and integrity of DNS, and it relies on cryptography to do so. Doug told us that last August, OMB came out with a memo that said that all government agencies will deploy DNSSEC-signed .gov, led by DHS, in partnership with OMB, GSA, and others. In his view this is a critical element of the internet infrastructure, and the US government is now stepping out and taking a leadership role in securing that infrastructure.
Another area that they are working on is the Border Gateway Protocol (BGP), which deals with routing. Routing is the process of selecting paths in a network along which to send network traffic. For routing to work seamlessly and efficiently, it needs a routing protocol. A routing protocol specifies how routers communicate with each other, disseminating information that enables them to select routes between any two nodes on a computer network, the choice of route being made by routing algorithms. BGP is the core routing protocol of the Internet. Doug told us that just as DNS is a key element of the internet infrastructure, BGP is also a key element of security, and has security vulnerabilities that need to be addressed in collaboration with companies like Cisco and Juniper, and AT&T, Sprint, and Verizon.
DHS is involved with both DNSSEC and BGP; however, with BGP DHS faces a more uphill battle. Doug explained, "We have initiated programs with the private sector and the academics. The difference is that with DNS you have an agreed upon standard so it is pretty easy to move forward, but with BGP you don't really have an agreed upon standard, so the first step is working with the industry folks to develop an agreed upon standard, so then we move forward on the deployment and secure the routing". An important priority for DHS and others will be to work more intensively on the BGP standard.
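The YouTube hijack described earlier and the BGP gap Doug describes here come down to two mechanics: a router forwards to the most specific prefix it has heard, whoever announced it, and an upstream that does not filter what a customer announces passes a bogus route on to the rest of the world. The Python below is an added example, not code from the article, DHS or any router vendor; it simulates longest-prefix-match route selection over constructed announcements (documentation-range prefixes and private AS numbers, not the real 2008 prefixes) and shows a prefix-list ingress filter at the upstream, the check PCCW's role in the story corresponds to, rejecting the more-specific bogus announcement.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int        # AS that announced the prefix
    learned_from: str     # neighbour session the announcement arrived on


def select_route(rib, dst_ip):
    """Longest-prefix match: the most specific covering prefix wins,
    regardless of who announced it. Returns the winning Route or None."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def ingress_filter(route, allowed_by_session):
    """Prefix-list style check an upstream applies to a customer session:
    accept only prefixes the customer is authorised to originate, or a
    subnet of one. Sessions with no entry are left unfiltered, which is
    the weak default this example contrasts against."""
    allowed = allowed_by_session.get(route.learned_from)
    if allowed is None:
        return True
    return any(route.prefix.subnet_of(a) for a in allowed)


def build_rib(announcements, allowed_by_session=None):
    """Install announcements into a routing table, dropping those the
    ingress filter rejects. Returns (rib, rejected) so the rejects can
    be logged and alerted on."""
    allowed_by_session = allowed_by_session or {}
    rib, rejected = [], []
    for r in announcements:
        (rib if ingress_filter(r, allowed_by_session) else rejected).append(r)
    return rib, rejected


# Constructed data: documentation-range prefixes and private AS numbers.
OWNER_AS, ROGUE_AS = 64500, 64501
ANNOUNCEMENTS = [
    # Legitimate owner announces its whole block via a peer session.
    Route(ipaddress.ip_network("198.51.100.0/22"), OWNER_AS, "peer-owner"),
    # Rogue customer announces a more specific /24 carved out of it.
    Route(ipaddress.ip_network("198.51.101.0/24"), ROGUE_AS, "customer-rogue"),
]
# What the customer session is actually authorised to announce.
ALLOWED = {"customer-rogue": [ipaddress.ip_network("203.0.113.0/24")]}


def where_does_traffic_go(dst_ip, filtered):
    """Origin AS that receives traffic for dst_ip, with or without the
    upstream applying its customer prefix list."""
    rib, _ = build_rib(ANNOUNCEMENTS, ALLOWED if filtered else None)
    route = select_route(rib, dst_ip)
    return route.origin_as if route else None


if __name__ == "__main__":
    print("unfiltered:", where_does_traffic_go("198.51.101.10", False))  # 64501
    print("filtered:  ", where_does_traffic_go("198.51.101.10", True))   # 64500
```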
Looking forward
To wrap up, Doug and Dan talked about key issues in cybersecurity. Doug felt that it was important to continue to push forward on research and development. Metrics, which he defined as measures that show how good or how bad software is, should also be a priority. He also mentioned the usability of security software as important. According to Doug, if we want to see more and more security technology deployed, we are going to have to think about how it is going to be used, and what the user experience will be. At this point, he felt, most people just want software to work, and they don't care whether it is secure or not, so until that situation changes, developers need to think about it and build security into their software. Dan talked about how the emphasis on collaboration and transparency made open source a valuable option. He also emphasized the value of education, among staff involved with acquisitions and others. Dan talked about the need to focus on software quality, as poorly written software is the source of a lot of problems.
Tackling cybersecurity issues highlighted by President Obama's speech and the Cyberspace Policy Review will not be easy. The conversations with both Doug and Dan helped identify some of the cybersecurity areas that the federal government would need to work on, to make the gains that they want. In the coming days, the hitherto unnamed Cybersecurity Czar and the rest of federal government will need to take a much closer look at issues such as policy (DNSSEC, BGP), alignment of policy and technology (acquisition rules), new technology adoption (open source), and partnerships (academics, public and private sector). Resolving some of these issues will be important if we, as a nation, want to move to the forefront of cybersecurity.
Published by Tanya Gupta
Tanya Gupta's interest is in the use of technology in improving governance. She is a blogger for the World Bank blog, "Governance Matters" on e-government issues, and a writer on DC Government and technolog...
1. What are the implications of the new thrust in cybersecurity?
2. How is open source relevant to this discussion?
3. What are some of the technical issues that need to be resolved first?