When the Walls, Come Tumblin' Down


John Mellencamp sang about the walls tumbling down, and this week's press release by the U.S. Army telling bases to stop blocking Twitter, Facebook, and Flickr ("Army Allows Access To Social Media Websites") should be proof enough for anyone.  Following the lead of the US Navy ("US Navy Web 2.0: Utilizing New Web Tools") and the US Air Force ("New Media and the Air Force"), it appears that the US military has realized the value of social media not only as a tool for boosting morale but also "to facilitate the dissemination of strategic, unclassified information." 

Wow.  Who would have ever thought that the stodgy old military would get on board with something so...hip and revolutionary?  What's next, Elvis is really alive and Robert Plant is singing country music (thanks Mike)?  Actually, I'm not all that surprised.  The military has always been out in front with technology; it's just the "non-traditional" stuff like allowing Sailors, Airmen, Soldiers, and Marines to communicate in informal channels using the evolutionary brilliance of user-generated content that breaks tradition.  Should we be scared?  I don't think so.  Web 2.0 technologies provide a different means of communicating and distributing information, but the risks have always been there; they're just a little more "out there" now.

One thing the military is great at is training and I think they'll be very proactive in making sure members of the military understand their responsibilities when Tweeting, blogging, and posting up on Facebook.  The challenge now will be to instill discipline in communications to everyone, not just those with a security clearance.

While the military is the latest non-traditional organization to publicly endorse social media, throughout government it's become business du jour and it's all about transparency. President Obama's (our) new federal CIO Vivek Kundra built his professional reputation on breaking out of the traditional IT mold and using new technologies to share information with his constituents.  In California, Governor Schwarzenegger has appointed a "New Media Director" to broaden and improve the state's way of communicating with the public.  Across the country, states and local governments are rushing to give the public more of what they want...information, and Web 2.0 technologies are how they are doing it.

Anyone who thinks social media is just a fad isn't paying attention.  It's a trend and it would behoove those of us in the security business to jump on the train and start thinking of solutions to the existing security issues and the new ones that are coming.  If security becomes the party pooper (thanks Dan) on implementation of social media in our organizations, it will be disastrous for our profession.  The horse has already left the barn, we just need to make sure the saddle's tight.  What do you think?

President Obama and Cybersecurity, A New Comprehensive Approach


Last Friday, President Obama followed up on a promise he made last July during a speech at Purdue University when, as then-candidate Obama, he said "As President, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me."  In a speech at the White House on Friday morning, President Obama declared that 21st century challenges can't be met without a digital infrastructure and said that, "the world of cyberspace is a world we depend on every day."  I was encouraged to hear him say that the security of our nation's infrastructure is a matter of America's economic competitiveness.

The President then went on to outline the results of the 60-day review of cybersecurity in the federal government that Melissa Hathaway and her team completed in mid-April.  The resulting document, titled the Cyberspace Policy Review, is 76 pages of how the federal government is going to take a leadership role in "anchoring and elevating leadership for cybersecurity-related policies at the White House."

While he didn't name the "Cyber Czar" during the press conference, it is the number one item in the "Near-Term Action Plan" of the Cyberspace Policy Review and importantly, the document calls for the White House to lead the way forward.  How's that for leading with your chin?  I also think it was incredibly telling that the President plans to include staff to address privacy and civil liberties.  In fact, he specifically called out that the plan would not include monitoring private sector networks.

What does it mean?  From my view in the cheap seats, I'm ecstatic just to see security getting such high-level visibility.  We've been anticipating the president's actions for a while now and from my perspective, it's very good news to see him follow through.  

I plan to spend some time analyzing the Cyberspace Policy Review document and provide my perspective on it in a few days.  If you've already read and digested it, I'd love to hear your thoughts.

Cyber Dollars in the ARRA


$787B. $787,000,000,000.00. Seven hundred and eighty seven billion dollars. However you say it or write it, that's a lot of dough.  That's the amount of the federal stimulus package called the American Recovery and Reinvestment Act (ARRA) of 2009.

The mission of the ARRA has several components but one of them is to "address long-neglected challenges".  Many people have been trying to make sure the technical infrastructure we depend upon to keep the lights on, help water flow, keep transportation moving and secure the financial engines in America are considered as some of those challenges. It's no surprise to anyone reading this blog that those are huge issues.  In the early days of the technology revolution we didn't give a lot of thought to security in deploying many of these systems so now we are faced with one of those "long-neglected challenges".

Interestingly enough though, the challenge that many of my colleagues and I face is how to identify the appropriate source and decipher the guidelines for applying, receiving, and executing those very same dollars. Whenever federal funds are involved in such massive amounts, you'd expect a considerable amount of oversight and this case is no exception. With about $19B identified for the Health Information Technology for Economic and Clinical Health Act (HITECH Act), $7.2B allocated for deployment of broadband and $18.3B for research and development ($580M to the National Institute of Standards and Technology) there is no shortage of issues. In fact, my strategic plan will eventually include a number of enterprise projects that capitalize on these broad categories while benefiting most of the citizens in the state of California. The goal with any of these grant programs is to identify projects with the biggest bang and as broad a scope as possible. In state government that means citizens so I'm looking at projects that can upgrade systems or provide new levels of protection to infrastructures that helps both state and local governments.

I'll let you know how it comes out but if you have any thoughts or suggestions, feel free to throw them my way. I'll be writing more on this topic soon.

Vulnerabilities in the U.S. Power Grid


The article released by the Wall Street Journal on Wednesday has created quite a stir and I've spent a considerable amount of time the past two days asking and answering questions about it.

I think I can say without stepping too far out on a limb that the details in the article are no apocalyptic revelation to those who are paid to worry about these things.  Weaknesses in the SCADA and control system environment have been known for years and the fact that some bad guys have penetrated and mapped the electrical grid is probably not a great shock.  The fact that it was so publicly presented surely focused the issue in a lot of people's minds though so this problem may inch up the priority scale.

Not that things weren't already being done to fix weaknesses in the nation's power grid, but getting such a public stage for the problem will undoubtedly get telephones ringing in legislators' offices, which may in turn force changes more quickly.

The choice was made years ago, the first time that the formerly closed SCADA/control system environment was connected to the Internet through some organization's admin network or wireless connection.  That first time, when people began to see the incredible convenience of the Internet in remotely managing the switches, sensors and valves of these widely distributed systems, control was lost.  Now these same systems and networks that security professionals fight to keep secure every day, the same ones you are reading this blog on right now, with all their warts and weaknesses, are in many cases the same ones being used to manage our nation's critical infrastructures.  Unfortunately, these control system weaknesses have been known for some time but startlingly little has been done to address them.  Pogo said it best.

I always get a little nervous when I see a quote from an 'Official' that cautions, "...the motivation of the cyberspies wasn't well understood, and they don't see an immediate threat."  Well, they may be right about the immediate threat part (or maybe not), but as for the motivation part, put on your Mr. Wizard pointy hat for a second.  Just what do you think is the motivation of someone, anyone, who hacks (or waltzes unhindered) into company and government networks across the nation, maps key critical infrastructure system environments and leaves behind little presents that may go boom someday?  Here's a hint: the answer is not tea and crumpets at 2:00.

The good news is that both the government and utility companies are beginning to take this threat seriously and devote the resources to slowly begin fixing the problems.  In fact, there are many SCADA-related conferences during the year where security issues are beginning to get as much attention as efficiency of service delivery.  While visibility is often a double-edged sword, it can also be the catalyst that changes the game.

Escape from Conficker-geddon


So here we are again, a couple of days post-Conficker Armageddon, and some people are feeling like they missed the party.  No one has said it yet but I can already see it in some eyes: "Looks like another over-blown security event, hyped by the media and exploited by the security guys."  Really?  It's the old circular question: "Did Conficker just not live up to its hype, or did all of the attention we gave it mitigate what might have happened?"  Just like police who see a drop in crime after adding more officers, we always seem to be answering this question after we focus in on specific problems like this.

So, did all of the media hoopla and our own internal advisories, coercion and hard work to make sure our systems were patched help us dodge the Conficker bullet?  Just like Y2K, we'll probably never know for sure but, you know, I don't think it matters.  Sure, we had people scurrying around for a couple of weeks, but I'll bet all of our systems are in a little better condition now and we probably learned a few things about our IT environment that we wouldn't have ever known.  Here's a crude analogy.  In the Navy, when leadership starts noticing an increase in accidents or trends in work-related mistakes spike up, they often call for a "Safety Stand-down" where entire commands, and in some cases the entire Navy, take a day or a half day to stop all regular work and regroup, focus, get some training and address whatever the major problem seems to be.  Well, I'm choosing to treat Conficker as a "Safety Stand-down."  We'll be gathering some metrics over the next few weeks that will hopefully help tell a good story.

I spoke with a few CIOs and CISOs yesterday who did take Conficker seriously, and they certainly didn't feel like they wasted time.  In fact, a couple of them felt like they and their folks were better off because of the drills they went through to make sure their systems were clean and healthy.

We're not even close to declaring victory because there are still millions of Conficker-infected computers out there ready to use your networks for their botnet purposes.  More importantly, all evidence points to the fact that the Conficker writers are very good and we still don't know the end game.  Some experts expect to see additional variants that are even more difficult to patch and remove.

For today, I'm happy to have avoided a Conficker meltdown on April Fools' Day, but we plan to stay vigilant and keep our shields up.  Maybe it's a good time to give your folks a pat on the back and tell them "job well done!"

Have a Conficker-Free Week

I got a call from a reporter this week asking me about the Conficker virus.  "Are you prepared?"  "What do you think is going to happen?"  "How widespread is the virus?"  "Why is April Fool's Day important?"

I went through all of the mechanics of how we get A/V signature updates and how those updates get pushed to all of the computers in our environment on a regular basis.  I also said that there's a history of people planning bad things on days that have some significance, and the irony of April Fool's Day was just too rich.  I then explained to him that it's our job to deal with this kind of thing every day; Conficker was just getting more attention than most. I told him that bad guys and bad things are attacking us 24/7/forever from across the globe, so it's our job to be ready for a Conficker every day.  He kept asking if we were 100% sure that we wouldn't have any virus infections.  This is the hard part: when you have to explain to someone that, in our business, you never achieve 100%.  There's always a machine somewhere that didn't get patched or didn't get the update for a variety of reasons, and it only takes one, like the well-worn weakest-link analogy.

As I thought back on it later, the conversation reminded me of something a friend said a while back after a big security incident made national headlines.  The company had done all the right things, had all the right policies, and trained all of their people.  They did however miss one computer when configuring the OS to disable USB ports.  Guess which computer a malicious employee found to steal and download customer PII to a USB hard drive?  Yep.  My friend said "This is the perfect example of how even 1% non-compliant equals 100% vulnerable."  So true.

When the reporter saw that there wasn't a huge, gruesome story just aching for media attention (not yet anyway), he lost a lot of interest and said he'd call me back if anything came up.  This got me thinking, and not for the first time, about how so many in the general public have such little understanding of the cybersecurity problems we all face.  I used to think it was a generational issue that would be solved by time, but I'm not even sure about that anymore.  While we can't ever stop educating, I also don't think there will ever be a general understanding of security problems.

What do you think?  How can we help the general population understand the power they have over managing their own computers to prevent things like Conficker?  That's a hard one, huh?  Anyway, keep your patches up and here's to a Conficker-free week and a quiet April Fool's Day.

Technical Innovation in America

I attended the IT Security Entrepreneurs' Forum III (http://publicprivatepartnerships.org/itsef/) at Stanford University yesterday, where I was part of a panel discussing the current and future cybersecurity threat environment.  Moderated by the always popular and entertaining Bob Bragdon of CSO Magazine, the forum was both insightful and informative.

The purpose of the Forum is to bring together government, innovators, entrepreneurs, system integrators, venture capitalists, academics, and scientists to discuss and address cybersecurity issues of national interest.  Wow!  I can tell you that innovation is alive and well in America.  There were some very interesting start-ups and I kept thinking to myself, is this the next Symantec, Cisco, McAfee or Websense?

While there were presentations by a wide variety of notable security experts, as is often the case (in my personal opinion anyway), the best part of the gathering was the opportunity to chat in the hall with some of the small companies in attendance.  I talked with a variety of people about everything from federated IdM on a massive scale to vulnerabilities on the nation's critical infrastructures and DLP solutions to automated risk and compliance apps.  As the CISO for a large government organization, one of the very important things I do is try to stay up with new technologies, especially those that create efficiencies at the enterprise level.  So, while government organizations are rarely on the bleeding edge of technology, I saw a few things and talked to some people that got me excited about how we might be doing things in the future.

While all of the sessions were unique and informative, the panel discussion on "Is There An Innovation Crisis in America" was very enlightening.  When the Innovation Crisis panel was asked by moderator Pascal N. Levonsohn to identify the top two things government should do to increase innovation, the three panelists (Dr. Curtis R. Carlson, Dr. Gururaj "Desh" Deshpande, and Lesa Mitchell) were almost unanimous in saying that the government should be providing more funding for research.  Dr. Carlson also said that Sarbanes-Oxley should be eliminated for small companies since it creates such a huge burden, and Ms. Mitchell stated, somewhat humorously, that when we issue a PhD to a foreign student, the diploma should come with a green card to keep them working here in America.

John Thompson gave the closing keynote and got everyone's attention when he said that Symantec is now seeing 15,000 new threats every day, or over 600 every hour, and that "some attackers are as well financed as some of the start-ups here in Silicon Valley!"  John will certainly be missed when he retires at the end of the month.

The bottom line is that I think it's critically important for government to actively stay in the loop with technology entrepreneurs in America and support their innovation wherever possible.  What do YOU think?

A Cyber Sense of Urgency


I recently read an article written by Lt. Gen. Harry D. Raduege, Jr., USAF (Ret.) in SIGNAL Magazine titled "Evolving Cybersecurity Faces a New Dawn" that outlined what he calls the four-stage journey of cybersecurity.  The article is located at http://www.afcea.org/signal/articles/templates/Signal_Article_Template.asp?articleid=1784&zoneid=245

While the General approaches the issue from a DoD perspective, I think it translates very nicely to the cybersecurity attitude of both government and society in general.  It's an interesting article and I'll leave it to you to read but I'd like to comment on just one of his points.  In discussing stage three, General Raduege states that "We understand the nature of the threat and the implications for our nation, and there is a growing sense of urgency."

I couldn't agree more that there is a growing sense of urgency.  In fact, we've never heard so much buzz about cybersecurity on a daily basis, and it's in the top five priorities of almost all CIOs.  However, my question is whether the right people are experiencing that "growing sense of urgency."  Those of us in the security business certainly get it, and there seem to be little flares of interest in government from time to time (usually the result of a data breach or malicious attack that gets headlines), but getting the attention of our policy makers still seems to be a challenge.

The nation spends $BILLIONS every year on thousands of projects that quite frankly, are of very little interest to, and have very little impact on, the vast majority of Americans.  One man's pork may be another man's job but think about how far even a small percentage of this kind of funding would go in addressing the nation's cybersecurity and critical infrastructure weaknesses at the federal, state and local government levels.  That would benefit the overall population of America far more than some of the small special interest groups on the receiving end of these earmarks.

There are a growing number of national cybersecurity champions, including General Raduege, and I'm excited about the proactive position of President Obama and Representatives Jim Langevin (D-RI) and Michael McCaul (R-TX) but we need more people leaning forward, way forward, on cybersecurity.  This is not a FUD issue and it's our responsibility to clearly communicate the sense of urgency without making it one.  What do you think?

Uncertainty at the Top (of Cybersecurity)


Rod Beckstrom resigned last Friday from his post as Director of the National Cyber Security Center (NCSC) at the Department of Homeland Security after less than one year in the role.  Citing a lack of resources and support, it's reported that Beckstrom's NCSC, which is responsible for coordinating the government's response to cybersecurity threats, received less than $500,000 in funding for the past year.  I know, you know, and the government knows that $500K isn't going to go very far in addressing these big issues, so if true, why are the expectations so low?  Perhaps the most compelling comment from his resignation letter, though, is how having NSA playing a significant role in the nation's cybersecurity was "bad strategy."  http://www.networkworld.com/news/2009/030909-beckstrom-resignes-ncsc.html

Mr. Beckstrom's announcement has led to some interesting discussions (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129429&instrc=news_ts_head) about whether or not NSA should in fact be playing a lead role in the nation's cybersecurity mission at all. While the technical expertise that resides within NSA is beyond question, in an era of transparency in government, the issue may have some validity when you look at the historically closed environment of NSA.  On the other hand, the national cybersecurity agenda hasn't really made any great strides residing within DHS in the past few years, so maybe that isn't a good fit either.  While NSA has received some less than positive press as a "spy agency" over the years, Information Assurance, with a focus on vulnerability and threat analysis, is one of their core missions.

So I suppose the real question is that if a national cybersecurity initiative is truly a national priority, where should the organization directing it live?  Do you think vesting NSA with a leadership role in the nation's cybersecurity effort is the right choice and if not at NSA, where should it be?

Transition on the Securing GovSpace Blog


As some of you have undoubtedly heard, Dan Lohrmann has moved on to bigger things and accepted the position as Chief Technology Officer and Director of the Infrastructure Services Administration for the state of Michigan.  My Herculean task is to try and fill Dan's very large shoes in blogging about the latest cyber security news in government.  Dan's blog has been one of the few links I hit consistently because it's always been timely and thought-provoking.

A little about me.  I've been in the technology business my entire life and in the cyber security business for the past 17 or so years ... what an exciting ride it's been!  I was a Cryptologist in the US Navy and left active duty in 2001, where my last job was working with the Navy's Computer Network Defense Operations, the Navy Computer Incident Response Team (NAVCIRT), and the Navy Red Team.  Those early days in cyber security were incredible and, just in case you're wondering, the Navy has some of the best security professionals in the world as well as an exciting and very relevant mission!  While at the NAVCIRT I met a very smart guy named Stephen Northcutt who was doing some really interesting work at the Navy Surface Warfare Center and building a cool IDS tool called Shadow...perhaps you've heard of him?  After I left the Navy I spent a couple of years with Raytheon building and running a Security Operations Center and doing some Certification and Accreditation (C&A) work, which brought me face to face with the limitations and weaknesses of FISMA (it's not altogether bad, it just has limitations, and I'll write more about that in the coming weeks as the Consensus Audit Guidelines (CAG) get more legs.)

In 2005 I became the State of Colorado's first CISO and had the very enviable task of building the statewide information security program.  Really now, who wouldn't leap at that opportunity?  Governor Bill Owens recognized the significance of an all-encompassing security program and gave me the executive support and resources I needed to quickly establish enterprise security governance.  After Governor Bill Ritter took office in 2007, he raised the ante by hiring Mike Locatis as his CIO to consolidate all IT and security operations in the state.  I loved working with Mike but after three years in Colorado, opportunity knocked again and I moved to California to take over as CISO when Governor Schwarzenegger hired Teri Takai as his CIO to begin revolutionizing IT in the Golden State.  Talk about timing.  I now have the best and most challenging CISO job in the world and look forward to blogging about the exciting things happening in the government cyber security space.

I'm always looking for interesting things to write about so please feel free to post whenever you get the chance and if you have something provocative, let me know.