Rybolov Note: this is part 3 in a series about S.773.  Go read the bill here.  Go read part one here.  Go read part two here. Go read part four here.  Go read part 5 here. =)

SEC. 13. CYBERSECURITY COMPETITION AND CHALLENGE. This section of the bill creates a series of competitions for a range of ages and skills… with cash prizes!  Mostly it’s just the administration of competitions–cash prizes, no illegal activities, etc.

This goes back to the age-old discussions of glorification of illegal activities, giving tools to people who are too young to know how to stay out of jail.

But then again, I know why this section of the bill is in there.  If we want to grow enough security professionals to even remotely keep up with demand, we need to do a much better job at recruiting younger techies to the “security dark side”.  Competitions are a start, the next step is to get them into formal education and apprenticeships to learn from the gray-hairs that have been in industry for awhile.

Once again, the same verbiage about tasking Commerce with leading this effort… I’m not sure they’re the ones to do this.

Verdict: Already happening although in ad-hoc fashion.  I’m not sold on teaching high school kids to hack, but yeah, we need to do this.

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE. Although the title of this sounds really cool, like super-FOIA stuff, it’s really just information-sharing with critical infrastructure owners and operators.

One interesting provision is this:

“The Secretary of Commerce–

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access”

In other words, all your critical infrastructure information belong to Feds.  This is interesting because it can run the range from the Feds asking power grid operators for information and getting what they get, or it can be stretched into justification for auditing of privately-owned critical infrastructure.  I’m pretty sure that they mean the former, but I can see the latter being used at a later stage in the game.

One thing I thought was interesting is that this section only refers to information sharing with critical infrastructure.  There is a big gap here in sharing information with state and local government, local (ie, non-Federal) law enforcement, and private industry.  I think other sections–most notably  section 5–deal with this somewhat, but it’s always been a problem with information dissemination because how do you get classified data down to the people who need it to do their jobs but don’t have any level of clearance or trustability other than they won an election to be sheriff in Lemhi County, Idaho? (population 5000)  Also reference the Homeland Security Information Network to see how we’re doing this today.

Verdict: Really, I think this section is a way for the Feds to gather information from the critical infrastructure owners and I don’t see much information flow the other way, since the means for the flow to critical infrastructure owners already exists in HSIN.

Capitol photo by rpongsaj.

SEC. 15. CYBERSECURITY RISK MANAGEMENT REPORT. This small section is to do some investigation on something that has been bouncing around the security community for some time now: tying security risks into financial statements, cyberinsurance, company liability, etc.

Verdict: Seems pretty benign, hope it’s not just another case where we report on something and nothing actually happens. This has potential to be the big fix for security because it deals with the business factors instead of the symptoms.

SEC. 16. LEGAL FRAMEWORK REVIEW AND REPORT. This section requires a review of the laws, national-level policies, and basically what is our national-level governance for IT security.  As weird as this sounds, this is something that needs to be done because once we have a national strategy that aligns with our laws and policies and then is translated into funding and tasks to specific agencies, then we might have a chance at fixing things.  The one caveat is that if we don’t act on the report, it will become yet another National Strategy to Secure Cyberspace, where we had lots of ideas but they were never fulfilled.

Verdict: Some of this should have been done in the 60-day Cybersecurity Review.  This is more of the same, and is a perfect task for the Cybersecurity Advisor when the position is eventually staffed.

SEC. 17. AUTHENTICATION AND CIVIL LIBERTIES REPORT. This section is really short, but read it verbatim here, you need to because this one sentence will change the game considerably.

“Within 1 year after the date of enactment of this Act, the President, or the President’s designee, shall review, and report to Congress, on the feasibility of an identity management and authentication program, with the appropriate civil liberties and privacy protections, for government and critical infrastructure information systems and networks.”

So my take on it is something like REAL-ID and/or HSPD-12 but for critical infrastructure.

My personal belief is that if you have centralized identity management, it runs contrary to civil liberties and privacy protections: the power of identification lies with the group that issues the identification.  Hence the “rejection” of REAL-ID.

If I operated critical infrastructure, I would definitely protest this section because it gives the Government the decision-making authority on who can access my gear.  Identity and access management is so pivotal to how we do security that there is no way I would give it up.

On the bright side, this section just calls for a feasibility report.

Verdict: Oh man, identification and authentication nation-wide for critical infrastructure?  We can’t even do it in a semi-hierarchical top-down world of Government agencies, much less the privately-owned critical infrastructure.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 1
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 5
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• The World Asks: is S.773 Censorship?

So I like reading about what people think about security and the Government.  I know, you’re all surprised, so cue shock and awe amongst my reader population.

Anyway, this week it’s Fortify and a well-placed article in NextGov.  You remember Fortify, they are the guys with the cool FUD movie about how code scanning is going to save the world.  And oh yeah, there was this gem from SC Magazine: “Fortify’s Rachwald agrees that FISMA isn’t going anywhere, especially with the support of the paper shufflers. ‘It’s been great for people who know how to fill out forms. Why would they want it to go away?'”  OK, so far my opinion has been partially tainted–somehow I think I’m supposed to take something here personal but I’m not sure exactly what.

Fortify has been trying to step up to the Government feed trough over the past year or so.  In a rare moment of being touch-feely intuitive, from their marketing I get the feeling that Fortify is a bunch of Silicon Valley technologists who think they know what’s best for DC–digital carpetbagging.  Nothing new, all y’alls been doing this for as long as I’ve been working with the Government.

Now don’t get me wrong, I think Fortify makes some good products.  I think that universal adoption of code scanning, while not as foolproof as advertised, is a good thing.  I also think that software vendors should use scanning tools as part of their testing and QA.

Fortified cité of Carcassonne photo by http2007.

Now for a couple basic points that I want to get across:

• Security is not a differentiator between competing products unless it’s the classified world. People buy IT products based on features, not security.
• The IT industry is a broken market because there is no incentive to sell secure code.
• In fact, software vendors are often rewarded market-wise because if you arrive first to market with the largest market penetration, you become the defacto standard.
• The vendors are abstracted from the problems faced by their customers thanks to the terms of most EULAs–they don’t really have to fix security problems since the software is sold with no guarantees.
• The Government is dependent upon the private sector to provide it with secure software.
• It is a conflict of interest for the vendors to accurately represent their flaws unless the Government is going to pay to have them fixed.
• It’s been proposed numerous the Government use its “huge” IT budget to require vendors to sell secure projects.
• How do you determine that a vendor is shipping a secure product?

Or more to the point, how do I as a software vendor reasonably demonstrate that I have provided a secure product to the government without a making the economics infeasible for smaller vendors, creating an industry of certifiers ala PCI-DSS and SOX, or dramatically lengthening my development/procurement schedules?  Think of the problems with common criteria, because that’s our previous attempt.

We run into this problem all the time in Government IT security, but it’s mostly at the system integrator level.  It’s highly problematic to make contract requirements that are objective, demonstrable, and testable yet still take into account threats and vulnerabilities that do not exist today.

I’ve spent the past month writing a security requirements document for integrated special-purpose devices sold to the Government.  Part of this exercise was the realization that I can require that the vendor perform vulnerability scanning, but it becomes extremely difficult to include an amount of common sense into requirements when it comes to deciding what to fix.  “That depends” keeps coming back to bite me in the buttocks time and time again.  At this point, I usually tell my boss how I hate security folks, self included, because of their indecisiveness.

The end result is that I can specify a process (Common Criteria for software/hardware, Certification and Accreditation for integration projects) and an outcome (certification, product acceptance, “go live” authorization), leave the decision-making authority with the Government, and put it in the hands of contracts officers and subject-matter experts who know how to manage security.  Problems with this technique:

• I can’t find enough contracts officers who are security experts.
• As a contractor, how do I account for the costs I’m going to incur since it’s apparently “at the whim of the Government”?
• I have to apply this “across the board” to all my suppliers due to procurement law.  This might not be possible right now for some kinds of outsourced development.
• We haven’t really solved the problem of defining what constitutes a secure product.
• We’ve just deferred the problem from a strategic solution to a tactical process depending on a handful of clueful people.

Honestly, though, I think that’s as good as we’re going to get.  Ours is not a perfect world.

And as for Fortify?  Guys, quit trying to insult the people who will ultimately recommend your product.  It’s bad mojo, especially in a town where the toes you step on today may be attached to the butt you kiss tomorrow.  =)

• Comments on SCAP 2008
• Ed Bellis’s Little SCAP Project
• Sir Bruce Mentions FDCC, World Goes Nuts
• When Standards Aren’t Good Enough
• No, FISMA Doesn’t Require That, Silly Product Pushers

They’re “armed”, they’re “dangerous”, and they’re “right around the corner”, depending on who you talk to.

• Cyber-FEMA LOLCATS Prepare for Cyber-Katrina
• IKANHAZFIZMA’s take on Security Appliances
• IKANHAZFIZMA Tackles the Consensus Audit Guidelines
• LOLCATS, CISOs, and Horror Stories
• Oh to be a Program Manager

Hot on the heels of our DAA presentation, the Guerilla CISO is proud to present our lolcat Authorizing Official.

Yes, it’s all about the budget. If you do not have a budget, you do not have the ability to change things. We have a word for people who have all the authority of an Authorizing Official but none of the budget: scapegoat.

And since I’m in Toronto for an extended stay thanks to the weather, today is a 2-fer:

• IKANHAZFIZMA and Transparency
• IKANHAZFIZMA Finds Caution Tape
• Exhaustive Security Testing is Bad For You
• CIO Council Guidelines on Social Media Meet IKANHAZFIZMA
• Cyber-Ninja Lolcats Caught on Film

Interesting article in Security Focus on President Obama and cybersecurity.  Yes, I complained on twitter because the “document on homeland security” is not really any kind of a solution, more like a bullet list of goals that sound suspiciously like a warmed-over campaign platform.

Guess what?  Every President does this, they put out their agenda for everyone to see.  With the last administration, it was the 5-point President’s Management Agenda.

Let’s be honest here, as Bubba the Infantryman would say, “There are only a couple of ways to suck an egg, and this egg has been around for a long time.”  Any cybersecurity strategy will harken back to the National Strategy to Secure Cyberspace because the problems are the same.  If you remember back to when the NStSC was first released, a horde of critics appeared out of the woodwork to say that there wasn’t enough implementation details and that the strategy wouldn’t be implemented because of that.  Well, they were partly right.

And now there’s the President stating his agenda with the same ideas that people have been saying for 6 years in more detail than what and suddenly it’s new and innovative.  That’s politics for you, folks.  =)  Bubba, in a rare fit of wisdom would say “The way you can tell the true pioneers is that they have arrows sticking out of their backs” and it might seem apropos here, if maybe a little bit cynical.

Hidden Agenda Eats Agenda photo by emme-dk.

Let’s go through each of the points with a little bit of analysis from myself:

Great idea.   Between OMB, NIST, DHS, DoD, DOJ, and a cast of thousands, there is a huge turf war over who really owns security.  Each of these groups do a phenomenal job doing what it is they do, but coordination between them is sometimes more like a semi-anarchist commune than a grand unified effort.  I seem to remember saying at one point that this was needed.  Granted, I was specifically talking about the internal side of the InfoSec Equitites Issue, so the scope here is a little different.

The Cyber Czar is literally buried deep down inside DHS with no real authority, a presidential advisor like is in the agenda would report directly to the President. 

We have a very good R&D plan in place (.pdf caveat), it just needs to be adopted and better funded.  For those of you who need a project, this is like a wishlist on things that some very smart Government guys are willing to fund.

Ouch, I cringe when I read this one.  Not that it’s needed because when it really comes down to it, every CISO in the US is dependent on the software and hardware vendors and their service providers.

Something the world outside the Beltway doesn’t understand is that “standards” are roughly equal to “regulation”.  It’s much, much better if the Government goes to industry groups and says “hey, we want these things to be part of a standard, can you guys work to put it all together?” There might be some regulation that is needed but it should be kept as small as possible.  Where the Government can help is to sponsor some of the standards and work along with industry to help define standards.

Maybe the best model for this is the age-old “lead the horse to water, demonstrate to the horse how to drink, hold the horses mouth in the water, and you still can’t get them to drink.”  We’ve tried this model for a couple of years, what is needed now is some kind of incentive for the horse to drink and for vendors to secure their hardware, software, firmware, and service offerings.

Maybe this gets down to political beliefs, but I don’t think this is the Government’s responsibility to prevent corporate cyber-espionage, nor should you as a company allow the Government to dictate how you harden your desktops or  where you put your IDS.  If you are not smart enough to be in one of these high-tech industries, you should be smart enough to keep your trade secrets from going offshore, or else you’ll die like some weird brand of corporate darwinism.

Government can prosecute evildoers and coordinate with other countries for enforcement efforts, which is exactly what you would expect their level of involvement to be.

Yes, in some cases when it’s cyber-espionage directed at the Government by hacking contractors or suppliers (the military-industrial complex), then Government can do something about it with trickle-down standards in contracts, and they usually do.  Think ITAR export controls scoped to a multi-national corporation and you have a pretty good idea of what the future will hold.

This point is interesting to me.  We already have rules to flag large transactions or multiple transactions, that’s how Elliot Spitzer got caught.  Untraceable Internet payment schemes sounds like pulp-fiction stuff and income tax tracking to me, I would like to know if they really exist.

On the other hand, law enforcement does need training.  There really is a shortage of people with the law enforcement and technical security backgrounds who can do investigations.

National data breach law == good, because it standardizes all of the state laws that are such a hodge-podge you need a full-time staff dedicated to breaking down incidents by jursidiction.  We have something like this proposed, it’s S.459 which just needs to be resurrected and supported by the Executive Branch as part of their agenda.

A common standard could be good as long as it’s done right (industry standards v/s Government regulation), see my comments above.

Note some key points I want you to take away:

Nothing is new under the sun.  These problems have been around a long time, they won’t go away in the next 4 years.  We have to build on the work of people who have come before us because we know they’ve looked at the problem and came to the same conclusions we will eventually come to.

Partnership is emphasized.  This is because as much lip-service we give to the Government solving our problems, the American Way (TM) is for the Government not to be your Internet Nanny.  Government can set the environment to support private information security efforts but it really is up to the individual companies to protect themselves.

Industry needs to solve its own problems.  If you want the Government to solve the nation’s information security problems, it means that we take US-CERT and have them monitor everything whether you want them to or not.  Yes, that’s where things are heading, folks, and maybe I just spilled the beans on some uber-secret plan that I don’t know about yet.  Trust me, you don’t want the transparency that the Government watching your data would provide.

Be careful what you ask for.  You just might get it.  When it comes to IT security, be extra careful because you’ll end up with regulation which means more auditors.

Agenda Grafitti photo by anarchosyn.

• Beware the Cyber-Katrina!
• Cyber Security coming to a boil
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 1

So rybolov asked for another guest blog and a hot topic on my mind recently is training. Training in the IT world is kind of like the chicken before the egg argument – every employer whats you to have the latest Security F00$ training but they never want to pay for it. What is an IT professional to do?

So why are the majority of employers hesitant to train their IT staff? Are they afraid they are going to bring new skills to your resume and then you will jump ship to the next “jump and bump opportunity”? Or do they really have funding shortfalls and budget cuts to to prevent you from taking that 7 day Bahamas IT training cruise you wanted wanted to take this winter? My take is that it is probably a little bit of both.

Let’s think about this for a minute. You are a cash-strapped IT Manager at $your_organization_name_here and have limited funding for a never-ending list of training requests. In your attempt to balance training with the rest of your budget, you eventually have to cut training to the bare minimum. If you do splurge and spend the money to send an employee to the latest security F00$ training, the next time he/she is unhappy they might leave. But chances are you have program requirements that dictate some level of yearly training that is required. This situation can also be double whammy if you are in a consulting or contracting role where opportunity costs also means you are not billable during your time in training.

My suggestion is to strike some kind of balance to make both the employee and IT management happy. If you are in the role of government management, consider the possibility of allowing your contracting/consulting staff to bill their training hours to the program instead of going on company overhead. Another possibility to consider is if you involved in IT management in the  consulting/private/commercial sector, consider offering a reasonable allowance each year towards training. It does not have to be huge amount of money to pay for an expensive 10 day conference out of town but enough to pay the tuition for a week long training class. This will show the employee that you are serious about keeping them current in their career field but at the same time put some effort on them to be reasonable with their training requests. Depending on your geographic location, you can usually find job related training locally, especially if you are located anywhere near the beltway.

I was recently faced with this dilemma in my current position. We were told training funding was not available this year and that we would have to wait until next year. After thinking about this for a while, I approached my manager with an idea they bought into. I identified an area within my field that I have really wanted to get into the last few years but the opportunity never presented itself. Since we have the need for this skill and the organization was planning on investing in this area in 2009, I offered to pay my own tuition to attend this training if they would allow me use PTO for the classes. They agreed and I purchased a one-year training package that will allow me to attend an unlimited number of classes from the vendor over the next year. When training funding becomes available again next year, we are planning on putting my training allowance towards travel costs.  In the end, I was able to turn the situation into a win-win for both my employer and my skills set. In a world of shrinking IT budgets, a little creativity can go a long way in meeting your training goals.

Football Training photo by melyviz

• Introducing the Government’s Great InfoSec Equities Issue
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• NIST’S FISMA Pase II–Who Certifies Those who Certify the Certifiers?
• “Machines Don’t Cause Risk, People Do!”
• Split-Horizon Assessments and the Oversight Effect