If, in 2003, you had told anyone in the IT business that attacks on servers would be cut in half by 2006, they probably would have said, “Good.” If you had told them that cyber crime would, in the same period, nonetheless soar more than 50 percent to become a $10 billion per year global industry, they likely would have said, “Apps.”

And they would have been correct.

As attacks on system and network infrastructures have decreased, the attacks on the specific tools that run on those infrastructures have soared. This is partly explained by better security at the OS/network level (where most of the security action has been focused in the FISMA era) and partly explained by the fact that applications are increasingly where the “loot” is for cyber criminals whether motivated by profit or looking to breach data or system resources.

First, let’s be clear about a big part of that hefty $10 billion number. As the SANS Institute’s recent Top 20 Vulnerabilities report notes, much of the surge in the “take” follows from relatively low-impact if high volume adware infection schemes, in which zero-day attacks collect zombie systems sometimes in the hundreds of thousands for mis-use.

As most who use it know, a chief culprit in this area continues to be the extremely vulnerable Internet Explorer web surfing tool. IE is so porous, especially where adware infection is concerned, that Microsoft began issuing “cumulative security updates” (or, “patches in batches”) last year on a near-quarterly basis.

Cybercrime Surge
 

Beyond IE, the surge in cyber crime has tended to occur in middleware-type apps or utilities such as file processing software (Windows Metafile); or in the numerous media players that are increasingly implemented with only a perfunctory nod at security issues (Windows, Apple, RealPlayer, etc.); or at weak spots in DBMS systems from the likes of Oracle and Veritas, warehouses, backup repositories and through what SANS calls “SQL injection attacks,” by which crackers raid internal data systems while ostensibly entering innocuous information to front-end forms.

This year’s SANS Top 20 even cited a surge in attacks on Microsoft Office files, particularly Excel, and when we talk about “applications” MS Office is probably the one that comes more readily to mind than any other. For many government users, Office is the app that matters most. The more vulnerable it is, the more vulnerable the entirety of a business operation might be.

Some of the problems associated with applications defy software and follow from poorly protected endpoints in ever-expanding enterprise architectures. In many organizations, endpoints have proliferated at a rate no CISO was prepared for. There are just more remote operations, uplink and downlink tools, media players, PDAs, shared printers, WLANs, VoIP devices, dedicated handheld systems, SCADA links and other devices operating as file sharing, data capture, field reporting or other task-specific platforms—more of all of this than often shows up in anyone’s FISMA inventory. And, increasingly, it only takes one vulnerable pcAnywhere to compromise an entire enterprise system or network, if not all the way back to the Big Iron then all the way back to the enterprise databases.

Central Problems for Government
 

For the federal government specifically as well as the broader IT community worldwide, two central problems are implied in the latest vulnerabilities list. As SANS experts addressed it earlier this year, apps are porous because those who write them are rarely skilled in security to begin with, though in fact many programmers have a disincentive to “clutter” or slow their systems’ rush to the marketplace with security features even when they know what they are or how to use them.

Secondly, current compliance regimes and especially FISMA are not structured around “code review,” a process in which the security posture of applications can be checked. For the average agency we are talking about hundreds of applications from scores of vendors and spanning different languages and generations of software. At the highest levels of classification you might find budgets that accommodate such tough reviews. Or, perhaps not even at the highest levels.

As bad as things sometimes look in the area of IT security, the fact is that as FISMA exerted tougher compliances in the period post-9/11 to today, the vulnerabilities at system level have been reduced and the number of attacks on servers has declined accordingly. Contemporaneous with that effort at the user end, the industry was encouraged to work out, via consensus with its customers, new methods for toggling its baseline configurations to meet minimum security levels.

This effort, as coordinated by the Center for Internet Security (CIS), created benchmarks for the major OSes like Windows, Linux, Solaris, Mac OS X, HP-UX, and others. During the last two years, CIS has waded into the turbulent waters in which both network devices (or, endpoints) and applications sprout like unprotected lilies in the pond. CIS has produced three finished or fledgling benchmark standards for endpoint-related systems and similar benchmarks or planned benchmarks for seven specific applications areas.

CIS Process
 

SANS experts like Alan Paller, the group’s research director, and security-conscious officials at NSA and NIST alike, tout the CIS process in which security benchmarks are hammered out by consensus as being, if anything, a force as important as FISMA in the creation of real security for government IT. But the question needs to be raised as to just how invested government and industry are in the CIS process, especially as it relates to applications.

To date, CIS might be thought of as a plucky effort that took a good idea and established a good process for improving things in the gray area between providers of IT and users of IT. If nothing else, the CIS process proved that if you just better assure security on the day of implementation you can improve it markedly across the years of operational use that follow—at least as it is measured in total.

When measured against the work it has done in the OS area, the fact that CIS has made any headway in seven different applications tools is fairly impressive. But when measured against the number of apps tools with internal processes susceptible to corruption, well, CIS has not really even begun. That gray area between providers and users, where apps are the issue, is mammoth.

To cover so broad an area of IT endeavor with better baseline security, everyone involved in IT will have to invest more heavily in the CIS process or something like it. And that process will have to be driven by an entity with real marketplace clout, not just a plucky group with a good idea.

Paller often points to the Air Force writing CIS-generated standards and other benchmarks into a software RFP as a model. But in government and in the IT realm particularly, sometimes the model is just the latest anomaly. It’s nice someone is doing it as long as it’s not me—or so might go the refrain where bureaucracy is entrenched and budgets are stressed.

In bureaucratic Washington no fortification is as well defended as the status quo. But on the matter of vulnerability in applications and endpoints, the “as-is” state looks increasingly like a losing proposition in an arms-race with increasingly better organized black-hats driven by a significant profit motive, either in pure dollars or strategic information.

You might simply ask yourself this: in the two-year period in which CIS got the ball rolling in seven apps areas, how many apps themselves were subject to new and successful attacks by hackers, crackers, script kiddies, identity thieves, spoofers, spammers and spyware proliferators? In the same period, hasn’t there been at least seven significant upgrades in nefarious keystroke logging processes alone?

In short, ask yourself: who is winning?

Not Ready for Pandemic Flu

OPINION: RICHARD WHITE

Author of “The Department of Homeland Security”

Following the Katrina debacle, the Department of Homeland Security launched an analysis of the nation’s preparedness for future catastrophes and found “significant national concern” in its June 2006 report.  Probably nowhere is this more evident than the nation’s unreadiness to face pandemic flu.       

The November 2005 Pandemic Flu Plan -- from the Department of Health and Human Services clinically captured the magnitude of the disaster waiting to happen.

The current pandemic threat stems from an unprecedented outbreak of avian influenza in Asia, Europe, and Africa caused by the H5N1 strain of the Influenza A virus.   Although the virus has not yet shown an ability to transmit efficiently between humans, there is concern that it will acquire this capability through genetic mutation or exchange of genetic material that could lead to a human influenza pandemic.  Each of the three previous pandemics in 1918, 1958, and 1968 were preceded by similar animal influenza activity.  Depending on the severity of the virus, HHS estimates anywhere from 200 thousand to 2 million people could die in the United States.

The optimal way to control the spread of a pandemic and reduce its associated sickness and death is through vaccines.  Vaccines stimulate the immune system to recognize and destroy infected cells, halting disease in its tracks.  Pre-pandemic vaccines produced from the current avian form of the H5N1 virus may have limited effect against the human mutated form once it emerges.  Effective Pandemic vaccines can only be produced after the virus mutates, after the pandemic breaks.  The May 2006 National Strategy for Pandemic Influenza Implementation Plan set a goal of producing enough pandemic vaccine for the “entire domestic population within 6 months of a pandemic declaration”. 

Assuming production can be expanded to meet this admittedly lofty goal, there will be at least six months when the U.S. population remains vulnerable.  To prevent the U.S. medical system from being overwhelmed, HHS is stockpiling a supply of pre-pandemic vaccines and anti-viral medications to blunt the initial onset of the disease.  HHS is stockpiling enough countermeasures to treat 95 million citizens, or about one-third of the U.S. population.  The National Institutes of Health chartered the National Vaccine Advisory Committee and Advisory Committee on Immunization Practices to prioritize who should receive these initial treatments.  They submitted their recommendations July 19, 2005 identifying treatment groups predicated on the primary goal of decreasing sickness and death.  Minimizing societal and economic impacts were considered secondary and tertiary goals.

In the absence of an effective vaccine to inoculate everybody, the HHS Pandemic Influenza Plan addresses containment strategies to delay the spread of pandemic flu.  They note that individual containment and isolation may only work in the initial stages of outbreak.  The problem is people may catch and spread the flu two days before they show symptoms and realize they have it.  Community containment strategies, including “voluntary snow days” and quarantine will be difficult if not impossible to impose, and may only slow but will not stop the spread of the disease.

The HHS Pandemic Influenza Plan succinctly summarizes the unique threat posed by pandemic flu by saying “An influenza pandemic may emerge with little warning, affecting a large number of people within a short space of time.  During the first wave of the pandemic, outbreaks may occur simultaneously in many locations throughout the nation, preventing a targeted concentration of national emergency resources in one or two places – and requiring each locality to depend in large measure on its own resources to respond.” 

If, as the 2006 Nationwide Plan Review indicates, the United States is not ready for the next Katrina-like hurricane, a fairly localized, largely predictable disaster, there’s no way we’re ready for pandemic flu.

The Tech Budget: When “Never Enough” is “Too Much”

OPINION: ROBERT M. GREEN, SENIOR EDITOR

Among the accomplishments of his presidency in the first term, Bill Clinton would often cite this one: that he had put 100,000 new police officers on the streets of America’s cities and towns.

It was a stump citation, repeated wherever he went, and it eventually drew fire from Republicans and critics. At most, they said, Clinton’s program had put 60,000 new cops on the street. Probably, it was closer to 40,000.

Who was correct?

Strictly speaking, the critics were. Functionally speaking, Clinton was.

How was this possible?

Because the Clinton era federal program allocated the equivalent amount of money for 100,000 new cops. But as administered by the Justice department, the program left some discretion to police departments (PDs) as to how to spend the money most effectively.

Which is another way of saying: a lot of money ended up going to technology implementations and upgrades that, in many cases, covered shortfalls in manpower.

No matter who you are, you know what some of those technologies are if you have ever seen a traffic camera or watched a remote video feed from a squad car re-played on TV news. Some things you might not have seen are advanced tactical cellular/radio networks, quicker remote access to criminal records and databases between the field and headquarters, automated dispatch systems, command, control and analysis systems, even such things as Kevlar vests, lipstick cameras, bomb detectors, and even some remote controlled surveillance systems.

PDs use a lot of “stuff” and much of it, at least hypothetically, exerts a reduced requirement on “force.” In military parlance, when a technology supplements manpower (or replaces it altogether) it is termed a “force multiplier” for this very reason.

But do you suppose Bill Clinton would have explained any or all of this in place of his well-worn “100,000 new cops on the streets” citation?

Technology is obtuse stuff, as likely to irritate listeners as it is put them to sleep. By comparison, in politics, only the snappy explanations that fit on bumper stickers have worth. Fathom a program that in reality toggled between the addition of human resources and the implementation of cold technology… Well, you don’t get to be Bill Clinton by choosing to emphasize the dull machine when people can be cited as the accomplishment.

In fact, this essential dispute between human worth and technology acumen probably arose a moment after the first machine was ever built, and certainly arose a moment after the first computer came into an institution somewhere. During its pre-PC infancy the very word “computer” was synonymous with discussions about “human obsolescence.” After all, the first truly famous computer was the HAL 9000, which decided to kill the entire crew of a fictional space ship because it deemed itself better able to complete the mission.

Like moviemakers, politicians know that technology can be made a villain even as they rely upon it themselves either strategically or tactically. This gets very twisted if one focuses on the high-profile case of Al Gore, who gained infamous attention for the cheeky claim in 2000 of inventing the Internet.

The invention of the Internet is generally credited to the invention of its forerunner, the R&D level ARPANET system developed by the Defense Advanced Research Projects Agency (DARPA). Scroll through Al Gore’s record in the Senate and you’ll more likely find that Gore was counted among those seeking to abolish DARPA, limit its budget or alter its purpose at various milestones in which the Internet grew from a drawing table device to prominent use.

Nonetheless, Gore made his “inventor” claim in 2000. But then came 2004 and a new take on technology from Gore—the allegation that computer searches for terrorists in systems operated by the Homeland Security department and various intelligence and law enforcement agencies were being conducted by a new generation of what he called “digital brown shirts.” There you have it. America had taken his invention and become a high-tech Nazi state (even if many staffing the terminals at DHS, FBI and in PDs were otherwise registered Democrats who had voted for Gore in 2000).

Agenda-driven hysteria about warrant-less wiretapping, data mining, and other tech-based counter-terror methods employed since Sept. 11 trades on the ease with which technology can be vilified for political purposes on a case-by-case basis. Just the word “Privacy!” shouted at the correct tenor and tone can rally a new round of front- and editorial page frets, even in cases where no one has actually been brought forward as a victim. Will the PC or database become the gun of recent sloganeering lore? Maybe the “digital brown shirts” should pre-empt the debate with their own bumper sticker defense: “Computers don’t kill people, guns do.”

Digital technology is so cold and so void of moving parts that those who advocate it as easily assault it. Not everyone can be as zany as about computers as Gore but Michael Bloomberg, the mayor of New York, came close this summer during testimony before the House Homeland Security Committee. Bloomberg was there arguing that DHS short-changed NYC when reducing its grant total by about $83 million in this year’s budget.

He was joined by his own police chief and the mayor and police chief of Washington, D.C., who also said they were under funded in this year’s DHS grant.

As a general matter, the role of the federal Homeland Security department in state, municipal and local PD matters has been to encourage and fund new counter-terrorism technologies through a set of grants programs.

Both the District (as part of the broader National Capital Region) and NYC have exploited these programs since DHS launched the program in 2003 to the tune of  millions of dollars in new tech that ranges from the use of network and site-specific electronic sensors for WMD, new intelligence and analysis systems, data mining and surveillance, an opening of communication channels to other agencies, training in new technical and professional disciplines, and enterprise level re-designs of post-event “first responder” and emergency response public safety organizations and systems.

Make no mistake about it: the two high-risk regions have spent enormously in these areas since the immediate aftermath of September 11, and DHS (meaning federal taxpayers) has funded some of it.

Just as solutions to public problems sometimes can be toggled from people to technology, elected officials also toggle between discordant positions. As “policy leaders” of jurisdictions, at budget time, such leaders as the mayors of New York and the District have a compelling reason to decry all that has not yet been done because it has not yet been funded. “We are not as secure as we should be!” or so goes the refrain as state-and-locals beg for more at the federal trough.

But at re-election time, the same leaders will tout all the improvements in security they have made during their term of office. “We are more secure than ever!”

In politics and bureaucracy, there is no such thing as “enough money” though there can sometimes be too much technology. At one end of the spectrum, the assault on searches of phone logs is a digital bogeyman that must be wrestled to submission—by people (or, at least, lawyers). At the other end, the sacrifice of human intelligence (HUMINT or “boots on the ground”) to excessive reliance on satellite surveillance or other “stand-off” technologies are often cited as a pre-9/11 flaw in America’s counter-terror portfolio.

Because it is people who vote, it is easy for a politician to argue that people are better than computers, sensors or monitors. The flip argument is that such things as software-driven queries are so thorough at collecting data that they simply eliminate any of the discretionary decisions needed to guarantee civil liberties. Computers, then, either don’t work or work too well.

As it provides grants to states and localities, DHS operates a counter-terrorism formula that seeks to assess a jurisdiction’s grant request and tech plan with factors including population density, preponderance of critical targets within it (iconic locations, utilities, possibly fragile economic systems, etc.), its vulnerability/threat quotient and other issues including how much or little it has been spent to date on security. All of this is done to the purpose of determining where tech dollars should go.

Facing possible cuts this year ranging up to 40 percent as measured against last year’s federal outlay to NYC Mayor Michael Bloomberg essentially cast aspersion on the entirety of the program when he called the tech spending a “bias.”

“Crime solving is not about using the technology you see on TV shows like ‘CSI’” he said. Instead, he told the House Homeland Security Committee, it is about the “good old-fashioned boots on the ground” that “have protected New York City.”

Simply conceding the truth of Bloomberg’s assertion at a policy level, NYC could re-deploy or sell off the tech-intensive counter terror center it has built and operated since 9/11, and raise a lot more than the $83 million DHS was proposing to cut from NYC’s grant this year.

It is only in a year where NYC and the District are not going to get many tech dollars that the “bias” is noted. In fact, DHS really should not concern itself with how a municipality is going to spend its money but merely shower it upon them if they are more at risk of a terrorist attack  than the others—or so has gone Bloomberg’s refrain this year.

But this has, in fact, been the case at least where the regional part of the formula is concerned. NYC and the National Capital Region have consumed about one-third the entire DHS program since 9/11—but of course it could not ever be “enough” no matter how much it was.

Police chiefs in the District and NYC have said they would use extra money to cover such matters as overtime and all the backup required whenever a terror alert creates gaps in routine, daily law enforcement. One presumes that DHS reviewers might be intrigued by a grant application that seeks to develop technologies providing interim support when, for instance, there is a threat of a chemical attack on the subway in either city. But this year, the two cities basically blew off the idea that a program calling for tech-based solutions is worth it at all. They just want to buy boots and hire more men and women to wear them.

Moreover, Bloomberg fell back on classic New York provincialism to bolster his case for open-ended federal dollars, saying that “all Americans would feel it if New York were attacked again.” Whereas, one imagines, only one of three Americans would stress if a nuclear waste plant in Utah was raided by terrorists, or a dirty bomb went off in Chicago.

This is politicking. Get the tech dollars when you can get them, and when you can’t, well, argue that the dollars should still be yours because you are more at risk. If necessary, disparage the tech “bias,” even though it was that same bias that resulted in NYC and National Capital spending more money on counter terror systems than any other regions in the nation. In fact, most who have examined it believe the NYC counter terror center is only rivaled for robustness and efficiency by a similar set-up in Jerusalem operated by the Israelis, who more or less invented these things. This puts the 2006 version of Bloomberg in the strange position of, by default, dismissing as meaningless the very asset his city has otherwise been praised for having built. Would “hypocrisy” be in the dictionary if not for politics and politicians?

The longstanding dispute between “people power” and “technical power” never goes fully away and is always available to be finessed by politicians. The Homeland Security department was formed in the aftermath of the Sept. 11 terror attacks. While one might argue about its general worth as an umbrella atop the 22 mainly law enforcement- and public safety-related agencies it encompasses, one can also says this: it was never established as an open conduit for paying the overtime costs of local police.

In fact, mayors such as Bloomberg and the District’s Anthony Williams write these costs into the budget requests they make to their own city councils. Asking the feds to pay it too seems to be tantamount to putting a toll booth at both the entrance and exit to the ultimate bureaucratic tunnel—where you pay to use it and pay again to stop using it.

CALM (CHANGE, ADAPTATION, LEARNING MODEL)

A NEW SOLUTION

CALM (Change, Adaptation, Learning Model) solution helps organizations plan, validate, and execute strategies for organizational changes such as mergers, redesigning business processes, or introducing new enterprise software systems.

CALM defines a methodology and supporting software system and enables you to practice and compare alternate change strategies.

CALM was co-developed by Dr. Richard Adler, President of DecisionPath and Dr. David Koehn, President of D.J. Koehn Consulting Services.  Dr. Koehn has over thirty years of experience in education, organizational development, psychology, leadership, and change management. CALM is marketed through partners, who learn and get certified to use the CALM methodology and software.

A Typical Organizational Problem: Conventional Change Management Is Costly and Ineffective

Most organizations understand that such transformations upset the status quo, causing employee uncertainty, fear, resistance, reduced focus and performance. They spend $50 billion annually on Change Management (CM) consulting to try to forestall these disruptions by improving communications, modifying compensation or workforce structures, and so on. Unfortunately, over 70% report that their change management efforts fail.

These dismal results trace back to low levels of employee trust and other chronic work environment issues. Conventional CM methods focus tactically, on a specific imminent change. They also employ the same kinds of mechanical techniques used to manage projects such as new product development or systems integration. However, organizations face change on a continual basis, and helping people cope with major work changes involves more than allocating resources and careful scheduling.

A Different Tpe of Problem: Counter-Terrorism Is More Than a Numbers Exercise

Conventional decision support tools lack the horsepower required to address these needs effectively. Spreadsheets and other simulators excel at manipulating numerical data, projecting quantitative trends, and the like. However, they fall short in modeling and reasoning about qualitative factors and interactions; uncertain and rapidly changing information; and disruptive events. Capturing and leveraging expert knowledge about terrorist behavior patterns and domestic vulnerabilities is problematic. Disaster exercises are valuable learning tools, but they are difficult and costly to conduct, so they are staged infrequently.

The CALM Solution Approach: Practice Change Strategies and Measure Readiness Results

In contrast, we view readiness to change as a persistent strategic issue that requires a deep "organic" understanding of organizational dynamics and cognitive psychology to address effectively. CALM stands for Change, Adaptation, Learning Model. CALM defines a methodology and supporting software system that enable you to:

• Estimate your organization's initial readiness to respond to change

• Identify a target readiness state likely to ensure a successful transformation

• Simulate progress from the initial state towards that goal state under different scenarios about future conditions and alternate change strategies

CALM enables you to practice and compare alternate change strategies. These dry runs enable you to identify gaps in your plan and learn from errors at minimal cost: Mistakes in CALM exercises are virtual: you cause no actual blood, sweat, tears, or failures. Once you uncover these problems, you can refine your change strategies to improve their likely effectiveness.

Track Execution Results and Adapt if Necessary

Once you develop a robust change strategy, you must still execute it successfully. CALM was designed to operate not only at the point of decision but throughout the execution "lifecycle", enabling a sense and respond approach. This is critical because while you execute your transformation and change strategy, your environment invariably continues to evolve, and your stakeholders respond and adapt to those changes and to your strategy. In execution monitoring mode, CALM acts as an Early Warning System, helping you to detect problems promptly, diagnose them, and make effective mid-course corrections to ensure success.

Model Quickly and Easily with Pre-Made Building Blocks

CALM provides a library of pre-defined components for building scenarios quickly. You populate these templates to describe your organization and its readiness levels, pending transformations, environmental forces and anticipated events, and your proposed change initiatives. CALM helps you assess "infrastructure" readiness factors, such as business performance, processes, and technical capabilities. It also provides metrics for estimating readiness to change at organizational and individual levels, such as cultural alignment and teaming, employee self-confidence, emotional intelligence, and adaptability. The CALM library includes change initiatives such as improving communications, modifying compensation programs, and recruiting and training "change agents". Forces include internal and external factors such as economic conditions, new regulations, and leadership.

Uniquely Realistic Models Backed by Change Experts

CALM exploits "new science" theories such as system dynamics and adaptive agents to model how social and psychological readiness metrics change over time. These dynamics are pre-defined within CALM force and change initiative library elements, but can be easily adapted to fit your specific situation.

For more information visit: