March 9, 2007 • Volume 5 • Number 2
FEDERAL EXECUTIVE FORUM SPECIAL ISSUE CYBER SECURITY Presented by
FEDERAL EXECUTIVE FORUM
CYBER SECURITY

MODERATOR/HOST
Jim Flyzik, The Flyzik Group
PANELISTS
· Patti Titus, Chief Information Security Officer, TSA
· Dennis Heretick, Chief Information Security Officer, Department of Justice
· Dr. Ron Ross, Chief Computer Scientist, NIST
· Phil Heneghan, CIO, USAID
· John McCumber, Strategic Program Manager, Public Sector Group, Symantec Corporation
· Tim Kelleher, Vice President, Enterprise Security Services, Federal Systems, Unisys Corporation
CYBER SECURITY FORUM TRANSCRIPT
JIM FLYZIK, THE FLYZIK GROUP
We are coming to you from the University of Maryland, University College Cyber Security Conference. Today we will discuss critical issues facing government and industry leaders in the field of information technology security. With me today on the show are (list of panelists).
Let’s get right into the issues and first level set the audience by having each of our panelists talk a little bit about your role in cyber and information systems security. Just go right down the table and start with Dr. Ross. Can you give us an idea of what your roles are?
DR. RON ROSS, NIST
Good afternoon Jim. My role at NIST is to lead the FISMA implementation project; that’s the group that develops all of the implementing security standards and guidelines that the Federal government needs to employ to be FISMA compliant.
JIM FLYZIK, THE FLYZIK GROUP
Dennis Heretick, over at Justice. I know that Justice has done a lot in the area of cyber security. Can you tell us your roles there Dennis and your responsibilities?
DENNIS HERETICK, JUSTICE
Sure Jim. I’m the Deputy CIO for Information Security at Justice and as such I’m responsible for our agency wide IT security program. That includes requirements for risk negation, as well as implementation strategies and our performance.
JIM FLYZIK, THE FLYZIK GROUP
Having worked on law enforcement in the past I know how critical some of those issues are. Tim Kelleher at Unisys Corporation, give us a sense of what your roles are there Tim?
TIM KELLEHER, UNISYS
Thanks Jim. As you said I am the Vice President of Enterprise Security at Unisys and that’s a fairly large group of people who support the Federal government agencies and it’s a pretty full spectrum operation; everything from consulting to systems integration to full service support capability for government agencies.
JIM FLYZIK, THE FLYZIK GROUP
Great. I know a lot of industry, a lot of companies are putting more emphasis into that cyber security area as a field that you need to grow. Patti Titus over at TSA where I’m sure there are a lot of unique challenges being a relatively new agency in town. Patti, can you give us an idea of your role at TSA?
PATTI TITUS, TSA
Sure. At Transportation Security Administration I was charged in the early days with standing up and developing an IT security office. We had the absolute pleasure of designing that based on the NIST standards so we are probably one of the few organizations that are solely based on NIST because we are such a new organization. Part of the role of the CISO is also looking at the transportation sector so we are starting to branch off into that area, taking what we have learned within TSA and moving that into the sector itself, so we are looking forward to that challenge as we grow and mature further.
JIM FLYZIK, THE FLYZIK GROUP
Quite a challenge, to not only deal with the subject matter but to do it in a start up environment where you have to, you mentioned that you started from scratch, so we appreciate everything you are doing over there.
Phil Heneghan, who is a CISO but also an acting CIO, a little later in the show we’ll come back and talk about CIO roles versus security officer roles, but Phil perhaps you could give us some idea of how you are working now at USAID.
PHIL HENEGHAN, USAID
My role there as the Chief Information Security Officer also includes the role of Chief Privacy Officer, obviously the two are greatly connected. And we are a small enough agency that it’s all in one place. On the other hand we are a world wide organization with offices in 80 countries around the world, so the security challenge is pretty unique.
JIM FLYZIK, THE FLYZIK GROUP
Sure, I bet in terms of looking at world wide standards and differences in what is going on in this country versus other parts of the world. John McCumber at Symantec, I guess when we all think about security companies; Symantec is one that comes to mind. I know Symantec has expanded quite a bit over the years also, but could you give us an overview of your role there at Symantec?
JOHN MCCUMBER, SYMANTEC
Certainly Jim and I hope you do think of Symantec when you think of security. One of the challenges and one of my key responsibilities is ensuring that Symantec’s solutions and services are able to address the needs of our Federal government.
We want to make sure that Symantec’s technology and their services as well as our ability to bring in information across the internet are targeted to help our government agencies be able to protect their infrastructure, their information and their interactions.
JIM FLYZIK, THE FLYZIK GROUP
Terrific. Let’s get into some of the key issues that you are dealing with, some of the priorities. We’ll first talk priorities and then talk some challenges. Let’s start with Tim Kelleher at Unisys. Tim, what do you think are some of the major priorities right now that you are addressing in your day to day work?
TIM KELLEHER, UNISYS
Well, like most companies we are always looking at what our customers’ needs are and where we need to align our capabilities and our services to meet our customers’ needs.
Right now, I see two or three primary areas in which we are seeing a demand for help at this point in time. First is the whole identity and access management arena. Protecting data and making sure that only the right people have access to data, and of course all government agencies are under the gun a bit in terms of meeting the HSPD-12 imperative so we are kind of gearing up to support that goal as well.
The second area that we are seeing a lot of need for support is around the whole FISMA need for certification and accreditation of systems. There are a lot of systems obviously in any enterprise and certainly the Federal government is not short on quantities of systems out there, and it’s a pretty robust process that everybody’s obligated to go through to certify these systems and it takes a lot of help from a lot of the private industry people like Unisys as well, who has actually supported in the last couple of years just under three hundred engagements of supporting Federal agencies to get those certifications completed.
And the final is one that I mentioned earlier is around the whole notion of managed services. Managing security is a difficult thing, it is getting more and more complex every year and it costs a fair amount of money to buy the tools and get the equipment to really manage that environment so many people are now turning more towards private industry to help with that, and that is that whole area of managed security services.
JIM FLYZIK, THE FLYZIK GROUP
Great. FISMA’s come up a couple of times already, it makes me jump back to Dr. Ross, and I know NIST does a lot of work with FISMA and standards for FISMA and so forth. What are the priorities that you face Dr. Ross today? What are some of your key priorities?
DR. RON ROSS, NIST
Well the biggest priorities for NIST are to deal with getting all the basic standards and guidance documents out and completed. We’ve been working since, the legislation was passed in 2002, signed by the president in 2003, and we’ve been working for about three and a half to four years now to develop a whole series of standards and guidelines and those standards and guidelines are implemented within what we call a risk management framework and so we are trying to get all the basic pieces in place. Then once we have that we’ll go into our FISMA phase two which is going to deal with credentialing organizations that will want to offer security services to our Federal agencies.
JIM FLYZIK, THE FLYZIK GROUP
Patti, over at TSA, priorities you are facing day to day as you stop by the office and hear about the, I guess the emergency of the day or the priority of the day. What are some of the top things on your list?
PATTI TITUS, TSA
Probably one of the most critical roles is operationalizing FISMA. So FISMA is a set of standards and guidelines but it is taking that and putting it into a full complement of risk management strategies and then being able to take that and assimilate that information and make it digestible to the executive leadership to say these are the critical areas that we need to look at protecting. Categorizing the data, making sure that we have our critical systems identified.
One of the other challenges that we have which has been key to the success, it is a challenge, but it has been key to the success of TSA’s active security program, is we are a fully managed service organization. So our infrastructure is in that managed service environment.
One of the challenges to that as a government employee is the inherently government functions. What is inherently government? So it is building the verified piece of the trust model, and I think that has also been key to building the program and making it successful and we are looking forward as I said earlier, taking that model and methodology out to the private sector and making sure that the great work that we’ve done at TSA can also be replicated to our private industry partners.
JIM FLYZIK, THE FLYZIK GROUP
And you know that managed services issue, hopefully we’ll have some time to revisit that too before we finish. In fact I was reading something about that today that there’s been a lot of movement within GSA in networks and programs and government skill shortages in different areas, and this managed service approach is clearly a trend that will continue into the future, it just needs to get fine tuned and perfected.
TSA is one of the early adopters I guess, a lot of lessons learned in what works and perhaps what doesn’t work so well. Hopefully if people can take off the positive stories and move them forward. John McCumber, I see you nodding your head a couple of times as we talk about this subject and how about priorities from your perspective over at Symantec?
JOHN MCCUMBER, SYMANTEC
Certainly what we see in the Federal government, working with our Federal government customers and partners, are these challenges that you’ve heard discussed already.
We’ve really broken them down into three primary areas. We talk about the challenges with information assurance and cyber security as based on their cost, their complexity, and their compliance and how critical that is. So we are able to try and use technology and leverage a broad product suite to reduce costs for those customers and be able to help them manage the complexity, because security involves change.
The threats in those risk models that Patti talked about are really important because you see evolution of threat, you see new vulnerabilities being disclosed and published all the time and an important critical aspect of these people’s jobs is being able to manage and be on top of these various changes.
And then understand how does this affect my organization and what are the most effective strategies that I can employ to manage the risk based on this evolution?
JIM FLYZIK, THE FLYZIK GROUP
Great. Dennis over at the Department of Justice, you have a lot of law enforcement and some unique security requirements. I spent 18 years in secret service, I know of a number of security issues that are unique in law enforcement environments. I guess you have a lot of challenges. What are some of the big priorities that you are addressing today?
DENNIS HERETICK, JUSTICE
I think you mentioned law enforcement today especially requires sharing information with other agencies, with customs, with a great number of people. So to do our mission, it requires sharing and to do that you have to have a trust relationship. And what that means is you need to know the requirements, the type of requirements that Ron Ross has worked with us to categorize. So the first challenge I have is to be able to look at how can we best implement the type of controls that give us the business data.
So it’s not just about implementing controls but prioritizing those based on our mission. And it’s often characteristic of our business that we do a lot of planning, we do system security planning, we do certification and accreditation, we do testing, evaluation, with a priority on actually implementing security.
So our focus has been to be very effective at the planning and compliance and to do that in a way that gives us the ability to emphasize implementing our mission priorities and getting business value from that.
JIM FLYZIK, THE FLYZIK GROUP
Phil, how about over at USAID, what are some of the priorities that you face today in your CISO role.
PHIL HENEGHAN, USAID
Well, a lot of those priorities we have touched on, but I’ll describe a little bit of the challenge that we have is actually gathering the metrics to give the business executives to make decisions about risk. We’ve adopted the NIST FISMA guidance which actually is all risk based and drives the decisions, the business decisions, away from the technical arena and how can business own this.
So what I’m constantly doing is gathering metrics and I report monthly to about 100 senior executives within the agency and around the world, the CFO, the director of HR, reporting to them about the status of their systems. So that they are constantly informed and they can make decisions. But because the threat is constantly changing, we are constantly gathering new metrics and yet you have to feed it up to the executives in a way that they can digest and make intelligent business decisions so that is the primary challenge.
JIM FLYZIK, THE FLYZIK GROUP
Great. Now before we leave challenges, I had one other question around challenges. Do you think the challenges deal with the technology solutions or are the challenges more cultural issues or are the challenges more management attention, or management concern and resources?
I’m curious to hear from the panel. I know it seems to me that we struggle sometimes with the security in getting the kind of attention we need. Dennis, what do you think? Is it a technology issue or are these other things bigger challenges to overcome?
DENNIS HERETICK, JUSTICE
I have no problem at all getting attention. IT security gets a lot of attention. I think the challenge is to focus that attention on actionable things that clearly support your mission requirements. As soon as you get off doing things just for the sake of requirements, you are going the wrong way. You must relate and channel that attention into effectively supporting the mission of IT security solutions. I think that’s the key.
JIM FLYZIK, THE FLYZIK GROUP
I think it’s tough as I think security people need to sell themselves above, to management, to their peers, to their colleagues, because I think most of the time you are seen as taking their budget so to speak. Dollars going into security may be dollars coming from somewhere else. Phil what do you think about that question?
PHIL HENEGHAN, USAID
Well, we changed the model about four years ago at USAID and the certification and accreditation process was the grading process. The CISO for the CIO certifies all the systems, what that means to everyone is that we can accept all the risks identified to the enterprise, but all the accreditation is done by the business owners.
What I found when we shifted that risk, the resource issues sort of started to go away. Because when the CFO was confronted with accepting these risks, or not, the money appeared to do that. It’s the same with all these other systems. So again you are driving the business people they were ready to bring the money to the table to avoid accepting these risks.
JIM FLYZIK, THE FLYZIK GROUP
I like what you are saying there, you are talking about risk and I think we have learned over time especially approach at senior level the agency has. If you talk about the risk to the organization it is easier to get attention as opposed to talking about intrusion detection devices you need to buy for our network. I think the senior people relate to that term risk. Patti, what do you think? Technology? Culture? Management attention? What are the biggest challenges there?
PATTI TITUS, TSA
I think education is probably one of the critical factors. Being able to articulate what you are trying to do and you’ve stated marketing and I think really one of the key successes for the program has been, I used to be a VP of sales and marketing so I can bring that marketing slant to it and be able to take my knowledge as a subject matter expert and then market it at the different senior levels which has been very helpful.
I also think that having, at TSA we are very fortunate in having Kurt Collier as our Assistant Secretary who actually has a technical background and I think that has also made it very easy for me to approach him on a risk standpoint. So I think he also understands it. He is also very, very forward thinking. Using technology to enable field (sounds like) to do their job better and I think that’s also been another critical factor.
JIM FLYZIK, THE FLYZIK GROUP
That leadership issue is so important. If you can get the agency head behind you, your credibility is instantaneous. I do teach this subject and have done for quite some time and we always end up the semester by talking about the skills you need to be a good chief information security officer. When you think about it, it’s a really broad set of skills.
You need to understand security and security as it relates to specific products perhaps in your organization, but you also have to be a good manager, a good communicator, abilities to write and do presentations, and gain credibility across the organization. So it is quite a challenge.
We are going to delve into talking a little bit about the CIO and the CISO role and how they work together with some of the other security disciplines in just a moment. But first we are going to take a short break.
Break.
JIM FLYZIK, THE FLYZIK GROUP
When we left we were beginning to talk a little bit about that role of the chief information security officer and I know that role has sort of evolved over the years, I know for as long as I’ve been around the subject, we’ve seen the position evolve quite a bit and in most cases being ?? in the organization. It brings up a lot of questions about the primary responsibilities for IT security, physical security, human resources security, and I’m curious to hear from our panelists how those kinds of issues are coordinated within your area or agency. Let’s start with Dr. Ross at NIST. Is there a bridge that somehow works between these various security disciplines?
DR. RON ROSS, NIST
Well I think that if you look at our security guidelines that talk about security controls, we address the breadth and depth of controls to include management, operational, and technical. So you’ve got the personnel security, the physical security and the technical types of security are all rolled in to one control set.
So it really demands that the senior leadership of the organization understand who is responsible for each one of those control areas. And to make sure the controls are actually implemented, assessed for effectiveness, and then you assume whatever risk that actually comes about after you do that process. So it really depends on the leadership at the top to make sure the coordination takes place across the entire spectrum.
JIM FLYZIK, THE FLYZIK GROUP
Dennis, how about at Justice and your role vis-à-vis Van Hitch the CIO, and then you have HR security, physical security roles. Are they somehow coordinated and can you give us an idea of how it works?
DENNIS HERETICK, JUSTICE
Yes and it’s absolutely critical to coordinate them. I’m very fortunate in that because my CIO Van Hitch happens to be the security and privacy liaison for the Federal CIO Council. So we get to take a broad view of security at Justice. The way I look at it is that it’s a little bit like a ham and egg breakfast and you know that Van Hitch is responsible for this.
But the CIO is also responsible for a lot of other areas. And so he very much is involved in IT security and is directly responsible for it, but I feel like it’s my only responsibility so I’m more like the ham here that’s committed to IT security at Justice. And the involvement that Ron alluded to, there are other disciplines besides IT that seeks to secure information in Justice. For instance we have the security and emergency planning staff that is not part of the CIO organization, is more physical and personnel security.
And there are families of controls that NIST has in the FIPS 200 and 800-53 families of controls that address those areas and so integrating with those is very much of a defense in depth, as they used to say in the Department of Defense. Your priorities can’t just be some priorities; you have to have priorities in each one of those areas. You can’t do everything all at one time, but you need to look across a broad spectrum or everything you are not looking at will be the way that you fail.
JIM FLYZIK, THE FLYZIK GROUP
Great. So it’s ultimately Van’s responsibility but when I was a CIO I would tell my CISO your job is to make sure you make me look good and I don’t get in trouble. Make sure I’m doing everything I’m supposed to be doing in this particular area.
Tim, how about you at Unisys when you have worked with agencies or Unisys works with a customer or a client, do you get some ideas of how the coordination happens between IT security, physical security, HR security?
TIM KELLEHER, UNISYS
I think there are a lot of legacy systems and legacy requirements out there where those things probably don’t come together easily and it’s more coordination amongst the people who own those disciplines, but I think the good news is that we do have HSPD-12 here in the Federal government which is the mandate to ultimately get to the biometric credentials, even though we are probably not going to use the biometric part of it immediately; those cards are basically produced by incorporating a direct feed from an HR system into an ID management system which then talks directly to a physical access system.
So I think we have the right path here, we just have to get on with executing it. First stage is to get the cards out there. With that we get the electronic activity that we need so we will be mechanized at that time. That will automatically update as the HR systems are updated. I think the challenge after that is that they will probably deploy basically a card and a PIN to begin with so we are not going to be leveraging a biometric card. That will be the next stage when we truly leverage the biometric card.
JIM FLYZIK, THE FLYZIK GROUP
Sure. Patti Titus, you’ve had some unique issues because you’ve got TSA, TSA being also a component of DHS, I guess this is a two part question, you’ve got coordination within the transportation security administration and then I guess coordination with DHS and your department wide perspectives. Could you say a few words about that and how that coordination happens?
PATTI TITUS, TSA
Sure. I’d like to say that I have lots of people that I report to. So there is the departmental CISO Bob West, I do take direction from him so I am actually an information system security manager for the department. And then I’m the CISO for TSA, reporting to the deputy CIO. We are very fortunate, we have a new CIO, Mike Golden came to us from Southwest Air, and he’s actually dual hatted as the CIO/CTO. So he’s coming up to speed on all these acronyms which we told him that there’s a book, it’s about 800 pages, but he should only focus on the security ones. But he is actually coming up to speed. We are trying to spoon feed him a little bit at a time. Security can be a little overwhelming but sometimes my passion for the discipline has a tendency to overtake my ability to keep it in layman’s terms, so I think we have a really excellent working relationship. We have also put into place a memorandum of understanding with our chief security office so our CSO has the physical and the personnel security side of it.
And to make sure that we don’t cross each other’s boundaries, we try to define our roles and responsibilities so that we coordinate, which makes us much more efficient and it also makes us much more nimble. Of course we also coordinate both directions either up or down through the executive offices on an as needed basis. So I think that there’s a very strong relationship between the CISO and the CIO obviously at this point working through the deputy CIO.
JIM FLYZIK, THE FLYZIK GROUP
Great. Good to hear. I know that coordination is really important. I used to tell those folks who worked with me that if we can hire good people, and do the proper screening up front before people come to work; you reduce the amount of insider threats by a tremendous amount. It’s so important that that HR security function work in conjunction with the IT security function. Phil, how about over at USAID, how does all of this work?
PHIL HENEGHAN, USAID
A lot of coordination. Again since we are located around the world in a lot of different countries, Iraq, Afghanistan, the physical security side as well as the personnel security up front, we have some pretty clear standards and metrics. We have in fact used the NIST guidance for operational and managerial controls. And that is the criteria that our office of security uses and any deviations from that are actually dealt with at a fairly senior level in the agency which hires the CISOs.
So when there are going to be deviations and let’s face it, given what’s going on around the world we do have to deviate from standards frequently, but again it’s a lot of coordination so that we are all in tune.
JIM FLYZIK, THE FLYZIK GROUP
John, from Symantec I guess looking in to your customers, in to the agencies, I guess you’ve seen a variety of ways that agencies are trying to coordinate this, but what is your approach, how do you go about trying to address some of these coordination issues amongst all the facets of security that exist in an organization?
JOHN MCCUMBER, SYMANTEC
That’s a really important question for right now. In fact I’m going to take a little different tack and put on my hat as a member of the faculty of the George Washington University, where I was privileged to help develop and now teach a course that bridges physical, personnel, and information security. One of the challenges we found developing that course is that there are some basic changes and differences in the underlying models.
Physical security has been around since the dawn of mankind when we were blocking the cave door to keep that thing with the big sharp teeth from walking in. And then what we wanted to do is that we take that physical representation in managing that physical environment to manage security.
In personnel, we have what we call the trust model underlies that. I had first hand experience with that before I took my position at the National Security Agency when they did a very intrusive polygraph into my life and we call that the speed dating approach to understanding trust and how to ascribe trust to people. And then for many years, information security, Dr. Ross and I had experience with that in our previous lives as we had to chase that down from an access control model.
Now that’s evolved and we have new thought leaders in this like Phil here who talked about changing that evolving from an access control to more of a risk model that talks to those business related issues. That’s the challenge these leaders are facing now and helping them have those tools to be able to address those becomes important both from a policy as well as a technical aspect.
JIM FLYZIK, THE FLYZIK GROUP
Yes, I like this; I hear it over and over again, this risk management in talking about risk. It does change the discussion quite a bit when you go that way. And I do think in this coordination number, actually we all have experience at a time in my life when actually I was Assistant Secretary for Management at Treasury, during the change over from Clinton/Gore to Bush/Cheney, we had the incident at the Treasury building at the time where you may have remembered strange odors and smoke and we had to evacuate the place.
We went into the evacuation plan and I asked the question, who is in charge of the physical security in this? And somebody looked at me and said, well you are. And suddenly it dawned on me, to make a long story short, I spent three days in a command post sitting out on Pennsylvania Avenue there and I learned a whole lot about chemical spills and so forth, and it wasn’t a terrorist incident and all that.
Enough about me, let’s get back to the panelists. It seems like we are always trying to catch up on security. After the president gets shot, the secret service gets more money.
After the space shuttle hazard disaster we get more money for NASA. After we destroy the data on our computer we begin backing up the hard drive and taking the back up process more seriously. It seems like we are always trying to catch up but in the world today we need to try to find a way to be more proactive.
Do you think we are getting better at this? Or do you think that 9/11 is now quite a few years away, are we going back to being a little bit complacent? Ron, what do you think?
DR. RON ROSS, NIST
I think we are getting better. I think that over the last couple of years as organizations within the Federal government are now starting to employ these basic security standards and guidelines which really represents a set of very strong controls for these information systems. That is a level of due diligence which I don’t think we’ve had before.
We are just now seeing this standard of due diligence which really relies on a fundamental set of controls that we can count on in every Federal system, with every organization looking at their own risk tolerance and adding additional controls to protect the mission. To me we are making great strides. That fundamental set has never been there before; we are making great strides in that area.
JIM FLYZIK, THE FLYZIK GROUP
I like to think that too. And I like to think that shows like this, are creating awareness that we need to create to try to get the proper resources and attention on some of these subjects. John from Symantec, do you think we are getting more proactive? Do you see your customers coming to you and being more proactive trying to address threats?
JOHN MCCUMBER, SYMANTEC
Absolutely. And not only that, because it’s been a necessity we have to have the ability to look forward and perceive threats because they evolve very rapidly. The latest Internet Security Threat Report that we have just published shows that in the last six months we have discovered 1683 new potential vulnerabilities across the entire spectrum of technology.
When I started in this business, you were able to track this on a yellow legal pad and now that has changed, so the vulnerability list is huge and grows ponderous every month. The challenge is making sure you can target those specific threats, a slightly smaller list, and that allows us to target our resources much more effectively but in order to be able to do that you need knowledge and information of what is taking place in your real time environment and that’s the challenge our agencies and organizations face as they try to address that.
Because the list of threats is smaller than the list of vulnerabilities. And in order to have risk you have to have a threat, vulnerability, as well as an asset. All three have to align. So in order, by disconnecting any one of those you are going to mitigate risk either partially or completely and that is the challenge these Federal leaders face in trying to address that.
JIM FLYZIK, THE FLYZIK GROUP
Terrific. Tim Kelleher at Unisys. Would you share the same kinds of thoughts that we heard from John?
TIM KELLEHER, UNISYS
Yes, I think that we are evolving. We are going from human security as a defensive mechanism and putting up barriers around us to we’ve got to start looking at security as an enabler. And borrowing some thoughts like if you are familiar with the trusted enterprise model where enterprises look at where their risks are.
What is the most important data for the enterprise to protect? Isolate that, don’t try to protect everything because you are going to end up building walls around it and you can’t do that. We’ve got to identify, really look at your enterprise, understand what is my critical data and make sure that you protect that. And you don’t even protect that in a defensive mode, you do that in an enabling mode.
And by doing that we’ll stop putting walls around things. We all need to do commerce through the internet at this point in time. Because the citizenry demands it basically, so if you keep walling it off, it’s going to be a self fulfilling prophecy that you are going to fail here.
So trusted enterprise notion, identify your critical data, make sure you protect it, but you do that in a way by enabling access to it from the right people, which kind of goes back to the identity management notion.
JIM FLYZIK, THE FLYZIK GROUP
And a trusted enterprise model is something that I’ve participated in security we kick around that term in trying to compare security with quality and in the future companies, since we are so interdependent on supply chains and multiple…. I know congress sometime back did a project matrix study where agencies looked at how they depended on outside agencies for their critical mission and at treasury we were, I was surprised.
I was the CIO there realizing that whatever I did at treasury, I am dependent on literally hundreds of other entities in order to meet my critical mission requirements. The people I do business with. Take IRS for example, if the folks that IRS work with, the companies that they work with are not operating correctly, you are not going to get tax data and so forth. And so you quickly realize this idea with identity management and the world we are in today of knowing and trusting your supply chain partners having some way of knowing what is a trusted enterprise.
What kind of controls do they have in place? Let’s continue with this proactive and getting out in front of things, Patti at TSA are you getting out proactively? Do you see yourself as getting out in front of these issues?
PATTI TITUS, TSA
Actually we do Jim. The primary focus on TSA’s rapid standup was protecting the perimeter and I think that we have a tendency to think that if I secure the front gate then I’m good. The Federal government is the largest manufacturer and application developer in the world. We create products, government off the shelf products for use and what we need to do is, now the focus of what we’ve been tasked to do, is to start to focus on those applications.
Looking at vulnerabilities as we start to take these applications and web-enable them and put them out in front of the public and move toward that e-government, e-commerce type of mindset, we are taking applications that weren’t designed for public consumption and we are putting them out in the public face.
So a lot of work has to be done looking at the application code, making sure we are not vulnerable to SQL injections and some of the other nasty types of attempts that can happen. So now we are focusing not just on the perimeter security but looking also at taking newer tools that are out there for application security monitoring and using other tools to start taking a deep dive into those applications, and I think that’s been very helpful at getting us more proactive. It’s also unfortunately showing areas where we are going to have to spend more funding to start web-enabling these applications, so it’s a plus and a negative.
JIM FLYZIK, THE FLYZIK GROUP
Well the good news is your strategy and you are addressing it. Often times in the past we knew about these issues and we just didn’t have the ability to even get them on the table. Now I think we are getting them up on the table and in a lot of cases addressing them. Phil how about at USAID, do you think you’ve got support to be proactive and out in front of these issues before….
PHIL HENEGHAN, USAID
Well I think FISMA itself actually has given us the support we need to do that. And the fact that the Hill has been grading everybody on IT security has put that out in the forefront. And then on top of that the guidance that has come out of NIST, which has been very supportive of those processes and taken them away from a compliance-based model.
I think that when FISMA was first passed, everybody just said we can never do it all. And in fact you can’t do it all unless you really look at things and prioritize in a risk based process. And since NIST has put out good guidance to help us do that. I think those are the things that have actually helped, or have the executive support process. And be ahead of it instead of waiting until, as you said, something bad happens and then getting at the money.
JIM FLYZIK, THE FLYZIK GROUP
Dennis at the department of justice, are you getting proactive, getting out in front of these things more so today than perhaps in the past?
DENNIS HERETICK, JUSTICE
I would say that was something that we’ve had to do in the past as well as today. And I think my colleagues reflect that very well. We’ve had to look broadly at our priorities. We are partnered with a number of Federal agencies. Phil at USAID and Patti and I work together. We have a SWAT team approach at Justice and we have found that is specialists with automated tools.
And we start with our cyber security assessment and management tool which gives us a way to take the threats that we had and look specifically at the controls that mitigate those, the ones that have a direct impact on our mission and prioritize those at the top versus those that don’t have a direct impact.
That gives us a way to take that proactive view of the things that matter the most, what you would call attack-based metrics. That does give you a chance to learn from experience what things that have been successful so that at least you are mitigating those successful attacks first; the things that would have that direct impact on the mission.
So the cyber assessment and management tool gives us the tool so that we can use our specialists to get that done and it gives us the ability not just to look at protecting your enclave, the hardware and software products, but the information itself.
That’s so key to most people’s mission because you just don’t do business within your enclave. There’s remote computing, remote access to data, this is critical for our mission and so we have to take a data centric approach in addition to protecting our hardware and software.
JIM FLYZIK, THE FLYZIK GROUP
Terrific. Thank you very much. You know it’s amazing how little incentives can help in this area too. When I did run the Federal CIO council I was invited to the White House and they were concerned about software patches and they decided that the CIOs would be responsible to get all known patches deployed in their networks and in their computers within 24 hours and the very next day I went to a managed service agreement with one of my contractors and set up a performance based contract requirement and had patches in all my systems within 24 hours.
It was sort of the carrot-and-stick approach a little bit but it is a wake-up call and creates behaviors. Anyway we need to take a break. Then we are going to come back with our panelists and do a wrap-up session on the show, talking a little bit about the future and where we are today and where we are going in the future.
Break.
JIM FLYZIK, THE FLYZIK GROUP
We are talking cyber security and issues impacting the government and industry as we try to make progress in this important, critical area. Now a couple of quick questions for our panelists.
We hear a lot about certification and accreditation and we hear about agencies in a lot of the FISMA grades that are behind and we need to get systems certified and accredited and it takes too long to get them certified and accredited that by the time you get them deployed you are already looking at another generation of technology. I want to quickly go right down the table here, are you seeing progress being made in that C&A process?
JOHN MCCUMBER, SYMANTEC
Certainly, we’ve come a long way with C&A over the past several years. Given the challenges providing the right tools and capabilities so that it’s an automated driven process as opposed to being the old manual where we used to determine whether something was certified and accredited based on the weight of the document. So I think there’s been a lot of technology that’s been able to come on and help those managers do that that allows them to take that risk based approach and make those decisions.
JIM FLYZIK, THE FLYZIK GROUP
Phil?
PHIL HENEGHAN, USAID
At USAID we are 100% accredited, all of our systems are accredited, but I agree we need to automate as much as we can and inherit as many of the controls as possible. For instance if you have a good security awareness program and that then gets inherited to all of your systems and we are actually using the Justice Department tool to help us automate that process and improve our C&A process.
JIM FLYZIK, THE FLYZIK GROUP
Patti, are C&A processes at TSA?
PATTI TITUS, TSA
We actually are at 100% as well. A young organization that’s hard to believe but we achieved that at the end of the fiscal year last year and we are looking forward to continuing that this year, we’ve got almost half of our systems again will need to be either reaccredited or we will move from development into operations. Significant challenge this year.
JIM FLYZIK, THE FLYZIK GROUP
Congratulations on the progress. Tim?
TIM KELLEHER, UNISYS
As I mentioned earlier we have supported almost 300 engagements to help the government agencies to complete this. Some of them are sitting at this table with us here. The other thing that we’ve encountered, John mentioned applying technology. Applying technology is just one technique; we are helping some of our customers by using the notion of, instead of certifying every system as a single entity, they can certify classes of systems which helps expedite getting the process completed. I’ve got to compliment some of my colleagues sitting next to me because I know that in many of their cases they have gone from some low grades to some As and Bs at this point in time.
JIM FLYZIK, THE FLYZIK GROUP
Yes, we see a lot of progress being made in a lot of areas. Dennis?
DENNIS HERETICK, JUSTICE
I think certification and accreditation process of course is key but what we focus on in that is continuous maintenance. Having 100% certification and accreditation was really not our goal; it was something we expected to get done.
What is critical to us is to identify those key controls that have to be constantly monitored and to monitor those and make sure that we are doing our vulnerability scans to configuration security, making sure that our malware protections are always effective and our firewalls and IDSs, and we have a dashboard that reflects constant status on that so it can be managed and monitored.
JIM FLYZIK, THE FLYZIK GROUP
Well said; obviously someone who knows the subject matter and lives it every day. Dr. Ross?
DR. RON ROSS, NIST
I’d like to echo what Dennis just said. I think there’s a misconception that when you get all of your systems certified and accredited that everything’s OK and the next day you have a breach and then you wonder why it happened.
The C&A process is just an orderly and structured process by which you can understand what controls are in place, where your deficiencies are, and it is managing the residual vulnerabilities that remain in every system and being comfortable that the mission is not in jeopardy.
And so that’s the test. You can certify and accredit every system and still get breaches but it’s understanding that risk to your mission that’s really the key point.
JIM FLYZIK, THE FLYZIK GROUP
We’ve got roughly about 10 minutes left in the show and I want to key in, we usually try to end the show with more of a vision kind of discussion and thinking about the future. I want to give you a few opinions. My opinion is that we still remain somewhat reactive, but we are getting better. And I think I’ve heard from many of you who are a bit more proactive.
To date I feel like there’s been a lot of hype around viruses and different types of malicious software and things like phishing attacks. But I would argue, correct me if you disagree, that to date most of our problems have been expensive annoyances. They’ve been costly. They clearly have been costly, and they have been an annoyance.
However when you begin to think perhaps to the future of things like cyber terrorism or sophisticated IT tools in the hands of those trying to harm us, attacks that we’ve seen from other foreign countries that emanate, or viruses that find a way into FAA systems or nuclear reactor sites or whatever.
I’m making things up here but there’s this one school of thought with some books actually predicting that if we remain or if we don’t get more proactive we could be facing the day when the United States could be attacked by a so-called digital Pearl Harbor. I’m curious about how each of you would react to that question. Is it hype? Is it something we need to be concerned about? John at Symantec, what do you think?
JOHN MCCUMBER, SYMANTEC
I’ll be happy to address that. I believe the term digital Pearl Harbor was coined by John Markoff for the New York Times and if memory serves me correctly that was in 1994. I actually kept a copy of that article. What we see transpire, and I really mean the attacks of 9/11, and other kinds of evolution have really put that into perspective I think and it’s really changed our focus as to how information attacks and threats to our information infrastructure have evolved.
One of the other things that you’ll notice is in the last two years you haven’t seen the Washington Post or the New York Times publish a report on a wide-spread malicious code attack. It used to be something you’d see every six months. Now you see that has evolved and that the threat has evolved to become much more targeted. And you see that specifically in the empirical studies that we’ve done.
So part of understanding this is keeping track of that threat as it evolves and moves that way, and then determining and separating that from these terminologies that people use they use these terminologies to build a program or sell newspapers or sell books. Or does it fit within that constellation of the risk model of threat, vulnerability, assets all counterbalanced by the various countermeasures we deploy. And then take a prudent approach in dealing with that.
JIM FLYZIK, THE FLYZIK GROUP
Well said. Phil, what do you think?
PHIL HENEGHAN, USAID
As Dr. Ross just alluded to, there is always a residual risk, so a digital Pearl Harbor can happen and we all have to accept that. How you build your infrastructure and how you manage says how well you can deal with that when it comes, if it comes.
Again, USAID since we are so widely distributed again in 80 countries around the world, it’s sort of easy to lose a part of it and still work. So from my perspective and I realize that I’m looking at this selfishly and not futuristically, I think that we are OK because we can continue to operate if there is a major problem in a single place.
JIM FLYZIK, THE FLYZIK GROUP
Patti?
PATTI TITUS, TSA
I think it’s a reality, I think it’s a very real threat. The residual risk acceptance that we have on a daily basis with our systems with our vulnerability acceptance where you need to get something operational and you have to accept some residual risk with that, I think it is a reality.
It’s there and it is very possible. I think that you need to have very strong contingency testing, you need to have disaster recovery planning, you need to, as you said earlier, identify your critical assets so that you know what you need to reconstitute if that happens.
So I think it’s very possible and I think that as CISOs we would be hard pressed to say otherwise. It’s getting the visibility into the problem and situation and be able to be nimble enough to react. The whole concept of telecommuting is actually helping in that we have a possibility to be able to work remotely, but it also increases the possibility of the threat of that digital Pearl Harbor.
JIM FLYZIK, THE FLYZIK GROUP
Well said. I guess 9/11 has forced us to think the unthinkable. So you can’t just dismiss this stuff any more. Tim, what do you think?
TIM KELLEHER, UNISYS
Well, I’ll admit that in preparing for this I actually did a Google search on digital Pearl Harbor and I got no less than 1.25 million hits. So it’s clearly a juicy topic and as with most juicy topics opinions vary widely out there. From one end of the spectrum, which is it’s not up for discussion, it’s already happened, some would claim the SQL Slammer which knocked out 13,000 Bank of America ATM cards is an example of it.
The MSBlast worm, which is near and dear to Marylanders here, that virus actually shut down the Maryland Department of Motor Vehicles. And there is unsubstantiated speculation that that MSBlast worm actually had a lot to do with the root cause of the 2004 blackout that hit the northeast US and Canada.
And I think something of that scale fits into the category of a digital Pearl Harbor. So that’s one end of the spectrum that says it has already happened. Clearly if that’s true, it can happen again. We do need to be diligent. I think the other side of the equation is the fact that long before cyber security, when security was just security, it’s always been a fact that the worst security threats were from insiders.
So while we speak of cyber security from the chatterers across the pond, I still think it’s also very true today that you’ve got to be watching inside, which is where people have access, know what they are looking for, and can gain access.
JIM FLYZIK, THE FLYZIK GROUP
Good point. Make a visit to the Spy Museum here downtown and hear about all those insider threats. Dennis?
DENNIS HERETICK, JUSTICE
Well Jim we are totally dependent on our IT infrastructure and on the information, so there’s no doubt that it has that impact. And I don’t think there’s, I guess there’s one thing about living a long time and that is you learn a lot and I don’t get up in the morning that I don’t look in the mirror and not want to pick up my cell phone because I don’t want to have to deal with it till I get to work if I don’t know about it already. It’s like a bumper sticker I saw a few weeks ago that said inside every old person is a young person wondering what the hell happened.
And I think each of us in this business worries about coming in to work and wondering what the heck happened. We have put a huge emphasis on incident response and contingency planning. Part of my DOD experience, we run an annual exercise in the Department of Justice, it’s a department-wide exercise and the CIOs participate in that and we go through the steps of escalating an event and working that and I think that’s just critical.
No matter what you do that’s proactive that we talked about that we are so proud of, you know that it takes just one small event to escalate into a very disastrous situation.
JIM FLYZIK, THE FLYZIK GROUP
And that domino effect of the intra-connectivity amongst so many computers these days and systems, that domino effect can quickly take things down faster than one can get in front of it to stop the process. Dr. Ross, what are your thoughts on digital Pearl Harbor?
DR. RON ROSS, NIST
I agree with Tim very strongly. I think that if you look at Pearl Harbor it was an isolated attack that did serious damage but it certainly didn’t bring down the entire country and I think the digital Pearl Harbor analogy has been made to seem like everything would stop working in a few seconds. I think we’ve already experienced these kinds of attacks.
Clearly our Federal agencies are under attack every day from very serious adversaries, very sophisticated tools they are using to try to get into these very critical systems. I think it’s already here. The question is with our current cost (sounds like) technology and our best policies, procedures and practices can we do enough in a defense-in-depth strategy to try to withstand these kinds of attacks. I think we are doing better but we still have a long way to go.
JIM FLYZIK, THE FLYZIK GROUP
Great. Thanks very much. Let me take a couple of summary notes here that I think what we heard from today’s panelists. I think what I heard was the fact that we need to reframe the conversations and talk about risk and risk management and the need for agencies both within their own agency or corporation as well as looking at those who are dependent on the supply chains those you are working with and can you trust those other entities.
I think identity management techniques and things like that come into play as well as RF ID tagging and so forth which are a whole other set of subjects that we can talk about some day.
I also heard, I think, from the panelists a lot of very positive comments about proactivity, trying to push this idea that we’ve got to be more proactive in addressing these cyber security issues and vulnerabilities and identifying and getting out in front. So I think we also heard from the last question that it’s probably not feasible to identify every known vulnerability and threat because as the technology changes so do the vulnerabilities and so do the threats. So in order to be in a position to adjust or react to a major threat we need to be in a situation where we have resilience in place or backup and contingency plans.
With that I want to thank my guests.