4th in a series 
Cybersecurity






Videos 

Cyber Leaders Talk About Cyber Progress 

 
Priscilla Guthrie
ODNI

 
Dave Wennergren
OSD

 
Greg Schaffer
DHS


Videos 

Cyber Leaders Talk About Challenges and Partnerships 

 
Jim Flyzik
The Flyzik Group
 
Dave Wennergren
OSD
 
Greg Schaffer
DHS

Videos 

Cyber Leaders Share Their Cyber Visions 

 
John Bordwine
Symantec

 
Mike Carpenter
McAfee

 
Bob Dix
Juniper Networks

 
Priscilla Guthrie
ODNI

 
Lee Holcomb
Lockheed Martin IT

 
Dave Wennergren
OSD

 
Greg Schaffer
DHS

 

Videos 

Cyber Leaders Speak Out at AFCEA Homeland Security 2010 

 
Van Hitch
DOJ

 
Dave Wennergren
OSD

 
Richard Spires
DHS


Luke McCormack
ICE, DHS

Charlie Armstrong

CBP, DHS

Steve Chabinsky
FBI
 


Inside Cybersecurity


Welcome to Team Cyber!

The bottom line: Everyone needs to be a cybersecurity leader—starting with their computers.

 

Steel Door On A Styrofoam House?

The more security is proactively “baked in”, the more “secure information sharing” will occur.

 

What’s Your Role? What’s Your Responsibility?

Currently, a person’s security role and responsibility may not match exactly. What that responsibility is, and what training the person needs, is the theme of FISSEA 2010.

 

Wanted: Trained Cyber Defenders

DHS is hiring 1,000 new cyber defenders. When they need training, they can get it from The Defense Cyber Investigations Training Academy.

 

Enabling Cyber Defenders

Government relies on a wide variety of approaches and tools to keep the bad bits out and let the good bits in. Here are three examples.

 

Cyber Implementers

As threats rise, so do the efforts of industry to provide the cyber solutions government—and the rest of us—need.





Viewpoints

 

Getting Proactive—Viewpoint: Jim Flyzik

Jim Flyzik talks about why we all need to be proactive when it comes to cybersecurity.

Make It Easier, Bake It In—Viewpoint: Jeff Erlichman

Industry needs to make it easier for end users to practice cyber hygiene.



Cybersecurity Articles 


Welcome to TEAM CYBER

By Jeff Erlichman, Public Sector Communications

 

Emerging proactive, public/private partnerships are swelling the ranks of Team Cyber. But the bottom line is: everyone needs to be on the Team and start by practicing good “cyber hygiene” on their own computers.

 

Good news. Step 1 is done.

 

Step 1 of the President’s CyberSpace Policy Review Near-Term Action Plan was to appoint a so-called “cyber czar”.

 

Howard Schmidt, who has an impressive 40-year resume, including serving as the Chief Strategist for the US CERT Partners Program in the Bush Administration, is now in the job.


OK. Step 1 is done (finally, some would say).

 

According to the Policy Review, Schmidt’s task is coordinating “the nation’s cybersecurity policies and activities, establish a strong NSC directorate… (and) to coordinate interagency development of cybersecurity-related strategy and policy.”

 

He is “on the frontlines” as point person for accomplishing the other 9 elements of the Policy Review’s Near-Term Action Plan, followed by the 14 elements of the Mid-Term Action Plan.

Needless to say, Schmidt is going to need a lot of help from government, academia, research labs and industry.

 

These professionals are going to have to provide the brain power, the technology power and the will power to arm the nation’s cyber defenders with the tools they need to have full-time, real-time situational awareness.

 

In the near term, Schmidt’s efforts will be focused on hard tasks such as: preparing an updated national strategy; establishing performance metrics; creating an incident response plan; and initiating a national public awareness and education campaign to promote cybersecurity.

 

All mandated by the “leading from the top” approach of the CyberSpace Policy Review.

 

Practice “Cyber Hygiene”


To initiate a national public awareness campaign, Schmidt is going to need everyone’s help (i.e. you).

 

After all, cyber security (two words) begins—and sometimes ends—with how you connect to your network.

 

In fact, 80% of the cyber challenge could be mitigated right now, making it much more difficult for the bad guys, if everyone practiced what Bob Dix, President, Government Affairs & Critical Infrastructure Protection, Juniper Networks, calls “cyber hygiene.”

 

Dix made his comments during the Federal Executive Forum on cybersecurity. He called for increased efforts to educate government, home users and small businesses on how to practice simple cyber hygiene (e.g. using and updating antivirus programs, installing firewalls and practicing sound password management).

 

“That’s a place where we can spend a little more time and attention while we raise the awareness at the senior levels,” said Dix. “We need to get down to the Mom and Pops and small businesses that don’t have IT staff, and I think we can improve upon that.”

So, for everyone there is the opportunity—and responsibility—to “lead from the bottom”.

 

Make Everyone A Cyber Defender

 

Greg Schaffer, Assistant Secretary for CyberSecurity & Communications at DHS, agreed with Dix.


“We need broad societal recognition across government, the private sector, in large businesses, in small businesses, among individuals as well as our international partners that unprotected nodes—poor cyber hygiene—is irresponsible behavior,” explained Schaffer.

 

“If we are not protecting those nodes, we are presenting opportunities for those who would do us harm to take advantage of those nodes and then use them as attack vectors against us. There are significant costs to society of having those problems persist. I don’t know that we recognize all the expense associated with what is happening today.”

 

That squarely puts responsibility on the end user to practice good cyber hygiene. It also puts responsibility on government to provide ongoing training.

 

In fact, one common complaint from end users is: industry makes practicing good cyber hygiene too hard. So the onus is also on all cyber providers to make it easier for end users to practice good cyber hygiene.

 

Amazing Opportunities

 

Among Schaffer’s 2010 priorities are hiring the right set of capable and skilled professionals in the cybersecurity arena and building an ecosystem as the front line of defense for the Federal Executive Branch. He is also interested in building partnerships with key players both within the government and within the private sector.

 

Dave Wennergren, deputy CIO at the Office of the Secretary of Defense, is one of those key government partners. He is keenly aware of the amazing opportunities that will arise when “secure information sharing” becomes standard operating procedure.

 

“The power of a Web 2.0 world; the ability to do mass collaborating; the democratization of technology; the ability to share is profound,” Wennergren told the Forum audience.

 

“If you could use terminology like ‘secure information sharing’, you are actually defining security solutions that help you collaborate with users across boundaries in ways never before deemed possible. So it provides huge business opportunities,” Wennergren explained.

 

In a future where “secure information sharing” devices will be more powerful iPhones, iPads and Droids, on-demand collaboration beyond organizational boundaries will be the norm. Success depends on staying focused on “continuously evolving security”, said Wennergren.

 

Together We Must Stand

 

In a cyber world where the private sector controls a vast majority of network assets, public/private partnerships are critical to developing the evolving security policies and solutions.

 

“The dialogue that we are having at the CIO level is about how do we raise the bar in security? How do we share best practices?” said Wennergren.


“We are using social networking services, and rather than trying to figure out how to raise the bar on security by yourself, we are engaging in a dialogue with all the big social media services asking ‘what are you guys doing? What are the best practices, how do you share with your partners’?”

 

“We are all in this together; you’ve got to raise the bar together. It’s a message that has to be heard by all government agencies that there’s incredible power in partnerships with industry and having that strategic dialogue.”

 

“You’ve got to not shy away from it, you’ve got to jump into it,” Wennergren asserted.







Are You Putting A Steel Door On A Styrofoam House?

 

The more security is proactively “baked in”, the more “secure information sharing” will occur.

 

Future cybersecurity solutions have to ensure the power of mass collaboration and sharing information with unanticipated users, according to Dave Wennergren, DCIO at the Office of the Secretary of Defense.

 

“If you could use terminology like ‘secure information sharing’, you are actually defining security solutions. This provides huge business opportunities, but it has to be different than the reactive security practices of the past.”

 

So, how do you become proactive, not reactive?

 

Is Your Security Intrinsic?

 

Reactive security is when a problem is identified and a product is deployed to solve it. This leads to better firewall, antivirus and intrusion protection products, but against a threat that has already been identified or is signature-based.

 

“The problem is that many threats are not signature-based, but are zero-day threats,” said Sam Visner, Vice President in charge of Computer Sciences Corporation’s (CSC) cyber strategy, in a recent interview. “So if you are trying to react, by the time you do, it may be too late, the damage may be done.”

 

A signature-based threat is one that has been detected and characterized, so cyber defenders can look for a signature (pattern) and prevent it from getting through into the enterprise. And if it does get through, the effects are known. A zero-day threat has never been seen before. It’s the first time.

 

Being proactive takes doing a couple of things right, said Visner.

 

“First look at the architecture of your enterprise and ask: Was it designed properly from the get go?” Or, “if you are redesigning, recapitalizing or modernizing your infrastructure, is that process using good architectural and engineering principles, so that your enterprise is intrinsically secure?”

 

Translation: “Are you building the house properly—which is being proactive? Or are you trying to put a steel door on a Styrofoam building—which is reactive? So, no matter how fast you work you are always behind the power curve,” explained Visner.

 

That doesn’t mean patch management is going away. What Visner advocates is “baking in” the security solutions into the infrastructure and sharing more information about architecture and design.

 

“We have built a set of architecture and design principles called ‘intrinsically secure architecture’ to make sure any architecture and any enterprise solution that CSC implements are intrinsically secure,” he said.

 

Public/Private Partnering

 

“The real question is whether the government can add the private sector information to its own and build a knowledge base of information that is sufficient,” said Visner. “I think people are talking actively about what public/private partnerships can do (e.g. Google & NSA) to better defenses and share threat information faster.”

 

Another example: DOD is putting together a Defense Industrial Base (DIB) pilot program with a set of framework agreements.

 

Visner explained that this allows DOD to learn about threats on the parts of the CSC infrastructure where DOD information is processed. He thinks the DIB model should be considered as a template for other parts of the private sector to share information with the government. —Jeff Erlichman




 




What’s Your Role? What’s Your Responsibility?

 

At the intersection of FISMA, OMB’s ISS LOB and NIST SP 800-16 is the concept of security role-based training.

 

FISMA states that agency-wide Information Security programs are required and shall include “security awareness training”. OMB’s Information Systems Security Lines of Business (ISS LOB) talks about common suites of ISS training products and training services for the federal government.

 

Because the current IT environment is so complex, a person’s role and responsibility may not match exactly. Everyone has some responsibility from the executives right on down to the end user. But what exactly is that responsibility and what training is needed to fulfill that role?

 

Using roles—and the responsibilities that come with them—rather than titles allows for fine tuning. Plus, a person may have more than one role in maintaining security. So, there are roles—and responsibilities—for executives, IT staff, program managers and so on.

 

It sounds so simple.

 

In fact, the concept is spelled out in NIST SP 800-16 and there is a “NIST Model” which features a Learning Continuum and divides role-based training into: 6 functional specialties; 3 fundamental training content categories; 26 job functions (roles); 46 training matrix cells; and 12 body of knowledge topics and concepts.

 

So why is it still an enigma?

 

“Effective role-based training continues to be a major puzzle for federal agencies,” explained Captain Cheryl Seaman from the NIH Information Security and Awareness Office in a recent interview.

 

Captain Seaman said that while the goal is to have a staff that is adequately prepared to protect information assets within our dangerously shifting cyber threat frontier, the path to that goal is not straightforward.

 

“Who needs training and what do they need is not standard throughout the federal government, thus it remains an enigma,” said Captain Seaman.

 

Great Conference Theme


Captain Seaman is also the chair of the 23rd annual FISSEA (Federal Information Systems Security Educators’ Association) Conference to be held March 23-25 at the Natcher Conference Center on the NIH Campus in Bethesda, MD.

 

This year’s theme: “Unraveling the Enigma of Role-Based Training”.

 

According to Seaman, while many already have a handle on security awareness, “role-based is hard to get your arms around; especially when you think of training and resources and how do you make do with the resources you have; what is your strategy for your own agency?”

 

Seaman is hoping to have a candid exchange of ideas on some of the different paths agencies are taking to solve the enigma, some of which meet federal cross-training workforce development initiatives.

 

“Look at the different approaches. OPM is developing competencies; what are DHS and DOD doing? What about the NIST way? VA has its own. So let’s look at harmonization efforts to find common ground and approaches.” —Jeff Erlichman



Unravel The Enigma At FISSEA


March 23-25, 2010 • NIH Campus • Bethesda, MD

The Conference theme is “Unraveling the Enigma of Role-Based Training”.

Benefit from:

• A better understanding of role-based training and how to implement it at your organization

• Awareness and training ideas, resources, contacts

• New techniques for developing/conducting training

• An update on cybersecurity initiatives

• Networking opportunities

• Professional development

For more information on FISSEA, please view the website at www.fissea.org.







WANTED: Trained Cyber Defenders

By Jeff Erlichman, Public Sector Communications 


Having the right set of capable and skilled people—who know their role and responsibility—is critically important for defending your network perimeter and your data itself.


The headline reads: Wanted—1,000 Trained Cyber Defenders.

 

This focus on finding the right people is the #1 priority of DHS, said Greg Schaffer, Assistant Secretary for CyberSecurity & Communications, during the Federal Executive Forum.

 

“No question about it, people are our #1 priority with respect to everything that we do,” said Schaffer. “Having the right set of capable and skilled people in the cybersecurity arena is critically important to all of our programs; so we are very focused on getting those people hired.”

 

Recently DHS was given the financial resources to hire 1,000 new cyber defenders. Officials hope they have found some of the people they need at their December Cyber Job Fair. But even if DHS fills each of the 1,000 positions it won’t be enough. And it certainly isn’t enough to fill the governmentwide need.

In fact, SANS Institute’s Alan Paller recently told the audience at the Cyber Crime Conference there are around 1,000 trained digital forensics professionals in the U.S.; 20,000 to 30,000 are really needed to combat the threat.

 

Contract Expands Cyber Training

 

It’s clear those newly hired DHS recruits are going to need training. Helping government put contracts in place to train cyber defenders is Ken Evans, GSA FEDSIM Defense Sector Director.

 

“We help our Defense clients put contracts in place and help them manage the contracts,” explained Evans in a recent interview. “We provide our clients the best vendor that provides the best support they need at the best value.”

 

One of FEDSIM’s clients is The Defense Cyber Investigations Training Academy (DCITA). DCITA wanted to expand its training offerings in the cyber area, said GSA’s Keith Parks, Senior Project Manager, who along with William Kreykenbohm, DOD Group Manager, worked closely with DCITA.

 

“They also wanted to find a better way to measure whether DCITA training was meeting DOD and federal law enforcement community needs,” explained Parks.

After gathering all the requirements, a performance-based task order was awarded to Computer Sciences Corporation (CSC) under the GSA Millennia GWAC.

 

Under the task order, CSC is to design, develop and teach courses in areas that include computer forensics and network intrusion.

 

The Academy is the only government organization solely dedicated to cyber investigations training, development, and delivery. Students are trained in the latest digital forensic techniques using state-of-the-art equipment, classrooms, and technologies, according to its website.

 

“The relentless changes in technology, cyber landscape and threats demand that we provide the very best training to our students; from the fundamentals to key tactics, techniques and procedures all delivered through innovative and dynamic methodology,” said Matthew Parsons, director of DCITA in a statement when the contract was awarded.

 

“DCITA is pleased with the CSC award and anxious to continue our progress in training DOD’s network investigators and operators in this critical mission.”

 

The World’s Cyber Clearinghouse

 

Jim Menendez is the Vice President and General Manager of Global Security Solutions (GSS) within CSC’s North American Public Sector (NPS). He, along with CSC project lead Ron Hinkle, head up the CSC DCITA team.

 

“In the 12 years that CSC has been providing the forensic training at DCITA, we’ve trained over 13,000 students,” said Menendez in a recent interview. He said students from both DOD and civilian agencies “either come to the ‘schoolhouse’ as we call it, or have access to remote courses throughout the world including Germany and Iraq.”

 

“One of the biggest challenges as a nation is the availability of trained professionals,” Menendez said.

He explained the key to CSC’s success is in their approach to training. They are not relying on past performance, but building on that and putting in place new training techniques and approaches, including the use of a portal technology and a new content management system to facilitate distance learning. Students can even earn college credits for courses taken at DCITA.

 

“Our tagline during the recompete was ‘over the horizon’, looking not only at current requirements, but looking at what we should be doing to meet future demands for training,” Menendez said.

 

The new contract formalizes a provision to train private sector members of the Defense Industrial Base (DIB), so that the process for responding to cyber incidents is consistent for both the government and DIB members.

 

Menendez is not shy when he says part of his mission is to help the DCITA meet its business objective of becoming the nation’s—and the world’s—clearinghouse for forensic training.

As more and more agencies race to beef up their training, Menendez is working closely with DCITA staff to figure out ways to build out the program that is already in place to address their needs.

 

He urges agencies who might be thinking about starting their own training programs to think twice. “Some might think they need their own academy,” said Menendez, “but rather than do that we should promote collaboration across the government and build out what already has been established at DCITA.”

 

In fact, the cyber forensic training requirements go beyond the U.S., said Menendez. “There are NATO forces and others and trying to figure out how we can put MOUs in place and turn this into a global business.”

 

Learn more at http://www.dc3.mil/dcita/dcitaAbout.phpt.  


Take The DC3 2010 Cyber Crime Challenge!

 

The 2009 US Champion Team was the Air Force Institute of Technology’s “Little Bobby Tables” with 1,772 points. They were successful in providing the most solutions to the scenarios for U.S. only teams.

 

Can you top them? If you are ready to pioneer new investigative tools, techniques and methodologies, then it’s time for you to enter the DOD Cyber Crime Center Challenge.

 

The DOD Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics for any DOD investigation that requires computer forensic support to detect, enhance, or recover digital media, including audio and video.

 

Already 190+ teams have registered for the 2010 Challenge! Registration closes November 1, 2010. Solutions are due November 2, 2010. Winners will be announced December 1, 2010.

 

To register email challenge@dc3.mil; call 410.981.6610 or fax 410.981.1092.

DC3 also sponsors the US Cyber Challenge (http://csis.org/uscc/) which is a national talent search and skills development program.

Its purpose is to identify 10,000 young Americans with the interests and technical computer skills to fill the ranks of cyber security practitioners, researchers, and warriors. In particular, the search is looking for the people who can become the top guns in cybersecurity.

 

The identification process relies on national competitions with many winners. They include the CyberPatriot high school competition conducted by the Air Force Association, the DC3 Digital Forensics Challenge conducted by the US Department of Defense Cyber Crime Center, and the NetWars vulnerability identification competition conducted by the SANS Institute.








Enabling Cyber Defenders

By Jeff Erlichman, Public Sector Communications

 

Government relies on a wide variety of approaches and tools to keep the bad bits out and let the good bits in. Here are three examples.

 

The reality is there is more new bad code being developed than good code.

 

“There are 50,000 new, bad applications being developed per day,” explained Mike Carpenter, Senior Vice President for Public Sector at McAfee, during The Federal Executive Forum.

 

“I venture to say that there are probably not 50,000 good commercial applications being developed per day. So there is more bad code being developed than there is good code.”

According to Carpenter, the current way that we defend our networks and our systems is about identifying what malware is and preventing malware from coming in.

 

“We have over 450 researchers around the globe; their only job and their skill set is to identify malware and then be able to decode that malware protection back to our customers. We have a global footprint.”

 

That global footprint consists of over 150 million sensors around the globe that feed the McAfee Cloud, enabling analysts to provide intelligence and tools to help government defend against attacks.

 

But 50,000 new, bad applications is a staggering number. So, what Carpenter and his industry partners are grappling with is “how we can get ahead of that?”

“I believe the future in prevention is not about getting in front of the bad threat, it’s about identifying good code that should be executing on your systems,” Carpenter said.

 

He favors an approach that moves from blacklisting toward more whitelisting: looking at which applications should be accessing which resources on your system and which IPs should be traversing your network.

 

“You are looking for good information rather than necessarily looking for bad information since there has been a major shift in global development of code.”

 

Identifying Chains of Attack

 

Whitelisting is sure to gain more traction in the future. Blacklisting has traction right now.

“About 80% of the cyber attacks that occur in technology that has been developed today have a signature that we recognize, we’ve blacklisted it. A Juniper system can shut it down,” Lee Holcomb, Lockheed Martin’s Vice President, Strategic Initiatives, explained during the Federal Executive Forum.

 

“But about 20% of the attacks today fall into this category that’s called ‘advanced persistence’. A lot of what we are focusing on is really looking at that 20% that is very hard to catch.”

 

Holcomb described the concept that Lockheed Martin developed through its own internal network, which has about 120,000 people, so it looks very much like a large government agency to foreign adversaries.

 

“We look at a chain of attack. How does a bad guy come after you? They do reconnaissance, maybe on your network or maybe on social sites they go to,” Holcomb said. “They do reconnaissance; they do delivery of an attack; they do an exploit and compromise you; they then do command and control; and then they exfiltrate data from your site. We’ve watched that process.”

 

Lockheed has catalogued about 55 different campaigns and developed a database on how each behaves. They share that information.

 

“We’ve been able to identify the patterns, and we may miss the bad guys at one of these stages, but if we look at the whole pattern we’ve actually been able to catch folks in the pattern, even when we don’t know the signature of the attack,” said Holcomb.

 

“So we think this is a new paradigm; we think that this is a direction that needs to be taken to be more effective as a cyber defender. It’s a lot easier to be a cyber warrior, quite frankly. It’s more difficult to be a cyber defender. And so we are trying to make the cyber defender more effective.”
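The chain-of-attack correlation Holcomb describes, as an added example (not Lockheed Martin's code and not part of the original article): events that match no signature on their own are grouped per host and flagged when they advance through several of the stages he lists within a time window, even if one stage was missed. The event fields, host names, seven-day window and three-stage threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stages in the order Holcomb lists them.
STAGES = ["reconnaissance", "delivery", "exploit",
          "command_and_control", "exfiltration"]


@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    stage: str                    # one of STAGES
    detail: str
    signature_hit: bool = False   # True if a known signature matched


@dataclass(frozen=True)
class Finding:
    host: str
    stages: list
    signature_free: bool          # True if no event in the chain hit a signature


def best_chain(events, window):
    """Longest run of events whose stages strictly advance through STAGES,
    with the whole run falling inside `window` of its first event."""
    events = sorted(events, key=lambda e: e.when)
    best = []
    for i, first in enumerate(events):
        # Longest chain starting at `first`, keyed by the stage it ends on.
        by_stage = {STAGES.index(first.stage): [first]}
        for ev in events[i + 1:]:
            if ev.when - first.when > window:
                break
            s = STAGES.index(ev.stage)
            earlier = [c for idx, c in by_stage.items() if idx < s]
            if not earlier:
                continue          # out of order relative to this chain
            candidate = max(earlier, key=len) + [ev]
            if len(candidate) > len(by_stage.get(s, [])):
                by_stage[s] = candidate
        longest = max(by_stage.values(), key=len)
        if len(longest) > len(best):
            best = longest
    return best


def correlate(events, min_stages=3, window=timedelta(days=7)):
    """Flag hosts whose events form a chain of at least `min_stages` stages."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev.host].append(ev)
    findings = {}
    for host, evs in per_host.items():
        chain = best_chain(evs, window)
        if len(chain) >= min_stages:
            findings[host] = Finding(
                host,
                [e.stage for e in chain],
                not any(e.signature_hit for e in chain),
            )
    return findings


def t(day, hour=9):
    """Constructed timestamp helper (March 2010)."""
    return datetime(2010, 3, day, hour)


# Constructed sample events; none of these come from the article.
SAMPLE_EVENTS = [
    # ws-114: four stages in order, exploit stage missed, no signature hits.
    Event(t(1), "ws-114", "reconnaissance", "staff pages crawled from one external address"),
    Event(t(2), "ws-114", "delivery", "mail with attachment from a first-seen sender"),
    Event(t(2, 15), "ws-114", "command_and_control", "regular-interval connections to a rarely seen domain"),
    Event(t(4), "ws-114", "exfiltration", "large upload outside business hours"),
    # ws-201: a single blocked delivery, caught by signature.
    Event(t(3), "ws-201", "delivery", "attachment blocked by antivirus", signature_hit=True),
    # srv-07: two events, but in the wrong order to form a chain.
    Event(t(5), "srv-07", "exfiltration", "large outbound transfer"),
    Event(t(6), "srv-07", "reconnaissance", "port sweep seen at the perimeter"),
    # ws-330: two stages in order, but too far apart for the window.
    Event(t(1), "ws-330", "delivery", "mail with link from a first-seen sender"),
    Event(t(20), "ws-330", "command_and_control", "connection to a rarely seen domain"),
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding.stages, "signature-free:", finding.signature_free)
```
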

 

Cyber Cloud Computing

 

Imagine the Cloud as a back hoe filled with 40 quadrillion bytes of data as the workhorse.

It contains the brute strength to perform the tremendous amount of analytics needed to cull “golden nuggets” from an ever growing massive amount of “Big Data” that can come at any time and in any format at a rate of 50,000-60,000 new cyber events per second.

 

Then it can pick the best set of data in real time and feed these “golden nuggets” to precision instruments (e.g. Oracle, PeopleSoft) analysts can use to make decisions in as close to real time as possible.

 

So, when analysts are defending against cyber threats, they can analyze data in close to real time—not 24 hours old—thus improving defense capabilities exponentially to thwart attacks.

 

The ultimate goal is real-time situational awareness.

 

Big Data allows better decision making through a more effective way to store, manage and analyze data, said Josh Sullivan from Booz Allen Hamilton in a recent interview.

Sullivan explained how the Cloud was the back hoe, the brute-force workhorse that fed them golden nuggets. At the same time, they could still use their existing suite of visualization and analysis tools and keep all the capital they had built up around using these tools, but the source feeding those precision instruments was the Cloud.

 

The scalability of the Cloud allowed them to do a tremendous amount of analytics and pick the best set of data in near real time to feed to those precision instruments, instead of relying on the precision instruments to pick out the golden nuggets from an ever expanding sea of data, said Sullivan.

 

Sullivan explained that if there was a critical node they wanted to analyze, every hour they could compute everything they wanted to know about that node and store it for later retrieval.

So, if there were 1,000 critical devices to constantly monitor, the Cloud would be used as the workhorse to continually pre-compute all available data for those devices and have the information ready for analysts or other machines to consume as needed in real time.

 

All of these experts agree that it is easier to be a cyber warrior and much more difficult to be a cyber defender. Blacklisting and whitelisting technologies, along with the sheer computing power inherent in the Cloud, are helping balance the scales, making cyber defenders more effective.




 



 

Cyber Implementers
By Jeff Erlichman, Public Sector Communications

 

As threats rise, so do the efforts of industry to provide the cyber solutions government—and the rest of us—need.

 

The news is not earth shattering.

 

Cyber experts from Guidance Software, HP, Juniper Networks, SafeNet and Symantec all agree government faces a daunting task managing and protecting data at rest and in motion, whether it is on an internal server or a mobile device.

 

But these experts also agree there are practical, cost-effective ways to minimize risk and maximize protection—and they have solutions working in the field to back them up.

These experts—Sam Chun, HP; Cary Moore, Guidance Software; Bob Dix, Juniper Networks; Pete Engel, SafeNet; and John Bordwine and Jason Meinhart from Symantec—made their comments during a recent Roundtable hosted by the publishers of On The FrontLines.

Getting A Grip

 

Every day there are more and more attacks. Every day, the time we have to respond grows smaller.

 

“Customers are having a hard time having a sense of what’s going on and having a true command picture of their environment,” said HP’s Chun.

 

“That’s because of so many different technologies being deployed, along with the volume and speed that information is coming in. We are working hard to address that in a near real time way to drive quicker decisions.”

 

Guidance Software’s Cary Moore sees a similar trend. “Many of our customers are being hit with more sophisticated attacks and advanced persistent threats. They need the intelligence to respond quickly and get networks healthy in a much faster way.”

 

As threats increase, SafeNet’s Engel said he is seeing an increasing move to securing the end points—the mobile devices and telework situations—as well as a move to securing the data itself; so that if the network is compromised there is another layer of security around the data itself.

 

He added that includes studying how the data is being used on the network and on those mobile devices. “We are seeing what the users are doing with these devices and bringing that together in the overall profile and the picture of what’s happening on our network.”

Symantec’s Jason Meinhart brought up another point often talked about, but where there has been little action.

 

“The chief challenge is dealing with outmoded forms of regulation, the challenge of certifying systems, coming to grips with the limitations of the C&A process,” said Meinhart.

 

“With all the mobile devices, you can’t govern their use by the same policies that were written five years ago when a desktop computer attached to classified or unclassified system may have been the norm. It’s a whole new ball game today with mobile; the rules are outdated.”

 

All agree that government managers understand the magnitude of the problem they face. But they also point out that in government there are very few people who understand the full scope of the problem because it is so complex.

 

So where does that lead us?

 

“The government is making a strong effort to address cyber hygiene and low hanging fruit issues such as: regular updates to antivirus signatures, password management, configuration management, patch management and a commitment to regular cyber education and training,” explained Juniper’s Dix.

 

“We need to get back to basics; have solid and sound policies; make sure users know policy and if there is an enforcement arm, that those policies are truly being enforced. We need to be proactive,” said Moore from Guidance. “Training has to be a big part of that and there has to be a change in mindset and security is a big part of that—every user needs to take that responsibility.”

 

Where There’s Work To Be Done


“We as an industry don’t have a really rigorous way of modeling risk,” said HP’s Chun. “We make IT decisions crudely compared to other industries. For example the financial industry has the data to give you a number, to quantify your risk.”

 

“Our customers need the tools and capabilities that allow them to do trade off analysis between very specific technologies that are not similar,” he added. “The economic condition is ripe for this type of approach; if I had to choose between antivirus versus intrusion protection, what is the better choice for my environment to invest in?”

 

SafeNet’s Engel noted that “one of the areas we see developing very rapidly is back office identity and privilege management—the CAC cards and the PIV cards. Agencies are now looking at how they can take advantage of the technologies that are on the card from both a security and business process perspective.”

 

At Guidance, Moore said they are building off their forensic tools to deliver faster actionable intelligence that can be passed on to the decision-maker.

 

“We are building technologies to be able to deal with new threats like poly- and metamorphic malware. We are getting better visibility into the network and into the systems to find what truly is out there.

 

This means finding out what the differences are between a “good” system and a system that has been hit and bringing this in a way that clients can see information as fast as possible.”


Symantec’s John Bordwine talked about the importance of integrating technology around the SCAP environment and paying more attention to Data Loss Prevention (DLP) technologies—both of which have the attention of OMB.

 

According to NIST, “the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.”


Bordwine said this is a key initiative across government because agencies know they are understaffed and may not have the right skill sets in-house. Thus, along with a need to increase the knowledge base, agencies need to automate security processes as much as possible.

 

Juniper’s Dix said, “We’re seeing more focus on standardizing configuration management across the enterprise, such as the Federal Desktop Core Configuration (FDCC) initiative, as OMB now requires verification of FDCC compliance via SCAP. We also see greater attention to the top 20 security controls in the Consensus Audit Guidelines (CAG), which now includes NIST 800-53 Revision 3 mappings.”

 

It is also clear that utilization of enterprise-wide solutions and ‘Center of Excellence’ skills and best practices represent a more holistic approach to cyber attack risk identification, prevention, mitigation and response, said Dix.





Viewpoints 


Cybersecurity Challenges – Getting Proactive

 

By Jim Flyzik, The Flyzik Group

 

I have taught a graduate class on cybersecurity at the University of Maryland, University College part-time on Saturdays for 17 years. Every year, my students complete research papers on current cyber topics so I have had a chance to follow along as cyber threats became more complex. The sophistication of the threats evolves right along with the advancement of technology.

 

I also watched as we reacted to cyber threats in the past with a “band-aid” approach—fixing problems after something bad happens. We have now reached a stage where significant vulnerabilities call for proactive approaches to prevent cyber attacks before they happen. Can we do this? Why is it so difficult?

 

Cybersecurity challenges are daunting for many reasons. First, the scope of the problem raises the question of where to put resources to begin to address the challenges. Do we begin with securing operating systems, databases, local networks, or the data itself?

 

What about wireless networks? What about the devices? The PCs, notebooks, tablets, BlackBerrys, iPhones, Droids, routers, and switches, to name just a few of the hundreds of smart devices that connect to our networks. Then there is the Internet! How do you secure something that has no centralized governance structure or single points of trust? Clearly, we need to start somewhere.

 

The National Cybersecurity Initiative addresses protection of the perimeter—defining ways to keep bad bits out and let good bits in. Internally, protecting the data requires encryption and tools for data loss protection and data masking of structured and unstructured information. Proxy data should mask real data while data is in transit. “Real” sensitive data should only exist in the secured production environment. We also need to use encryption techniques to the fullest extent to address the identity management (IdM) challenges and message authentication.

 

Law enforcement plays a big role here too. Cyber attackers have the anonymity of the Internet on their side; the rules of evidence are oftentimes complex computer logs that are difficult to trace and almost always difficult for juries to understand. No smoking guns, no DNA, no blood or fingerprints.

 

Attacks originate worldwide, and cyber laws vary widely.


Now, if technology and law enforcement challenges aren’t hard enough, consider who needs to be involved in this effort—everyone who uses a computer, a cell phone or any of the wireless network appliances in use in cyber space.

 

No government or industry entity can fix every vulnerability. It is the responsibility of everyone to practice good security practices when interacting in the cyber world. This means a massive awareness and education campaign as a national priority and cooperation and collaboration with international entities. Further, if we hire people of high integrity, a good deal of the internal threat is diminished. If we use physical security methods to restrict access to sensitive areas, we diminish that threat as well.

 

The federal government wants to hire more cybersecurity-skilled employees. What are the qualifications for the job? Let’s see. They need computer skills, telecommunications skills, wireless and wireless device skills, management skills, oral and written communications skills, and of course, cybersecurity skills. Where do we find them?

 

The good news is cybersecurity is now a national priority. Some great people are being called back to government service to address these tough issues. And our universities are stepping up to help train a workforce of the future to step up to the challenges. The proactive approach is underway.

 

Jim Flyzik is President of The Flyzik Group. He is the former CIO at the Secret Service and Treasury and served at The White House under Tom Ridge. He hosts the Federal Executive Forum on Federal News Radio and is the chair of the AFCEA 2010 Homeland Security Conference in February. Contact him at www.theflyzikgroup.com.


 


Viewpoints 


Make It Easier, Bake It In 

 

By Jeff Erlichman, Public Sector Communications

 

I admit it. I’m one of those “end users” on the frontlines of my personal and business cyber defenses.

When it comes to security, the CyberSpace Review Plan doesn’t have to spend its resources telling me. Believe me, I’m aware. You better be—especially when your email is in the Cloud.

 

I’ve long known and practiced the virtues of proactive cybersecurity and having multiple backups. But it didn’t prevent me from being attacked. I have one email account with a problem that has taken my provider more than 6 months to figure out. And I’m still not 100% sure it’s solved.

 

If you are like me, here’s what you’ve got. I have one program that provides a “Security Center” protecting my computer, files and email from viruses, spyware, etc.

 

I have another program that scans, repairs and optimizes my PC. Plus, I have another anti-spyware program. I’m not sure whether these programs actually conflict or are complementary. In fact, I’m confused. I would ask my systems administrator, but of course, that’s me. And I don’t know the answer.

 

But I do know one thing: I’m practicing “cyber hygiene”. I’m cyber responsible, but still frustrated, still not sure I’m doing enough, and still wishing the whole cybersecurity process was easier and more transparent. Plus, error messages and warnings are written in “computerese”. Yikes!

 

So, I can’t tell you how refreshing it was to hear some leading security providers say the industry isn’t doing enough to help end users.

 

HP’s Sam Chun has written on security awareness. During our recent Roundtable he said, “I think we on the industry end have made it fundamentally too difficult for the end user to achieve security. I think we as an industry need to do better; it’s just too hard and too complex for the average user.”

 

Chun said we need to make security transparent, invisible, assured and persistent for the end user so it is just computing for them. “The industry needs to work harder to make this happen. We should not expect the user to do it effectively; so we as an industry need to help them do it.”

 

CSC’s Sam Visner added, “For many years hardware and software manufacturers and SIs said ‘we are going to turn IT into a commodity; one that is increasingly available, increasingly useful and increasingly easy to use; so you shouldn’t worry about IT’.”

But now some are telling end users they haven’t done enough. They don’t update antivirus definitions or don’t configure their firewall right, Visner explained. “Everything we told you about IT being inexpensive, easy and useful, now we have a big and difficult discipline that you—the user—have to do. That wasn’t the deal when we rolled out IT.”

 

Hallelujah!

 

I’d love to do nothing, but I’m a realist. It may become simpler, but proactive personal cybersecurity is never going away.

 

But I’d like every cybersecurity provider to have Chun’s and Visner’s attitude.

 

“If we design the system properly, we do not have to expect users to do all the maintenance; if we design it properly, users don’t have to become cyber experts; and if we “bake in” cybersecurity as an intrinsic system component, then IT becomes increasingly available and inexpensive, becomes easier to use and becomes useful to the mission,” declared Visner.

 

That’s the attitude I want. Bring it on.

 

Jeff Erlichman is managing partner of Public Sector Communications. He is the On The Frontlines editor and can be reached at jefferlichman@publicsectorcommunications.com.




Resources


WEBSITES

Link to these from www.pubsector.com/onthefrontlines/cybersecurity

 

AFCEA Solutions Series

CSIS/Center for Strategic & International Studies

Cybersecurity Research and Development Center

Defense Cyber Investigations Training Academy

Dept of Energy/CyberSecurity

DHS/National CyberSecurity Division

FISSEA—Federal Information Systems Security Educators’ Association

Infosec Institute

National Cybersecurity Initiative

OpenCongress.org

Ready.gov

SANS Institute

StaySafeOnline.org

US CERT-United States Computer Emergency Readiness Team
Cybersecurity Act of 2009

 

RESEARCH-WHITE PAPERS & SPECIAL REPORTS

 

CyberSpace Policy Review 
NIST 800-16
Securing Cyberspace for the 44th President 
VA - Role-Based Training 

A How-To Guide For IT Security In Government (Symantec)

Comprehensive National Cybersecurity Initiative (CNCI)

National Cyber Incident Annex Report  

Cybersecurity Solutions – Delivering Confidence (CSC)

GAO Cybersecurity Report – November 2009

Utilizing Entropy to Identify Undetected Malware (Guidance Software)





Published by


Trezza Media Group

Tom Trezza

201-670-8153

www.TrezzaMediaGroup.com

TTrezza@TrezzaMediaGroup.com


Public Sector Communications, LLC

Jeff Erlichman

301-774-6660

www.PubSector.com

JeffErlichman@PublicSectorCommunications.com  


The Flyzik Group

Jim Flyzik

301-365-4772

www.TheFlyzikGroup.com  

JFlyzik@TheFlyzikGroup.com  

 

Design/Production: Reuter & Associates  

 

© 2010 Trezza Media Group, Public Sector Communications, LLC

 




Copyright © 2010 Public Sector Communications, L.L.C.

Public Sector Communications, L.L.C.
19009 Alpenglow Lane
Brookeville, MD 20833

 

 

