Keith Rhodes | Effective IT security starts with risk analysis, former GAO CTO says
Keith Rhodes has a good grasp of the role technology plays in the government's mission. As a supervisory scientist at the Energy Department’s Lawrence Livermore National Laboratory, he led the design, development and testing of secure space communications for a strategic Defense Department system. Later, he was chief technologist and director of the Government Accountability Office’s Center for Technology and Engineering, where he also served as the lead adviser to Congress on technical issues.
He has testified frequently before Congress on information technology security, an area that GAO has consistently found to be a high-risk endeavor in the government. He advocates a risk analysis and management approach rather than focusing on the perimeter.
Rhodes became senior vice president and chief technology officer at QinetiQ North America’s Mission Solutions Group in 2008. He spoke recently with GCN senior writer William Jackson about IT security.
GCN: Government IT security has consistently been assessed by GAO as a high-risk area. Does it remain so?
KEITH RHODES: Yes, and I don’t think that anyone should be surprised if it does remain so for a long time. Government is a nice target. It is high value, and it is subject to all the threat vectors, whether it is nation-states, organized crime, individuals or virtual gangs. The government is a plum; it is always going to be attractive, and IT security is going to have tremendous challenges, which means it will always be at high risk.
Government has put a lot of effort into securing its systems. Why is IT security such a tough nut to crack?
Rhodes: IT security isn’t a thing in and of itself. IT security is about mission assurance. You’re trying to assure that a mission gets accomplished. You have to bring that focus with IT security. No one can secure everything, but you have the ability to protect those things that matter. If an organization, whether it is the government or private industry, tries to take a blanket approach, you won’t have enough money, you won’t have enough technology, and you won’t have enough time to build a continuous security system.
So you have to answer four questions: What am I trying to protect? Against whom? For how long? At what cost? That is a challenge for most organizations. A lot of the security approach has been point solutions that take care of an edge boundary, and organizations would be well served to do risk analysis and figure out what the priorities are that need to be protected to assure the mission is accomplished.
The risk is defined by human beings, and that is why it becomes a tough nut to crack. You can’t buy security out of catalogs. You have to be an active participant in the risk analysis.
You describe security as a continuous process of monitoring, testing and adapting. Do agencies have the resources for that?
Rhodes: Yes, if they do the risk analysis, I think they will find they can get those resources. If I’m trying to protect everything against everything, then Croesus doesn’t have enough gold to protect everything. You have to decide there are some assets that have greater value to the mission than others, and those are the ones where you are going to focus your time and effort. There are some things you will have to focus on, and it involves continuous monitoring and adaptive security and continuous risk analysis to keep your eye on the parts of the organization that matter the most. It is not that you take your eye off other parts, but you might use more traditional approaches in some areas and others you will really focus in on.
How do you sell IT security when budgets are tight?
Rhodes: Again, it comes back to mission assurance. If a chief security officer goes in and says, “IT security is good, here’s how much it costs, and we should do this,” and leaves it at that, the odds of his getting the money are slim. You need to walk in with a mission profile approach and show how IT security assures mission accomplishment — say, “Here’s how much it’s going to cost, and here’s how much it will cost if you don’t do it.” You’ve got to give them a cost/benefit analysis, and you’ve got to have a return-on-investment strategy. Your return on your investment is [that] your mission is accomplished. That is how you sell it in times of austere budgets.
Who in government is doing this right?
Rhodes: The Defense Department actually does risk analysis and focused protection well. Not perfect, obviously, but they do it better than a lot of other people do because they understand their mission. They also understand they are continuously under attack, and they have that mind-set. They are managing their security to their risk profile because they have to accomplish their mission, come hell or high water.
In other departments and agencies, you’re going to find pockets that do it better than others. But if I had to pick a department that designs to risk, then I have to pick the Defense Department, even though they are always in the press because they are always under attack. To me, that means that they are responding to the real-time threats. Nobody has stopped the DOD yet with an electron.
Can other agencies learn from DOD, or are their situations too different?
Rhodes: I don’t think they're too different. The one thing that people need to understand is that complacency has no place in security. You can never rest on your laurels. This is a continuous process of monitoring, testing and adapting. The threat evolves, the vulnerability set changes, the infrastructure changes, and [you have to account for] all of those changes.
Has the Federal Information Security Management Act helped the state of the government’s IT security?
Rhodes: FISMA has helped because it gave a framework. It made information system management and security management something that everyone was held accountable for. That said, implementation is everything. If security people view FISMA as just a checklist, nothing is going to get done. If you’re expending a huge amount of energy trying to do your day-to-day operations, a lot of people are going to look at it as another piece of paperwork that has to be sent in.
It’s not that FISMA hasn’t helped or that it needs to be changed. It’s a function of the information collection and the oversight associated with it, which needs to be strong. It needs to not be viewed as a paper exercise or allowed to be used as a paper exercise. It is a matter of making sure people do not become complacent because they met their check box on FISMA.
Are there any changes that you think should be made to FISMA?
Rhodes: The only point I would stress is that if people are going to crack open FISMA and take a look at it, make certain that they strengthen and retain the risk management and risk analysis part. You can’t secure everything, you can only protect those things that are important to you, and that’s a function of risk, which is derived from mission assurance.
How have threats to information systems changed over the years?
Rhodes: They have become more automated, so anybody can do it. I was asked by [former] Sen. [Fred] Thompson from Tennessee what it would take to turn somebody into an accomplished hacker. And I said one mouse click. You are one mouse click away from somebody having an automated tool to use against you. The ease of attack is light years ahead of where it was just five years ago. The infrastructure has become far more complex over the last 10 years, and we have become far more dependent on it. The threat is now more complex because it has more attack points.
Once upon a time, it was the nation-state you worried about most, and it was the most powerful because [it] had armies and missiles. Now, we’ve seen where the individual has as much strength as a nation-state because he can now penetrate your network, establish a botnet, and sit back and wait until [he wants] to do something.
The threat has also morphed to being a for-profit business. Once upon a time, people broke in just to make a name for themselves. Now they’re selling their warez and skill sets and zero-day exploits.
Has security changed quickly enough to keep up, or are we falling further behind?
Rhodes: In some ways, we haven’t changed fast enough. We’re still buying and designing to boundary protection. Where we have moved faster is in understanding there has been a game change in the opponents where it has moved to for-profit crime.
From a threat analysis standpoint, we’re not perfect, but we’re better at that than at the implementation. The threat calls for prediction and proaction, and security design tends to be traditional endpoint solutions. The thing that will help that will be to manage to risk rather than trying to have a blanket solution.