CYBERSECURITY

In cybersecurity, there are no silver bullets

Securing information and systems is a complex challenge with no easy solution, experts say

Members of a panel of security experts today painted a gloomy picture of the cybersecurity landscape, in which rapidly evolving threats and conditions ensure that even the best solutions are likely to remain piecemeal and temporary.

Security efforts should focus on assessing and managing risk to information, members of the panel of industry and government officials said, and baseline security requirements mandated by government cannot be expected provide adequate security across the board.

“We should go in with our eyes open to the reality that if somebody wants the information, no matter what the baseline, they will get it,” said Wayne Fullerton, solutions and operations director for Cisco Systems Inc.’s U.S. federal organization.

Levels of security need to be assigned to a given piece of information based on its value to the owner and to those who could steal it. After the cost of stealing information drops below its perceived value, “if people really want it, they will get it,” Fullerton said.

And although no one level or policy is practical for securing all data, no one architecture is advisable either, said Bill Vass, president and COO of Sun Microsystems Federal.

“We don’t want to have one consistent architecture everywhere,” Vass said. That would only create a common set of risks.

The panel was presented by the Secure Enterprise Network Consortium, which includes Cisco, Sun Microsystems, CA and Accenture, as well as the Energy Department’s Los Alamos National Laboratory.

Rep. Jeff Miller (R-Fla.), ranking member of the House Armed Services subcommittee on Terrorism and Unconventional Threats and Capabilities, expressed concerns about the threat of cyber warfare in his opening remarks to the panel. Miller represents the panhandle of Florida that includes the Pensacola Naval Air Station and Eglin Air Force Base.

“We are in a cyber war, whether you want to call it a war or not,” he said, citing the millions of daily attacks against Defense Department IT systems. It is difficult to determine the sources and motives for these attacks, but he also cited instances of online attacks against Estonia in 2007 and Georgia last year as illustrations of the “ability to combine cyber attacks with a military objective.”

Miller said DOD must work closely with industry to ensure that national defense IT systems are not compromised at their outset by backdoors and other compromises that could be installed by offshore developers and manufacturers.

Terry Wallace, principal associate director for science, technology and engineering at Los Alamos, said the lab assumes that its systems are compromise, and that its security is imperfect.

“There will always be information loss,” Wallace said, and all systems are contaminated, although how and to what extent is unknown. With these assumptions, Los Alamos must strike a balance between the need to protect information and to enable collaboration on scientific research that is the lab’s stock in trade.

“There isn’t an answer today,” he said. “Our biggest challenge is that we have a lagging response. We’re almost always mitigating something that is no longer a security concern,” taking resources away from the job of anticipating threats.

Another problem that does not seem to be anywhere near a solution is figuring out who is in charge of the government’s IT security. This is a question that frustrates both the government and private sector.

“For us in industry, it looks like a phone book” when trying to determine whom to contact on a given subject, one member of the audience said.

Miller had little comfort to offer on that question. Although a central point of contact would be convenient, he warned that responsibility needs to be distributed so that differing needs of each installation can be addressed.

Jerry Briggs, managing director of Accenture’s federal business, said that rather than a single overseer for IT security in government, what is needed is better cooperation between the executive branch, Congress and industry.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Mar 18, 2009 Eirik Iverson Virginia

Last year I posted something on plugging data leaks: http://www.securitynowblog.com/security_applications/10_enterprise_data_leak_causes_remedies Generally, some emphasis should shift away from network security toward PC protection, control, and audit is required. http://www.blueridgenetworks.com/products/edgeguard.htm

Wed, Mar 18, 2009 Rob Norfolk, VA

Having been actively involved in cyber warfare as the CISO for the world's largest intranet and now as a contracted government service provider, it is refreshing to hear the coments reflected in this artcle. Those with limited knowledge of network security, think there is a silver bullet that will repeal all attacks. If more people will descibe network security as warfare, then others will eventually take the analogy to its logical conclusion......1. it takes a team of war fighters or network security operational professionals 2. the cyber warriors need the best equipment available and 3. the cyber warriors have to continually drill & train to succed on the battlefield........unfortunately, there will be casualties and winning the cyber war is very costly and the battle will go on for many years.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above