The big threats now are from large nation states and the groups and individuals that contract out to them, and from attacks using botnet technology that morph and evolve in a virus like way to change their form and signature on a regular basis. Those lead to domain name server (DNS) attacks and DNS cache poisoning.
What those attacks lead to is a compromise of the trust of public IT communications. In every tabletop and simulated exercise that I've been involved in, they can lead rapidly to global DNS meltdown, which is a colloquial way of saying there is a broad loss of trust in Internet communications and data communications. That may ultimately be our biggest concern.
There is unevenness of response and with the definitions of information security, both within agencies and between them. There are multiple efforts underway to talk about what to do about information security, but also a duplication of efforts. There are task forces in the different silos of government - civilian agencies, defense agencies and in the intelligence community - all of which have different efforts under way, and which in many cases overlap. It does get very confusing.
The working theory in both government and industry is that information security overlays both IT security, which focuses on hardening systems and networks and perimeter defense, and information assurance, which is the domain of FISMA and deals with confidentiality, integrity and the availability of information regardless of the technology that surrounds it.
One of the big areas where there's currently a security gap is voice-over-IP. When you take voice and run it across IT data circuits it's subject to all of the hacking and penetration attempts that plague the Internet and corporate networks. One of the things most neglected is firewall perimeter defense for VoIP.
It's not, because information security deals with theft of identity. If your credit card is swiped by a waiter at a restaurant that has a credit card reader then your number can be stolen and your identity compromised, and that's not cyber security. There are lots of things that are not cyber related.
As an analogy, the primary way most people have of protecting their homes is locks on the doors that are opened with a metal key. However, if they have homes with garages they may lock their front door but not the door between their house and the inside of the garage. So it's very easy for someone to synch a garage door opener, open the garage door and then walk into the house.
If you look at the garage door opener as the equivalent of information security technology then the information itself, which is the house, is still left unprotected.
The standards themselves are very mature, but I think the real question is how fast are they responding to meet technology requirements. What I'm seeing right now is that technology is maturing at a faster rate than the standards, though that's having a positive effect by forcing standards to develop faster. That's outstanding, because you don't want to hold up technology development to wait for the standards, though standards are needed to verify that the technology is secure.
That's particularly so in terms of NIST. I'm seeing them step up and respond at a much faster rate than every before.
Strong identity management is indeed a key issue, and we're not there yet because there is no single, non-forgeable digital ID that is interoperable in all technology environments. The closest we've come is the chip in the US passport, which is interoperable across at least the American government and also with other governments who have adopted it.
Another example is HSPD-12, which mandated a common access card for government employees and contractors. That's been an extremely successful program, and interoperability of that card across at least some agencies is beginning to be realized.
What there is not, right now, is a common digital identity outside of government for the US citizen. You can buy a digital certificate, but where can you use it? There are not that many places that will accept it. The only version of consumer cryptography we have that is relatively ubiquitous and interoperable is Secure Sockets Layer, but that doesn't verify who you are.
The difference is tremendous. For a start, there is no one thing called The Cloud, there are many different clouds, and security in each of those clouds can change dramatically. And security in a cloud is not what we would normally associate with security such as strong perimeter defense, it's more a matter of trust. The cloud is outsourcing, and you don't own the computing resources, so what trust do you have in the provider? The newest concept in cloud computing is called a trust score, which is a quantifiable metric of all of the different controls around a provider's cloud, to do with authentication, with the physical controls around the data centers, even the background checks of the people who work there. In a cloud environment, the security paradigm is shifting from perimeter defense to this concept of trust.
Qwest has extremely strong cybersecurity in terms of technology techniques and staff. It has successfully implemented secure architectures across all three sectors of government. And one of our greatest advantages is that we can react quickly to design customized solutions in a flexible and time-effective way. Qwest has a very flat management structure, so I'm able to reach up into the CEO's office if necessary to accomplish what I need to get done for a customer, without asking for permission or having to get multiple approvals. I can pick up the phone and get what I need, there and then.
What makes Wikileaks different is that, in the past, bad actors generally sold federal information, classified or otherwise, to someone for money or for political or ideological reasons. It was always an individual with access to protected information. It's always been an individual bad actor.
Wikileaks was the first time a bad actor obtained large volumes of protected information and just put it out for the general public to see. They didn't do it for financial gain, or to advance any particular cause. Wikileaks is a whole new ballgame, because no one has ever taken chunks of highly protected stuff and just put it out there for the world to see.
So, the definitions of who are the bad actors and what actions they can take have to be expanded. Then there have to be changes in cyber law, because what's the repercussion for putting something out there in that way? And how do you involve people who live in other countries? With the web-based technologies you now have you don't have to be a technologist to do this, to build a web site and make it visible to the entire world, and then post whatever it is that you stole.
Risk assessments are generally focused on compliance, on what agencies need to do to comply with the law or with their agency's regulations. But compliance does not necessarily equal verifiable security.
The real question is how to combine verifiable security, and in the cloud age verifiable trust, with compliance. The answer should be that every federal agency's budget should be increased substantially so that they're not just in the position of being compliant with the law and regulations, but that they actually have the funds and resources to do verifiable security.
It's a true Gordian Knot, and you can either try to untangle it or find something that's powerful enough to slice right through it.
It has huge implications. I have two teenage daughters who live electronically through cell phones and PCs and with texting and web sites and all of those technologies. They don't use the telephone that's on the wall in my house, anymore. They never did. They are digital natives and they see technology differently, and your basic elementary school graduate is more skilled in technology today than PhDs of the 1950s and 1960s.
So, while we're the ones in charge, they are the ones with the power. That's another conundrum we have to deal with. The implication for information security is that, first, we have to harden things to defend against people who are far more nimble than the protectors who view the world in a completely different way and, secondly, we've got to educate kids far better on the rights and wrongs of the technology world, because we haven't taught them how to behave correctly. When schools teach technology, they need to teach the ethics of using that technology as well.
Social media has major security implications because such things as Facebook and MySpace penetrate the firewall. One answer is just to block the use of all social media. Another is to understand that people are going to use this stuff and so develop acceptable use policies and educate them in the ethics and safe behavior of using social media, along with developing appropriate carrots and sticks.
I don't believe that containing social media completely is a good thing because, if they really want to use it, people will find a way. I would rather know that they're doing it and be able to watch them and make sure their conditions of employment are tied to that correct behavior.
But social media is a big potential problem, not least because everything from Facebook and other sites comes through as HTML, and most firewalls don't have the ability to filter HTML. Dealing with it will be a harder leap for agencies than just implementing strong security technology. Plugging in a firewall is easy. Teaching ethics is hard.
That's an issue that involves both strong authentication and cryptography. It also involves what kind of platform you have to deal with. If you're teleworking on a government furnished, government imaged machine then you have a strong virtual private network, which is strong authentication. If you telework using your personal PC, then you've got the problem that whatever flora and fauna reside on that PC can intersect the work you do for the government.
The way that can be corrected is through thin-client technology, which relates back to cloud computing. If you are going to telework, then with that you use a virtual machine that's in a protected data center. That's probably the safest way.
The implications are tremendous. We carry BlackBerries, we carry smartphones. If the BlackBerry is on an enterprise server then there's more protection than there might otherwise be, but there are still huge implications with this technology.
Consider what I call the Android nightmare scenario. Somebody develops an Android app that loads on a smartphone but it doesn't create an icon. It just waits, and you don't know it's there, and it waits until you synch your smartphone with your computer. Then it inserts a botnet that goes and runs around in your corporate or federal network.
And it's very easy for a bug like that to get onto your smartphone or iPad because they are connected to the public Internet all of the time. They're always on. So it would not be hard for someone to put that bug on your device just by brushing past you in a crowd. It would be the modern day equivalent of picking your pocket.
The sad part about this is that, much as I'd like to think so, I'm probably not the smartest guy on earth. If I can think of it, somebody else is probably already doing it.
Strong authentication, which is interoperable across multiple environments, along with strong identity management and tiny cryptography. Traditional cryptography is generally RSA cryptography, where algorithmic strength depends on the key size. The bigger the key, the stronger the algorithm. But in technologies such as elliptical curve cryptography, very tiny keys and algorithms can nevertheless equate with very strong cryptography.
Also, technologies that provide the ability to scan for botnets are being explored. You can scan for viruses but not botnets. And stronger and different types of DNS defense.
The thing is that the way security has worked up to now is that it follows and reacts to what the bad guys do. It's endlessly trying to catch up. With the distribution of data, applications and other resources in a cloud environment, that can't be the case. Security is going to need to keep up with this move. Security can't afford to follow anymore.
Qwest's strategy is going to be to lead, to innovate, and to keep pace with the technology and our customers' requirements. To implement effectively, and to increase our effectiveness at remediation when bad events do occur, to continually work on continuity of operations planning. That's absolutely a field we are working on.
We're also looking for commonalities in federal regulations, and how to take advantage of those to build increasingly secure infrastructures for our customers. For example, there's a tremendous commonality between the government push from IPv4 to IPv6 and cloud computing. There's a lot of synergy between those things. What we are going to do is develop solutions that include security that meet multiple regulatory requirements simultaneously. That will provide a more effective security environment and, at the same time, save our customers money.
8609 Westwood Center Drive, Suite 500, Vienna, VA 22182-2215 703-876-5100 © 1996-2013 1105 Media, Inc. All Rights Reserved.
8609 Westwood Center Drive, Suite 500
Vienna, VA 22182-2215703-876-5100 © 1996-2012 1105 Media, Inc. All Rights Reserved.