What keeps federal CISOs awake at night
- By Derek Major
- May 22, 2015
Think you know how to keep intruders out of your IT systems? Then don't bother applying for a job at the Department of Veterans Affairs.
According to Stan Lowe, VA's deputy assistant secretary of information security, anyone who would “unequivocally state that they know without a shadow of a doubt that there is nobody in their network, I would say 'thank you very much, here’s a white box, get your stuff and get out.'”
Lowe, who spoke at a Washington, D.C., cybersecurity conference hosted by FireEye, said there was no true way for anyone to know if a system is completely clean, so to keep his network as safe as possible he always acts as if his systems are under attack.
“All I can say is from the information I have and that my partners have, we think we’re pretty secure,” Lowe added. “However, there’s no true way to know, so you have to act as if you’re already compromised. Any common-sense person in my field would operate under the assumption that we’re already being attacked and now the question is how we protect our data. So right now we’re trying to find better ways of showing data that we have that proves that something is happening or not happening.”
Retired Air Force Lt. Gen. Michael Basla echoed Lowe's assertions. “Our approach has always been, defend to the best ability, then react when something has occurred,” said Basla, who is now the senior vice president of Advanced Solutions. “The approach with that is we are really adopting a strategy of big data analysis. We want real time analysis of that streaming live traffic.”
Basla and Lowe were part of a wide-ranging discussion on the difficulty of protecting vital systems, which also included Department of Commerce acting CISO Roger Clark and Mark Kneidinger, the Department of Homeland Security's acting director for cybersecurity and communication, federal network resilience.
FireEye Vice President and Chief Technology Officer Tony Cole served as moderator and asked the panelists about their biggest near-term cybersecurity concerns. Clark talked about the scary side of the future.
“What’s really scary is when you start thinking about how expansive the threats can be as you start connecting more and more through the Internet and through unsecured systems,” Clark said. “You look at houses that have everything connected ... and as a person who’s getting older, I’m really getting worried about the potential of medical devices and someone coming in and doing harm to me while I’m up here trying to talk.”
Kneidinger also pointed to the Internet of Things as a prominent concern.
“I think that the Internet of Things ... just expands the dangers of being hacked,” Kneidinger said. “We have to build some protocols, some process that controls for these devices before we accept them.”
“We have created Internet isolation capabilities” for some IoT systems, he said. “Threats will continue to rise and we’re not going to stop them, but there are ways we can fight.”
Kneidinger also raised the question of how cyber warfare could be better factored into security planning in the future.
“One thing that we haven’t really addressed as a country and as a world is the rules of the road associated with cyber warfare,” Kneidinger said. “No one knows where the red line is right now. We have a very hard time defining what an act of war is right now and what is permitted and not permitted.”
“I know the bad guys don’t have to follow the rules,” he said, but “the good guys need to know what the rules are so when someone crossed the line we can hold them accountable.”
Derek Major is a former reporter for GCN.