O. Sami Saydjari | Weak spots on cyberdefense

After a 20-year career at government defense agencies, O. Sami Saydjari likes to think strategically about cyberdefense. Despite growing attention to the security of the nation's critical infrastructure, the United States' increasing dependence on interconnected resources has left us more vulnerable than ever before, he says, and neither government nor the private sector has the means to solve the problem alone.Saydjari spent 13 years with the National Security Agency, where he was an NSA fellow in 1993 and 1994. And for three years, he was the information assurance program manager for the Defense Advanced Research Projects Agency. Today Saydjari is CEO of the Cyber Defense Agency, a private research and consulting organization headquartered in Wisconsin Rapids, Wis., focused on defending high-value systems such as the power grid from cyber-attack. He talked to GCN about the state of cybersecurity.SAYDJARI: The attacks over the last 15 or 20 years have been increasingly sophisticated, and the quantity of attacks has grown exponentially. By sophisticated, I mean they are more stealthy, they are more complex and they are targeting more complex layers, such as operating systems and networking protocols. That makes them potentially more dangerous.The payloads of the attacks often are fairly minor, compared to what they could be. We haven't seen a lot of attacks that have been optimally malicious. A lot of them seem to be experiments or games that are being played by hackers.SAYDJARI: Yes. I would call that the criminalization of hacking, where the criminal element is beginning to employ these techniques.SAYDJARI: Twenty years ago, the infrastructure operated separately from the Internet and other open networks. So in some sense, the level of vulnerability has gone up simply because the level of interconnectedness has gone up significantly. This is excellent for productivity but creates a propagation of vulnerabilities.At the same time, security in the end systems also has gotten better in the last five to seven years. There are some good trends here. More security products are coming out, firewalls have gotten a lot better and virus detection is quite good. So there are improvements in defenses, but if you compare it to the trend of increasing interconnectedness and dependence, overall the vulnerability has gone up substantially.SAYDJARI: I would say it's identical. The government in many ways mirrors what is going on in industry. There are a small number of agencies that are doing quite well, and there are others who do quite poorly. On average, I would say that defenses are less than they could be, and our risks are higher than they need to be.SAYDJARI: The two things I would suggest are risk management and risk management. I think industry is immature with respect to the state of system engineering, figuring out how to manage your security investment for optimum risk reduction. Parts of industry have begun to manage their risk in a way that is an engineering discipline. They measure their risk, they measure what they are doing to limit it and they insure their residual risk.What is missing from the IT security community now is an understanding of which security mechanisms, which policies and procedures, what kinds of management decisions will have a major impact on security, and which ones simply are a sink of resources that don't have a major benefit. Decision-makers don't have the kinds of tools and techniques they need to make those kinds of decisions.SAYDJARI: Hackers have very limited resources at their disposal. They can develop very sophisticated attacks, they can reuse their toolkits and do interesting things. But in terms of massive damage, that is highly unlikely. To accomplish that kind of damage, you have to do military-style campaign planning. It will require insiders to cooperate and install some malicious software. It will require, in some cases, years to accomplish this and quite a bit of money to buy the equipment, test beds and experiments that will be needed to orchestrate the complex of attack steps that would necessary to have a strategic, damaging effect.SAYDJARI: The current national policy talks about the critical infrastructure providers doing a better job of defending their systems, and it makes a good set of recommendations for them to follow. But it falls short in that the commercial infrastructure providers can only be asked to do what is commercially viable, and no more. We can't ask them to defend against nation state adversaries just because they happen to be on the front line of a cyber-war. We are going to have to find a way as a country to invest in hardening our infrastructure that goes beyond what companies are commercially incentivized to do. We have to look at ways of subsidizing these companies through tax breaks or other kinds of relief systems to help them make the investments they need because it is so critical to our economy.The second thing that is needed is the government has to step in to provide situational awareness that crosses industry domains. We have no way of correlating attack information and watching the situation across domains. We need a capability to do that, and we need to develop strategies and mechanisms for sending out commands when situations develop, and the critical infrastructure providers need to be able to execute those commands quickly to stop those attacks. We need eyes and hands to defend ourselves, and that would require an investment in government programs.SAYDJARI: Our preparedness is approximately zero in terms of recovery. I don't think that has gotten the attention it requires from the government or the critical infrastructure providers. We have to figure out how not to have a situation like Katrina happen in the cyberworld. I think adversaries are going to take advantage of that and look at how to damage our infrastructure to maximize how long it takes us to recover from a disaster.SAYDJARI: A good trend in the last 20 years is that the government has become aware of the problem. The fact that I have had conversations with Congress members is a good indication that education has been successful. People are beginning to understand the issues.SAYDJARI: Senators and congressmen who have some relationship to the cyberarena. This is just the start of a process for others. The idea is to help them understand the role they play in cyberdefense and to discuss our national policies and where it can be improved.SAYDJARI: I found them very receptive. In addition to those I talked with, there are a number of other senators and congressmen who are concerned that the resources and level of priority we are giving to cyberattacks in this country are inadequate. They are very interested in finding ways to improve that situation.For example, we don't have any program to develop the eyes and hands of cyber-defense that I mentioned earlier. Such a system would take a minimum of three years to develop, and in the middle of an attack is not the right time to begin that development. The lack of cyber-recovery is another example. There are many places where we can make improvements over existing policies.