Keith Rhodes | Effective IT security starts with risk analysis, former GAO CTO says

Keith Rhodes, now chief technology officer at QinetiQ North America’s Mission Solutions Group, discusses the importance of setting priorities for protection and who in government is doing a good job with security.

Keith Rhodes has a good grasp of the role technology plays in the government's mission. As a supervisory scientist at the Energy Department’s Lawrence Livermore National Laboratory, he led the design, development and testing of secure space communications for a strategic Defense Department system. Later, he was chief technologist and director of the Government Accountability Office’s Center for Technology and Engineering, where he also served as the lead adviser to Congress on technical issues.

He has testified frequently before Congress on information technology security, an area that GAO has consistently found to be a high-risk endeavor in the government. He advocates a risk analysis and management approach rather than focusing on the perimeter.

Rhodes became senior vice president and chief technology officer at QinetiQ North America’s Mission Solutions Group in 2008. He spoke recently with GCN senior writer William Jackson about IT security.

GCN: Government IT security has consistently been assessed by GAO as a high-risk area. Does it remain so?

KEITH RHODES: Yes, and I don’t think that anyone should be surprised if it does remain so for a long time. Government is a nice target. It is high value, and it is subject to all the threat vectors, whether it is nation-states, organized crime, individuals or virtual gangs. The government is a plum; it is always going to be attractive, and IT security is going to have tremendous challenges, which means it will always be at high risk.

Government has put a lot of effort into securing its systems. Why is IT security such a tough nut to crack?

Rhodes: IT security isn’t a thing in and of itself. IT security is about mission assurance. You’re trying to assure that a mission gets accomplished. You have to bring that focus with IT security. No one can secure everything, but you have the ability to protect those things that matter. If an organization, whether it is the government or private industry, tries to take a blanket approach, you won’t have enough money, you won’t have enough technology, and you won’t have enough time to build a continuous security system.

So you have to answer four questions: What am I trying to protect? Against whom? For how long? At what cost? That is a challenge for most organizations. A lot of the security approach has been point solutions that take care of an edge boundary, and organizations would be well served to do risk analysis and figure out what the priorities are that need to be protected to assure the mission is accomplished.

The risk is defined by human beings, and that is why it becomes a tough nut to crack. You can’t buy security out of catalogs. You have to be an active participant in the risk analysis.

You describe security as a continuous process of monitoring, testing and adapting. Do agencies have the resources for that?

Rhodes: Yes, if they do the risk analysis, I think they will find they can get those resources. If I’m trying to protect everything against everything, then Croesus doesn’t have enough gold to protect everything. You have to decide there are some assets that have greater value to the mission than others, and those are the ones where you are going to focus your time and effort. There are some things you will have to focus on, and it involves continuous monitoring and adaptive security and continuous risk analysis to keep your eye on the parts of the organization that matter the most. It is not that you take your eye off other parts, but you might use more traditional approaches in some areas and others you will really focus in on.

How do you sell IT security when budgets are tight?

Rhodes: Again, it comes back to mission assurance. If a chief security officer goes in and says, “IT security is good, here’s how much it costs, and we should do this,” and leaves it at that, the odds of his getting the money are slim. You need to walk in with a mission profile approach and show how IT security assures mission accomplishment — say, “Here’s how much it’s going to cost, and here’s how much it will cost if you don’t do it.” You’ve got to give them a cost/benefit analysis, and you’ve got to have a return-on-investment strategy. Your return on your investment is [that] your mission is accomplished. That is how you sell it in times of austere budgets.

Who in government is doing this right?

Rhodes: The Defense Department actually does risk analysis and focused protection well. Not perfect, obviously, but they do it better than a lot of other people do because they understand their mission. They also understand they are continuously under attack, and they have that mind-set. They are managing their security to their risk profile because they have to accomplish their mission, come hell or high water.

In other departments and agencies, you’re going to find pockets that do it better than others. But if I had to pick a department that designs to risk, then I have to pick the Defense Department, even though they are always in the press because they are always under attack. To me, that means that they are responding to the real-time threats. Nobody has stopped the DOD yet with an electron.

Can other agencies learn from DOD, or are their situations too different?

Rhodes: I don’t think they're too different. The one thing that people need to understand is that complacency has no place in security. You can never rest on your laurels. This is a continuous process of monitoring, testing and adapting. The threat evolves, the vulnerability set changes, the infrastructure changes, and [you have to account for] all of those changes.

Has the Federal Information Security Management Act helped the state of the government’s IT security?

Rhodes: FISMA has helped because it gave a framework. It made information system management and security management something that everyone was held accountable for. That said, implementation is everything. If security people view FISMA as just a checklist, nothing is going to get done. If you’re expending a huge amount of energy trying to do your day-to-day operations, a lot of people are going to look at it as another piece of paperwork that has to be sent in.

It’s not that FISMA hasn’t helped or that it needs to be changed. It’s a function of the information collection and the oversight associated with it, which needs to be strong. It needs to not be viewed as a paper exercise or allowed to be used as a paper exercise. It is a matter of making sure people do not become complacent because they met their check box on FISMA.

Are there any changes that you think should be made to FISMA?

Rhodes: The only point I would stress is that if people are going to crack open FISMA and take a look at it, make certain that they strengthen and retain the risk management and risk analysis part. You can’t secure everything, you can only protect those things that are important to you, and that’s a function of risk, which is derived from mission assurance.

How have threats to information systems changed over the years?

Rhodes: They have become more automated, so anybody can do it. I was asked by [former] Sen. [Fred] Thompson from Tennessee what it would take to turn somebody into an accomplished hacker. And I said one mouse click. You are one mouse click away from somebody having an automated tool to use against you. The ease of attack is light years ahead of where it was just five years ago. The infrastructure has become far more complex over the last 10 years, and we have become far more dependent on it. The threat is now more complex because it has more attack points.

Once upon a time, it was the nation-state you worried about most, and it was the most powerful because [it] had armies and missiles. Now, we’ve seen where the individual has as much strength as a nation-state because he can now penetrate your network, establish a botnet, and sit back and wait until [he wants] to do something.

The threat has also morphed to being a for-profit business. Once upon a time, people broke in just to make a name for themselves. Now they’re selling their warez and skill sets and zero-day exploits.

Has security changed quickly enough to keep up, or are we falling further behind?

Rhodes: In some ways, we haven’t changed fast enough. We’re still buying and designing to boundary protection. Where we have moved faster is in understanding there has been a game change in the opponents where it has moved to for-profit crime.

From a threat analysis standpoint, we’re not perfect, but we’re better at that than at the implementation. The threat calls for prediction and proaction, and security design tends to be traditional endpoint solutions. The thing that will help that will be to manage to risk rather than trying to have a blanket solution.
