Growing pains for the U.S. strategy
A year and a half ago, Silicon Valley executives converged at Stanford University in Palo Alto, California, for an eagerly anticipated event – the Bush administration's release of a strategy for securing cyberspace.
Now, the fanfare that accompanied that event is a faded memory. Yet the plan – released in final form in February 2003 – is not collecting dust on a shelf, according to the country's top cybersecurity official. The government has been working aggressively to implement the strategy and is making a lot of progress, asserts Amit Yoran, director of the National Cyber Security Division (NCSD) in the Department of Homeland Security (DHS).
Among the accomplishments are the National Cyber Alert System, the development of private-public partnerships, and enhanced planning and communication to respond during a crisis.
Since he was appointed to the post last September, some technology executives say that Yoran – Symantec's former vice-president of worldwide managed security services – has done a good job pushing cybersecurity issues to the top of the agenda and is making great progress.
However, some security experts say that the government's efforts to secure the internet fall short, while Democrats on the House Homeland Security Select Committee charge that the Bush administration has failed to prepare the country for an electronic 9-11.
For Yoran, the National Cyber Alert System is a big step towards boosting America's IT security posture by increasing awareness – one of the priorities outlined in the national strategy. Launched in late January, the system provides free security tips and alerts about vulnerabilities and threats via email to home and corporate users.
"We have tried to simplify cybersecurity and make the information available to all users of the internet," says Yoran, describing the operation as "almost the equivalent of the emergency broadcast system in cyberspace."
More than a quarter of a million users subscribed to the system within a week of its launch, he adds. It is managed by the U.S. Computer Emergency Readiness Team (US-CERT), a partnership between NCSD and Carnegie Mellon University's CERT-CC.
Unveiled last September, US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities and coordinating incident response activities. According to Yoran, it is part of NCSD's effort to fulfill the national strategy's plan for a National Cyberspace Security Response System.
Forging private-public partnerships
A major focus for NCSD has been the public-private partnership called for in the strategy. "There is a tremendous effort this year to operationalize that partnership," says Yoran. "There's been a lot of joint and collaborative strategy, a lot of dialogue and, in some cases, there has even been some meaningful progress.
"What we're looking at doing is determining how to take both public and private sectors, bring them to the table, get the information exchanged and raise our cybersecurity preparedness through that venue."
NCSD is also working with many of those operating critical infrastructures to help them understand how to better protect those systems and develop appropriate security measures, he adds.
In collaborating with the private sector, the government is working closely with a variety of groups, including the Information Sharing and Analysis Centers and InfraGard, he notes. In December, for example, DHS co-hosted the National Cyber Security Summit, which brought together more than 300 security professionals to agree ways to implement the national strategy.
Overall, the private sector's response to implementing the strategy has been positive, but more work is required, says Yoran. "I would characterize the private sector's response as eager to collaborate, eager to work with the public sector, but establishing the venues where that public-private partnership can move forward at an operational level is where meaningful work is required," he states. "That's really where we're focused over the next year."
Planning for the worst
At the operational level, some of the work includes planning for bad-case scenarios. That involves how federal agencies communicate with each other through a non-internet private network, called the Critical Infrastructure Information Network, if other communications mechanisms fail, and also how they can coordinate with private-sector participants to help restore the communications infrastructure, Yoran explains.
The Cyber Interagency Incident Management Group, which coordinates intra-government preparedness and operations in response to cyber attacks, also is helping to ensure that the country is ready in the event of a crisis, notes Yoran.
"There is great coordination across the federal government. We're moving in a unified front in the cyberspace realm... We've made great progress and we'll continue to move forward aggressively," he declares.
Despite Yoran's assertions of progress, Democrats on the House Homeland Security Select Committee in late February issued a scathing report on the Bush administration's homeland security efforts, which cites numerous shortcomings on the cyber front.
According to the report, there is no structure in place to coordinate public and private agencies in the event of an electronic 9-11 and the administration overall has been slow to implement the national cybersecurity strategy, "leaving our nation at risk and unprotected."
The study claims that some of the steps taken by DHS to protect cyberspace – including the National Cyber Alert System – seem to only replicate previous efforts, a view shared by Marcus Ranum, senior scientist at TruSecure, who says: "Most of what DHS has been doing is announcing redundant initiatives."
Furthermore, Yoran's position "is buried too deep in the bureaucracy of DHS with little authority for effectively leading our country's cybersecurity efforts," according to the report. Yoran's predecessors with the Critical Infrastructure Board – which was dismantled with the creation of DHS – were presidential advisors.
Yoran declines to discuss the Democratic report, which includes numerous recommendations, although he acknowledges that "we would all like to see more rapid progress." He insists that the government has made tremendous strides in implementing the strategy.
As for criticism that his position is too far removed from the White House, an issue raised prior to the committee report, Yoran says he enjoys an ongoing dialogue with officials at the White House, where he goes at least once a week. Moreover, the White House is a policy-setting body, not an operational organization – the actual work of the federal government occurs in departments and agencies.
"The natural focus point for cybersecurity issues is the Department of Homeland Security," he asserts.
Yoran also rejects the notion that the National Cyber Alert System is nothing new. First, he asserts, it offers information that is much easier to understand than systems that are geared for the technically savvy. In addition, unlike other systems, it carries the authority of being America's cyber alert system.
"When you look at the progress we're making in implementing the national strategy, there is a range of areas which I would characterize as operational progress. How do we improve the existing set of systems, our response capabilities, and the speed by which we communicate and share information with folks?" says Yoran.
"Then there are the long-term and strategic initiatives that are under way – how to improve the quality of software and reduce the number of vulnerabilities? How do we improve and move the ball forward in some of these other areas – but which will take years if not decades to receive benefits from?"
Dan Burton, vice-president, government affairs, at security vendor Entrust, has been impressed with Yoran's work so far. "At the cybersecurity division, it's not a time for headlines," he says.
"It's a time to operationalize programs and Amit has the skills to do it. He is laying a lot of the groundwork that will be necessary to make that division run well. A lot of that work is not glamorous, it's not high profile – it's steady implementation and building bridges with the private sector. He's doing a great job in that respect."
He notes that the strategy is not a blueprint, but rather an overarching philosophy: "A lot of the job is interpreting what that strategy means and how you put in place programs that support those overarching objectives. That clearly takes time."
A broad appeal
With his experience in both the private and public sectors, Yoran has a balance of skills that instills confidence in both sides, believes Burton. Before Symantec, Yoran founded managed security firm Riptech, where he raised venture capital and oversaw the development of technology, operations, sales and marketing as CEO. Symantec acquired Riptech in 2002.
Before that, Yoran was a U.S. military officer, directing the vulnerability assessment program for the U.S. Department of Defense's Computer Emergency Response Team.
"The trick he has to pull off is making industry feel responsible and responsive to homeland security needs," states Burton. "He doesn't have a mandate to do this. There's no legislative vehicle he's going to use. It's just the force of his personality."
Harris Miller, president of the Information Technology Association of America (ITAA), says Yoran is making great progress, despite the time lost between the release of the strategy and his appointment.
"It's not as if the DHS folks paid no attention to cybersecurity," says Miller. "But because the team at DHS had so many other responsibilities, it wasn't getting adequate attention. Since Yoran came on board, however, it's been getting tremendous attention."
ITAA was one of the hosts of the December summit, which Miller describes as very successful. Task forces organized at the summit were slated to release reports in March or April.
Initially, ITAA was concerned that Yoran's position was too far removed from the White House. Miller observes that Yoran "clearly is looked to as the go-to guy within the administration on cybersecurity issues. In a perfect world, I would have had his position at a different level. But it's also important to have the right person, and he's the right person."
Rather than becoming another strong player from the private sector who gets swallowed up by the bureaucracy of Washington, D.C., Yoran showed leadership by immediately engaging the industry, believes Doug Goodall, president and CEO of security firm RedSiren.
"He's been very effective in taking the first steps... There's nothing more difficult to do than to create something that doesn't exist around an imperative like national security and do it in a world that is enormously political with lots of vested interests," states Goodall. "He accepted the call."
So who's got the power?
Yet Bruce Schneier, CTO of managed security firm Counterpane Internet Security, believes federal cybersecurity efforts have been ineffective because NCSD lacks authority.
"The problem is that the office has no power. You can't secure anything without offending somebody," he says. "It's telling ISPs: 'You're giving every one of your customers a personal firewall. Now shut up, I don't care if you don't like it.' And it's telling software companies: 'You won't release software unless it's secure. Yeah, it will hurt your business... but too bad.'
"As long as the government is unwilling to offend anybody, all you get out of the office of cybersecurity is pleading and recommendations, which don't actually do any good."
The national strategy doesn't recommend specific legislative measures to secure cyberspace, but regulations are not out of the question, warns Yoran.
"It would not be prudent for us at this time to restrict ourselves to the use of any tool at our disposal which we deemed appropriate to protect the public interest," he says. But he declines to discuss in which areas he believes regulations could help.
While the strategy does not advocate regulatory action, it does stress the need to secure government's cyberspace. In light of the annual Federal Computer Security report card that gave failing grades to several federal agencies, progress on this front has been too slow, according to a briefing Yoran gave in February to the ITAA. However, he cites a number of initiatives such as the Government Forum of Incident Response and Security Teams, which share information across agencies.
From what he has seen among federal customers, cybersecurity has become a priority for the government, says Ryan McGee, director of product marketing for McAfee Security at Network Associates: "You can see from the outside how dedicated the entire federal government has become."
Overall, Marc Willebeek-LeMair, CTO of TippingPoint Technologies, wants to see more cybersecurity action from the federal government. He acknowledges that Yoran has not been in office long, but adds: "Soon, we're all going to want to see some measurable and clearly identifiable steps."
Looking forward, Yoran says getting the public and private sectors to work well together remains a challenge, but he also sees a great opportunity for NCSD to change the fundamental paradigm of cybersecurity.
"By that I mean the strategic programs, the long-term initiatives to improve the quality of software, the software development lifecycle, to make the changes that will ultimately eradicate a vast majority of the attack techniques our adversaries employ."
For now, he believes, the nation's level of preparedness against cyber attacks has increased significantly. For example, the Love Bug of 2000 caused much more significant outages and downtime compared to the more sophisticated MyDoom, he says, crediting improved security technology and increased user awareness. Efforts in education, information assurance and awareness – such as the National Cyber Security Alliance and its Stay Safe Online program – are paying off, he adds.
Despite the multi-dimensional cybersecurity campaign, we can expect to see attackers continue to invent new and creative ways to penetrate networks and cause problems. "It's unrealistic to say zero downtime is our expectation," warns Yoran. "Of course, we strive to that, but we also need to be realistic and ensure the disruptions are infrequent and of minimal duration when they do occur."