IT security reboot 2006: Top 5 influential security thinkers

Deborah Platt Majoras
Age: 43
Occupation: Chairwoman, Federal Trade Commission
Personal: Married, three step-children
College: Bachelor's degree in sociology and Spanish, Westminster College in Pennsylvania; graduated from University of Virginia School of Law
Recent accomplishments: Established the FTC's Division of Privacy and Information Protection; named co-chair of the nation's Identity Theft Task Force.
Awards: Named to Washingtonian magazine's list of the 100 most powerful women.

Slapping ChoicePoint in January with a record fine following a breach that compromised the personal information of 163,000 customers was admittedly a defining moment for the Federal Trade Commission and its crackdown on shoddy data protection practices.

But what Chairwoman Deborah Platt Majoras, on the job since 2004, says really makes her proud is knowing her agency is working harder than ever to educate the average Joe about the dangers of identity theft.

"I always say, ‘An educated consumer is an empowered consumer,’" the 43-year-old says. "I continue to believe that out of all of the work that we do, educating our consumers about the marketplace and where those dangers are lurking is probably the best public service we could provide."

Earlier this year, Majoras oversaw the creation of the FTC's Division of Privacy and Information Protection, a department formed to centralize work previously being done inside the Division of Financial Practices.

The new division's goal is not only to pursue complaints against companies such as ChoicePoint — fined $15 million ($5 million in customer redress) after hackers hijacked the company's database — but also to generate awareness and provide victim assistance about identity theft.

The FTC, the national clearinghouse for identity theft complaints that serves law enforcement agencies across the country, received 255,565 ID theft complaints in 2005, compared to 215,177 only two years prior. The agency's ID theft hotline receives about 15,000 to 20,000 calls a week, Majoras says.

"This is priority number one for her commission," says Ari Schwartz, deputy director of the Center for Democracy and Technology, a D.C.-based promoter of democratic values within the digital age. "It's the fastest growing crime in America."

In May, President Bush announced the creation of the first ever Identity Theft Task Force, co-chaired by Majoras and U.S. Attorney General Alberto Gonzales. The task force's goals are to increase aggressive law enforcement action, improve outreach to citizens, and focus on the safeguarding of federal agency data.

Shortly after the announcement was made, the FTC unveiled its "AvoID Theft: Deter, Detect and Defend" program. The program plans to send 4,500 education kits to victim advocacy groups across the nation. Materials include a victim recovery guide, training booklet and 10-minute video on ID theft.

"Consumers are the first line of defense," Majoras says. "The fact is that if we all exercise caution in our commercial dealings, if we safeguard our own information more seriously, we believe we could reduce the incidence of ID theft greatly."

Providing people with assistance should they fall victim is just as important as prevention resources, she says. According to the U.S. Justice Department, roughly three percent of the nation's households were victims of identity theft during a six-month period in 2004, losing about $3.2 billion to the fraudsters.

"Consumers are quite bewildered when this happens to them," she says. "It's a very personal crime. People react very strongly to that. They need to know how to fix it very quickly."

The FTC has flexed its muscles in other ways this year, ramping up enforcement efforts against purveyors of spyware who violate the CAN-SPAM Act of 2003. Since 2005, the agency has filed complaints against nine companies that allegedly delivered spyware to consumers.

Hours before Majoras was interviewed for this story, Zango, the result of a merger between 180Solutions and Hotbar, agreed to pay the FTC $3 million in ill-gotten gains over the distribution of adware. The agency said in a statement that Zango, which bundles adware with services such as games, "used unfair and deceptive methods to download adware and obstruct consumers from removing it, in violation of federal law."

"Spyware, particularly, is a pernicious problem," Majoras says. "By its very nature, consumers don't often know it's being installed on their computer."

But Schwartz says the milestone FTC spyware victory came in May when a judge barred Odysseus Marketing and its principal, Walter Rines, from downloading spyware without consumers' consent. What makes the case particularly notable was that the FTC made a "theoretical change" when it went after Odysseus for unfair, instead of deceptive, practices, Schwartz says.

"This was the first time in decades that the FTC brought a case on the grounds that the company told consumers what they were going to do, but it was unfair," he says. "You can't just go around burying it deep in the end-user license agreement that you're going to destroy someone's computer and that be OK. There are just some things that are unfair to consumers."

The case also exemplified Majoras' primary concern at the FTC: protecting customer interests. "One of my responsibilities at the FTC is to start an agenda," she says. "It became fairly clear early on [in my tenure] that while technology has moved us in certain ways, this technology also provides benefits for criminals, and that is something that is unacceptable."


William F. Pelgrin
Age: 51
Occupation: Director of the New York State Office of Cyber Security and Critical Infrastructure Coordination
Personal: Single
College: Bachelor's degree from Union College, law degree from Albany Law School
Recent Accomplishments: Just completed the first national government guide to child internet security, being sent to municipalities and other local governments across the country.

The electricity we use. The water we drink. The heat that warms our homes.

All of these will soon be a little bit safer — in part thanks to William F. Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination.

Charged by Gov. George Pataki with protecting the Empire State's critical infrastructure in the wake of the Sept. 11 terrorist attacks, Pelgrin has walked a fine line during the past four years by working with an international group of Supervisory Control and Data Acquisition (SCADA) infrastructure owners and vendors to bring security-minded industrial products into the market.

His influence in making the systems that run power plants, dams, pipelines and other utilities safer goes well beyond the boundaries of New York State — especially when taking one of this year's major projects as an example, says Alan Paller, director of research for the SANS Institute.

"Pelgrin's most important contribution comes from his creation and leadership, beginning in March, of an international consortium of SCADA and control system asset owners [utilities, power distributors, pipelines, chemical plants, dam operators, etc.] in a dozen countries that agreed to develop a single set of common procurement specifications so that all control system buyers could ensure they were getting optimal security baked in," he says. "By June, they had a draft, and by July, buyers were already using them. Idaho National Laboratory (with essential funding from the Department of Homeland Security) is equally responsible for the success, but Will's work — getting all the utilities in New York State, as well as many, many others to help — gave the program energy, momentum and broad acceptance."

Pelgrin credits much of his success over the past year to his work educating industry vendors and other officials on the importance of SCADA security — in addition to other top security issues, such as data theft and child safety on the web.

"How many people actually know what a SCADA system is? You see with most audiences, no more than 20 to 25 percent of people raise their hands. And I consider this one of the top two to three issues that we need to address," he says. "When Alan Paller approached me about the issue, I said, ‘Yes, I am concerned.’ I think about how often these systems are purchased, and it's about every 15 years. That's one reason I helped make this consortium, why I have this as one of my three major issues and why this should be on everyone's hit parade."

Securing SCADA and other infrastructures often comes down to how well government and corporate officials can educate the local personnel who are ultimately in charge of security. Whether the reported hackings of SCADA systems are reality or just scary stories, the stakes are too high not to do more to protect critical infrastructure, Pelgrin says.

"With SCADA, data theft and protecting our kids, reaching a community that we traditionally don't seem to embrace is very important. There is a local government aspect to what we do. When it all comes down to it, at the end of the day, these all become local issues. With SCADA systems, local authorities run SCADA systems, local authorities run water systems. With them, I hazard what's vulnerable and what challenges we face are so apparent," he says. "When you talk about SCADA, people should know what you're talking about. That was part of what I thought I could bring to the table. These are systems that are so critical, regardless of whether rumors of hackings are urban legend or reality, you have to protect them."

That attitude of an urgent need for protection of New York's critical infrastructure in the wake of the deadly attacks on the World Trade Center and the Pentagon was the impetus for the creation of the Office of Cyber Security and Critical Infrastructure Coordination, established in September 2002. Pelgrin, the former director of the state Office for Technology, immediately took the reins, assigned with preparing the state's cyberreadiness and critical infrastructure for possible attacks — and natural disasters.

Despite the agency's progress over the past four-plus years, Paller says its biggest year in securing SCADA infrastructure may come in 2007, as more vendors adjust their products to be more security-minded.

"Vendors will bake security in just to be eligible to bid on new products. And the project is moving forward to add specifications for the procurement of maintenance services so control systems that won't be replaced for years can still have the best possible security wrapper — something only the vendors are able to accomplish," he said. "He is upgrading security, but doing it in a way that enables both vendors and users to gain economically. The users share the costs of the upgrades and the vendors get paid for the additional capabilities and make their users safer."

Pelgrin, however, says that his consortium is only just starting to make SCADA safer. So, he's looking forward to increased attention from the federal level — both the legislative and executive branch.

"What's wonderful is to be at the birth of this. You're seeing people talk about this — at the congressional level on Capitol Hill, and at the Department of Homeland Security," he says. "You don't see 172 organizations around the world spending time on something that isn't important."


Hugh Thompson
Age: 30
Occupation: Chief security strategist for Security Innovation
Personal: Single, no children
College: Associate degrees in economics and physics from College of the Bahamas; Bachelor's, Master's and PhD in Applied Mathematics from Florida Tech.
Recent accomplishments: Formed AppSIC, an industry organization dedicated to coming up with independent security metrics. Starred in the HBO documentary Hacking Democracy, which highlights vulnerabilities in e-voting systems.
Awards: Microsoft named him a "Most Valuable Professional" (MVP) in the category of Developer Security in 2005.

Like many leaders in information security, Hugh Thompson has long lamented the lack of usable metrics to justify security spending in the enterprise. While most organizations have matured to the point where they at least recognize the importance of security spend, many still are perplexed as to how to figure out how much is enough.

Thompson is taking steps to help overcome such confusion.

"Over this past year, one of my biggest focuses has been on security metrics," Thompson says. "How do you help folks justify that internal spending on security? But even more important, how do you allocate it across the security lifecycle?"

Over this last year, to find ways to answer these questions, he has brought together a diverse group of security visionaries from all over the map — software developers, CSOs, analysts and vendors — to form the Application Security Industry Consortium (AppSIC). The goal of AppSIC is to develop ways for businesses to take measured risks during the software development lifecycle and to form an economic basis for integrating security throughout the process.

"I think we've done a lot of interesting work in AppSIC to at least move the ball forward in this direction, at least kick it a bit," he says. "How do we measure software assurance, how do we measure software security, or at least how do we start to think about measuring it."

As chair of the group, Thompson's responsibility is to corral industry leaders, such as MaryAnn Davidson, Scott Charney and Amit Yoran, to tackle the problem. In less than a year, the group has published a paper to lay the foundation for thinking about the topic and has conducted research that should produce some useful deliverables for puzzled IT security pros to put to use in 2007.

"What Hugh is doing with getting the AppSIC group together is trying to get the right people in the room who can make progress on this question [of metrics]," says Brian Chess, chief scientist for Fortify Software. "It's an admirable thing to do and I think he's got the right people to do it, too. If anyone is going to crack this nut it is going to be the group — and it's going to be because of Hugh."

Chess says that even more than the passion and energy that Thompson brings to the table, what he admires most about Thompson is his willingness to even attempt establishing metrics. For so long many have regarded meaningful security measurements as security's El Dorado — something impossible to find.

"What he is trying to do is to tackle a problem that is so difficult and so important that most people just can't even face it or acknowledge it. Difficult or not, it is fundamental to what we're trying to do," Chess says. "But I think most people's reaction to measurement is exactly my first reaction to it: ‘Forget that, I'm not even going to think about that, it's way too hard.’"

Thompson always has had a penchant for solving seemingly impossible problems, though. Long-time friend and colleague James Whittaker explains that his first experience with Thompson's tenacity was when he was working as Whittaker's Ph.D. student in the late 1990s. Whittaker says that after he finished a book titled How to Break Software, Thompson approached him about writing another similar book with a security spin.

"He came to me with that self-assured, cocky graduate student attitude and said, ‘I think I'd like to write a book called How to Break Software Security, rather than How to Break Software,’" Whittaker says. "I informed him that I had analyzed 10,000 bugs in writing this book and doubted that security was any different than reliability. And he said, ‘I think it is, and I'd like a chance to prove it to you.’"

Whittaker tried to hold Thompson off with what he describes as "the impossible task" of analyzing all of those bugs to find one difference between the errors he found in his book and the security errors Thompson was talking about.

"[I'm] thinking that he's going to go off, figure out how hard that was, and I'd never see him again," Whittaker says. "Well, instead of finding one, he found five. And that was the tip of the iceberg that led to that book, and he earned my respect really quickly."

When Whittaker left the academic world several years ago to start Security Innovation, a firm founded to address application security, he brought Thompson along with him to act as the first employee. Whittaker says Thompson took a leading role in building the company, as well as drawing industry-wide attention to the issues surrounding secure coding practices.

Just this year Whittaker was wooed away by Microsoft, but Thompson stayed on with the company: "In many ways I left in order for him to grow into my position there."

Even while taking an even more visible leadership role at his company and launching AppSIC this year, Thompson has still managed to carve out additional time for another pet security project: raising awareness about the dreary state of e-voting security. Thompson recently was seen in the HBO documentary Hacking Democracy, talking about his research on the topic.

"It's like going back in time 10 years and looking at software because the mistakes and some of the security issues...the vulnerabilities are so glaring," Thompson says. "They seem so obvious, but they're uncaught by whatever procedures and checks and balances are out there."

Whether it is security metrics, secure coding or e-voting, Thompson always takes the opportunity to take his messages to the streets. Some, like Chess, believe it is this ability to clearly communicate that truly makes Thompson stand out as a leading security luminary.

"He just really does a good job turning his message into something people get, and it resonates with them. And I think that they really take it away with them," Chess says. "He's a really good communicator. You don't always find that in the uber-geek crowd."


Edward Felten
Age: 43
Occupation: Professor of computer science and public affairs at Princeton University
Personal: Married, one child
College: Bachelor's degree in physics, California Institute of Technology; doctorate in computer science, University of Washington
Recent accomplishments: Has performed extensive security research on electronic voting machines and digital-rights management technology on CDs
Awards: Named to 2003 Scientific American 50, a list of leaders in science and technology; recipient of the Pioneer Award from the Electronic Frontier Foundation

In the fall movie comedy Man of the Year, Robin Williams plays a Jon Stewart-like political talk show host who decides to run for president at the urging of an audience member. He surprises just about everybody, including himself, by winning the election, despite being on the ballot in only about a dozen states.

The plot seems humorous and far-fetched at first, until viewers get a dose of sobering news: the longshot candidate wins the seat because of a glitch in electronic voting systems that caused his votes to be counted many more times than those of his Democratic and Republican opponents.

Of course, Edward Felten, a professor of computer science and public affairs at Princeton University in New Jersey, did not need to shell out 10 bucks and eat a bag of popcorn to learn that the new age of digital voting is rife with risk. After all, the 43-year-old professor and a group of graduate students had just spent the summer hacking into a real-life Diebold touch-screen voting machine, discovering ways a simple attack could compromise the integrity of an election.

"Not only does it increase risk that elections won't get accurate results, it's also a step away from the basic principles of our government, which is that citizens have a right to know how the government works and how the government processes work," he says. "Not surprisingly, when you have less transparency and oversight, you get a mechanism that is not as good."

(Diebold, the nation's largest manufacturer of touch-screen machines, has publicly defended its security by saying controls are in place at polling places to prevent illegal access, such as securing machines with tape that would reveal tampering, and that Felten and his group tested outdated software.)

Studying the ins and outs of arguably America's most important new technology and how it affects the state of the nation has consumed much of Felten's time this year. But it is not the only major project that has kept him busy.

Felten and a graduate student, Alex Halderman, also served as key contributors to the debate over the Sony BMG digital rights management (DRM) fiasco in which the music giant, in an effort to prevent users from duplicating copyrighted music, opened up users' PCs to a host of vulnerabilities. "Not only did [the rootkit-like software] allow Sony's code to hide, it also created space for other malicious software to hide," Felten says.

He and Halderman specifically studied the two rootkit uninstallers Sony offered as a solution. "They both installed an ActiveX control that could be invoked by a webpage," Felten says. "It could be told by any page on the web to download code. Any webpage could install whatever software. It was about as serious as a vulnerability could be."

While both the e-voting and rootkit investigations involved two distinct technological issues, they both underscored Felten's belief that Americans should always be permitted to understand the technology they are using. (His popular blog, started in 2002, is aptly named, "Freedom to Tinker.")

"More and more of what we do in the world is controlled and mediated by computers," he says. "Ultimately, the technology devices you own and use should be serving your interests. To try to sneak technology on a user's machine without a user knowing what's going on, I think that's harmful."

Rush Holt, a Democratic New Jersey congressman who proposed the Voter Confidence and Increased Accessibility Act mandating audit trails on all voting machines, says Felten is unique because he understands the need for researchers to educate Americans and stimulate their thought process.

"I first started seeing him at public meetings," Holt recalls. "I was impressed that he was a scholar, a real expert in the field, who is also a good public communicator. Not only was he able to communicate to the public, he was willing to do that. Ed recognized that particularly with regard to voter security, public education is an important part of the work."

In September, Felten demonstrated to the U.S. House of Representatives Committee on House Administration how somebody can place a removable memory card into a DRE (direct recording electronic) voting machine to install a virus. "It could flip votes from one candidate to another without much chance of detection," he says.

"He was given about two minutes to make his demonstration at a hearing," Holt says. "But he did it very well. I thought it was gripping. Everyone in the room was paying attention."

Cindy Cohn, legal director of online watchdog Electronic Frontier Foundation, says she and her staff consider Felten their "hero." The organization successfully defended the professor about five years ago when he sued the music industry to have a scientific paper published that showed how he and his team broke through now-defunct digital watermarking technology that was designed to prevent copying.

"He inspires others," she says. "There is a growing group of scientists that need to be engaged in the policy debate if they want to stop bad things from happening. We think he's got a message that's catching on."


Sen. Olympia Snowe
Age: 59
Personal: Married to former Maine Gov. John R. McKernan Jr.
College: Bachelor's degree from the University of Maine, 1969.
Recent Accomplishments: Second-term senator serving on Commerce, Science and Transportation committees, Senate Select Committee on Intelligence.
Awards: Named 54th most powerful woman alive by Forbes magazine; one of top 10 senators by Time magazine.

Asked to name the top IT security-minded federal legislators, most CSOs would probably pick a congressperson from Silicon Valley, the technology-rich suburbs of Boston, the Pacific Northwest or Northern Virginia.

But one of the most influential lawmakers on IT-related matters hails from Auburn, Maine, a continent away from the heart of the network security world.

U.S. Sen. Olympia Snowe, R-Maine, may represent a state known for its legendary beaches and New England fall foliage, but she realizes the impact that information security has on even the smallest of businesses.

This year, Snowe sponsored the Small Business Information Security Act of 2006 — which was sent to committee — as well as a resolution with Sen. Conrad Burns, R-Mont., declaring October "National Cyber Security Awareness Month."

The reason: now the smallest of businesses are learning that cybersecurity can, if ignored, negatively affect the bottom line, says the two-term senator.

"Maine's economy, like the economy of many rural states and rural nations, is quickly changing. To compensate for the loss of manufacturing jobs over the past decades and capitalize on the ability of information technology to be a catalyst for economic development, Maine is adapting by looking to information-based jobs to fill the void," says Snowe. "It is important to stay on top of the issues that will affect Mainers, and all Americans, in the years to come. IT-related issues will continue to play a vital role in the growth of our economy, and I will continue to work hard to meet the new challenges that these issues will bring."

The first Republican woman to serve a full term on the Senate Finance Committee, Snowe says the bill's creation of a Small Business Information Security Task Force would be especially effective in helping businesses with few resources identify their information-security related needs and threats.

"This task force will advise the Small Business Administration and help small businesses both understand the information security challenges they face and identify resources to help meet those challenges," she says. "This legislation creates a clearinghouse of information, resources and tools — compiled by a group of public- and private-sector experts in the field — that will ease the trouble, confusion and cost often associated with enhancing information security measures within a small business."

Paul Kurtz, executive director of the Cyber Security Industry Alliance, says Snowe has identified an important niche of consumers that could need help with IT-security related matters.

"Many times in Washington, we focus on big government and the big enterprise and we don't spend enough time going with the small enterprise and small businesses. How do we know that they have the right tools and the right features to protect themselves from what's out there today," he says. "There are a few things we have to remember: She's the chair [of the Senate Committee on Small Business and Entrepreneurship], so it's important for her to raise this. There are a lot of small businesses out there, and while Maine and Vermont don't have a lot of population, they do have a lot of mom-and-pop businesses. From her roots, I bet the internet means a lot to those people."

Blazing trails is something Snowe is accustomed to. The first woman ever to serve in both chambers of her statehouse and the U.S. Congress, 59-year-old Snowe was the youngest Republican woman and the first Greek-American woman elected to the national body when she was picked to represent Maine's 2nd District in 1978.

The first woman to represent Maine in the Senate since Sen. Margaret Chase Smith, whose term ended in 1973, Snowe was named one of Time magazine's top 10 U.S. senators in an article praising her centrist views on a number of national issues. Just last year, Forbes magazine named her the 54th most powerful woman in the world.

To her, information security must go beyond even the largest of organizations; she says that both the private and public sectors as a whole must realize the importance of a strong defense against cyberattacks, or it could be too late to prevent a crippling act of cyberterrorism against the U.S.

"Unfortunately, cyberattacks are becoming more frequent and more severe, and the perpetrators are becoming harder to identify and bring to justice. Today, half of all cyberattacks originate in the U.S., which far outpaces the rest of the world," she says. "If Congress does not exercise constant vigilance, America could suffer a massive information security breakdown that paralyzes our major cities, renders our communication systems useless, and exposes millions of Americans to another massive terrorist attack. The seriousness of this issue, and the constant need to address cybersecurity concerns, cannot be understated."
