IT security reboot 2008

Rep. James Langevin
Age: 44
Occupation: U.S. congressman (D-R.I.)
College: BA, Rhode Island College; MA, Harvard
Personal: Single

Rep. Michael McCaul
Occupation: U.S. congressman (R-Texas)
College: BS, Trinity University; JD, St. Mary's University
Personal: Married, five children

Now that Barack Obama has been elected president, he faces a tremendous responsibility: keeping the country safe. Fortunately, he will have some useful advice on the matter. The Center for Strategic and International Studies (CSIS), along with Congressmen James Langevin and Michael McCaul, has been working since last year in a bipartisan group called the Commission on Cyber Security for the 44th Presidency, which comprises private and public sector experts.

“The work that we've done on cybersecurity is important for the country, and it is work that is long overdue,” says Langevin (pictured on the left), who heads the commission.

The commission intends to brief the next president before the end of the year and recommend comprehensive strategies for organizing and prioritizing efforts to secure America's computer networks and critical infrastructure.

“We have become more interdependent and interconnected through the use of the internet,” Langevin explains. “We've also become much more vulnerable because of the free and open architecture of the internet, because that's how it was designed.”

To address this overarching problem, the commission's agenda includes issues such as infrastructure protection, software assurance and information security initiatives in both the public and private sectors.

“There are three main areas to this – criminality, espionage and cyberwarfare,” says McCaul, commenting on the work of the commission. “We have the cyberwarfare capability in this country, but the idea of a rogue group having similar capability is a real concern. One of the things we found was the lack of coordination among the Department of Defense, the Department of Homeland Security and the National Security Agency. Thus, we have agencies that have the offensive capability not talking to the agency that has the responsibility of defending the networks.”

One of the central recommendations expected to come out of the commission is that overall responsibility must be elevated to the White House – to the National Security Council – and that it must be budgeted.

“The key question is: Who's in charge? There is no coordinating force that brings it all together,” McCaul says. “That is a glaring void. Somebody should be responsible for coordinating people tasked with doing the attacks and those charged with defending against the attacks.”

It is key, then, to determine where the authority should lie in terms of directing a cybersecurity initiative, Langevin adds.

Suggestions will go far beyond defining roles and responsibilities, however. “Cybersecurity is about raising awareness and making sure that it gets on the top of the radar screen for the next president, as well as making sure we are giving him a blueprint that has been well thought out and will present a sound strategy to protect the country,” Langevin says. “I've been excited about the prospects, because we have some bright minds on the commission from across the country [about 40 people], who are experts in cybersecurity, both inside and outside of government.”

As to the main purpose driving the commission, Langevin says, “We live in a free and open country, which is our greatest strength and our greatest vulnerability. We can't fully protect ourselves from every conceivable threat, so we must concentrate on identifying those that are most glaring and work aggressively to try to reduce them. [We must] try to prevent as much as we can, and try to protect the country as much as we can.” – CM

Paul Smocer
Occupation: VP for security, BITS
Personal: Married, one child
College: BA, Indiana University of Pennsylvania
Recent accomplishments: Assisted in the 2007 merger of Bank of New York with Mellon Financial
Awards: Finalist for ISE Mid-Atlantic Awards security executive of the year

In the ancient Greek battle of Thermopylae, the Spartans defended a narrow mountain pass against thousands of Persian invaders. Information security professionals are like the Spartans, fighting against hordes of oncoming threats and risks being thrown at their organizations.

When he heard it years ago from a former employer, this analogy stuck with Paul Smocer, vice president for security at BITS, a Washington, D.C.-based financial services consortium whose members are 100 of the largest financial institutions in the U.S. And it rings truer today than ever. As a 30-year IT security veteran, Smocer can give you another history lesson — on the evolution of the industry over the past decade.

“When I think back to the year 2000 and pre-2000, most of the focus in information security was around access control,” Smocer says. “Then we saw it grow into infrastructure security – protecting your network from the outside. Then it morphed into email security where we saw the beginnings of spam and phishing.”

The focus then shifted to securing against insider risk, then yet again to data loss prevention. Now, the latest wave is around business application security, Smocer says.

The threats that IT security professionals are facing have evolved over time, but none of them have gone away. With more threats than ever before, Smocer knows how important it is for organizations to join forces in their security efforts.

Within the financial industry, Smocer is working to do just that in his role at BITS. A division of The Financial Services Roundtable, BITS was created in 1996 to provide guidance about emerging security issues facing its institutions.

“Information security, in particular, is an area where the participants recognize it is a battle not best solved individually,” Smocer explains. “Collectively, we can accomplish more than individual institutions can.”

A problem with one financial services institution tends to have fallout with all. Customers read about breaches and question whether their institution has the same problem. When one suffers, others tend to suffer as well. BITS participants recognize that working cooperatively with each other helps to serve the industry as a whole.

Smocer became actively involved with BITS while working as chief information security officer of Mellon Financial. He came on as a member company representative on the security and risk assessment steering committee, of which he eventually became chair.

In the changing post-9/11 landscape of security in the financial services industry, Paul was a standout on the steering committee. He helped make sense of new security regulations that were coming down on financial services organizations, and he became the voice of reason, says Gene Fredriksen, global information security officer for Tyco International, who served on the steering committee with Smocer.

“There are people who see the problem, and there are people who see broad solutions and have a broad perspective,” Fredriksen says. “Paul always had a broad perspective, looking at systemic issues, not just a Band-Aid approach.”

Smocer has spent his career in roles where he thought he could make a difference in IT security. It was during his tenure on the steering committee that Smocer saw the opportunity to make a difference, not just within a single organization, but across the financial services industry as a whole. Smocer went from a member company representative to a BITS employee in February when he took on the role of vice president for security.

Smocer is now responsible for promoting the safety of financial institutions through the development of best practices and strategies for secure infrastructures, products and services.

“It all comes down to making sure the membership is served in providing them a good forum of collaboration and development of industry best practices,” says Smocer.

Since coming into his new role with BITS, Smocer has led initiatives around email security, education and awareness, and business application security. He also has begun reaching out to other financial services organizations and the Federal Trade Commission to explore ways they can work together in the future. His focus as of late has been on identifying key issues that will be priorities for 2009.

Throughout his career, Smocer has seen threats grow in number and cybercriminals evolve from individuals and script kiddies to organized groups. IT security professionals are now faced with more sophisticated and frequent attacks, so it's not a place where one can rest. It's a place of constant change. Over the years, what Smocer hasn't seen falter is his vigor for the job.

“The passion for the job hasn't changed,” Smocer says. “The challenge of keeping up with everything has.” – AM

Elizabeth Nichols
Occupation: VP engineering and CTO, PlexLogic
Personal: Married, two children
College: AB, math, Vassar College; Ph.D., math, Duke University
Recent accomplishments: Developed solutions in satellite mission optimization, industrial process control, war gaming, economic modeling, enterprise systems network management, and most recently, security metrics.

Many organizations struggle to make cost-effective security investment decisions. To help make that struggle a little less onerous, the Center for Internet Security (CIS) has been developing what it hopes will be widely accepted metrics for decision support.

Elizabeth Nichols, who was tapped by CIS to help develop a security metrics schema that will serve as a structure for the final definition of each metric, is eager to see the results of her work at the organization form the basis for measurement frameworks for years to come.

“I've known some of the principals at CIS and worked with them early on in their configuration benchmarking efforts,” she says. “So I've had a long association with the [group]. And, of course, I've been working a lot in metrics. So we came together and they said it would be great for me to participate in leading one of these sub-efforts dealing with consensus metrics. I'm deeply involved in defining these consensus metrics.”

Experts at CIS say that the consensus group of IT security industry players will develop a metric framework and a service to define, collect and analyze data on security process benefits and outcomes.

“The mastery of risk, which is what one is trying to do when you manage security, is realizing, in a way, that you can influence the future,” says Nichols. “You can take control of at least a part of your destiny. You can turn the odds a little more in your favor. That's what you're trying to do with security metrics. You're trying to add knowledge to a very complex process, so you can make better decisions and, hopefully, force outcomes to be more positive. You can't eliminate threats and breaches, but you can at least anticipate them and know what the most successful strategy is to deal with them – and have hard data to back it up.”

The CIS is a nonprofit group that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. It provides enterprises with resources for measuring information security status and making rational security investment decisions.

According to the group, once the metrics data is available, a number of important goals can be met. For starters, it will offer the ability for enterprises to compare their outcomes and understand the practical benefits and effectiveness of best practices. Also, it will provide a rational basis for formulating information security strategy and making cost-effective investments.

“There are a good many reasons for measuring security,” Nichols says. “One is efficiency, which impacts costs. Another is effectiveness, and yet another is determining progress, to see whether you are improving.”

In her spare time, Nichols has written a number of works. She authored a chapter in Beautiful Security, to be published in spring 2009 by O'Reilly and Associates, and contributed to Security Metrics: Replacing Fear, Uncertainty and Doubt, by A.R. Jaquith.

In addition, she co-authored five textbooks on microprocessor programming and digital integration, microcomputer communications and UNIX. Three of the books were translated and widely distributed in Europe and South America. Other works include several research papers on mathematics and computer science published in research journals, such as the IEEE Journal on Security and Privacy, as well as the trade press.

When asked about the prospects for the CIS efforts, she says, “I am very optimistic. Security metrics have been stuck in the dark ages too long. As Lord Kelvin [a 19th-century mathematical physicist] said, ‘To measure is to know; if you cannot measure it, you cannot improve it.’” – CM

Bob Russo
Age: 58
Occupation: General manager, PCI Security Standards Council
Personal: Married, three children
College: Attended City College of New York
Recent Accomplishments: Led the release of v1.2 of the PCI DSS standard

On any given day, ask Bob Russo where he is in the world and it may take him a few moments to remember. Russo, head of the Payment Card Industry Security Standards Council, the two-year-old group responsible for driving adoption of the PCI Data Security Standard (PCI DSS), undoubtedly will get his bearings soon enough. His hectic schedule, though, usually gives him pause.

Most recently, he was in London for three days. A day before that, it was Switzerland; before that, Brussels for four days. But, after what amounts to a typical spate of travel, he was back in Long Island City, N.Y.

“I'm home for two days to see my grandkids,” the 58-year-old says. “Then I get on a flight to Paris. I literally live on the road.”

Russo admits that the constant travel certainly comes with a wear-and-tear factor. But when you are hired to sell a global security standard to merchants, banks and anyone else involved with the credit card payment process, spending your days in a cubicle simply won't cut it.

“I'm here in an evangelical role,” he says. “My job is to make sure everyone knows about the standard.”

Since Russo took the helm in 2007 as the council's general manager, he has essentially served as the face of the PCI standard, a set of 12 requirements for protecting cardholder data wherever it is stored, processed or transmitted.

By all accounts, this year has been a wildly successful one for the council. It oversaw the release of two new standards – one addressing the security of payment applications, the other PIN-entry devices – while also pushing out the much anticipated version 1.2 of its staple PCI DSS. In June, the council launched a quality assurance program aimed at assessors and scanning vendors – those charged with validating PCI compliance – in hopes of limiting vendor confusion and establishing consistency.

Russo's fingerprints can be found on practically everything the council does, but perhaps nowhere more prominently than another 2008 accomplishment: increasing the number of the council's participating organizations – the retailers, credit card processors, financial institutions, security companies, application providers and others whose continuing input helps build the standard – from 300 to some 550. In essence, the council has grown from a fledgling idea, when the five major credit card brands got together and decided to create one agreed-on standard, to a truly viable and recognized organization, Russo says.

A big reason for that growth is the marketing touch of Russo. He exhibits all the attributes of a successful salesperson: charismatic, sharp-dressed, terse, persuasive, yet personable and funny. Talk to some of his colleagues and they'll tell you he has established an almost iconic-like presence within the payment card industry.

Sure, at times, his PCI pitch can sound a bit oversimplified. Deployment challenges have been well documented in the pages of this magazine. Still, people such as Russo are attention-getters.

“There's a great skepticism about putting some of these standards in place,” says Paul Rodgers, the chairman of Vendorcom, a European business community that brings together key players in the payment card industry. “Bob seems to smooth over all of that and deliver messages clearly and effectively.”

It doesn't hurt that he carries a noticeable Brooklyn accent, albeit refined. Russo says the inflection helps to separate him from the rest of the pack. He comes across as more trustworthy to the people he meets, if for no other reason than the fact that he grew up not far from Ebbets Field.

Part of Russo's job is to negotiate, to make everybody happy – something in which he gained a lot of experience when he worked for some nine years as a liaison to the five major payment brands.

“These are five of the fiercest competitors you could ever imagine,” says Russo, who held positions at several compliance services and software providers that required him to constantly interact with the card companies.

Executives at Visa, MasterCard, Discover, American Express and JCB were the ones who eventually hired Russo for the council job. They understood his skills – to listen to everyone's side and try to meet them halfway. In no place was this more evident than a recent trip Russo took to New England.

He first met with a group of bank associations, which were suing TJX over the discount retailer's massive breach. The banks didn't want to be left funding the merchant's security shortfalls. A day later, Russo drove to Newport, R.I. to speak with a retail association. Members there were up in arms over being required to protect credit card data in the first place.

He never flinched. “You need to listen to all sides,” he says. “You have to be empathic with what's going on out there. You don't want to leave any segment out.”

Welcome to the Bob Russo Traveling Road Show. Next stop…well, give him a minute to remember. – DK

Seymour Goodman
Occupation: Co-director, Georgia Tech Information Security Center
Personal: Married, two children
College: Undergraduate, Columbia University; Ph.D., California Institute of Technology
Recent accomplishments: Chairman of a National Research Council committee on technical responses to a cyberattack; co-authored Information Security Policies, Processes and Practices

Seymour “Sy” Goodman still drives to work in his 1969 Volkswagen Squareback. Same interior, same engine, same paint job. His wife of 42 years refuses to ride in the car. She simply is too embarrassed by its appearance.

But Goodman – who co-directs the Georgia Tech Information Security Center – counts the blue Volkswagen as part of the family and says it has never run better, although there is no way of telling just how many miles the venerable vehicle has racked up.

“The odometer hasn't worked in 20 years, and it's only got five digits on it anyway,” says Goodman, 65.

In a way, the outmoded and unfashionable car serves as an interesting paradox to Goodman's academic pursuit of the past 30 years: researching the global spread of information technology.

His focus of the past 15 years has been on Africa. And now, with internet access and mobile phones fairly ubiquitous throughout the region, Goodman is preaching the need to secure these technologies, in places like Cape Verde, Rwanda, Ethiopia and Gambia.

So far, Goodman, a professor of international affairs and computing at Georgia Tech, has visited about 20 African nations to meet with government officials, internet service providers, business leaders and end-users.

“All this wonderfulness that comes with the internet and cellular telephony also brings significant risk,” Goodman says. “As part of being part of a globally connected world, they have some obligation to keep themselves safe and to protect the world from problems that originate in their country.”

But Goodman – who is joined in visits by other researchers from Georgia Tech and Carnegie Mellon University – has encountered resistance from the start and, regrettably, has made little progress.

There are obvious reasons, such as cost and priority, that African nations are slow to embrace the message of the American academics. After all, hunger, disease and genocide are difficult crusades to trump in these impoverished nations, Goodman says. Yet, what seems to trip up Goodman's industrious undertaking more than anything else is the newness of the technology. The African people are so enamored with the ability to use the internet and cell phones that they are willing to accept insecurity as part of the package.

“This is like going from nothing to going to all types of functionality, which is absolutely thrilling to them,” Goodman says.

He knows this is faulty thinking, not just for the security of Africans, but for computer users worldwide. After all, a compromised PC in Ghana could affect a major corporation in New York if that machine is part of a botnet being leveraged to deliver malware-laden spam or a destructive denial-of-service attack.

“There's so little cyberdefensive capability on the entire continent of Africa that they're being exploited and nobody knows what's going on. And, when something does happen, they have a problem fixing things,” Goodman says.

The African trips, supported through grants from groups such as the MacArthur Foundation and donations from corporations such as Microsoft, seek to raise awareness to the problem, he says. Leaders are pointed to funding sources that can help them build a stronger IT security backbone.

What Goodman wants, though, is the formation of national organizations exclusively tasked with cyberdefense, much like US-CERT (the United States Computer Emergency Readiness Team) here in America.

As a result, he and his fellow researchers are pursuing their most ambitious goal yet – organizing an unprecedented, continent-wide cybersecurity workshop where individuals from across Africa could exchange defense strategies.

Goodman and others are seeking sponsorship from the International Telecommunication Union, a powerful United Nations agency, and are planning to hold the event in Tunisia, the only African nation with an operating CERT.

Goodman faces an uphill climb with everything he does in Africa, but he says he won't stop trying. And there are glimmers of hope: Georgia Tech now maintains a permanent presence in Liberia, where students help extend the internet to rural areas while working to address security and privacy issues.

“The international dimension of cybersecurity is, by no means, well developed,” says Benoit Morel, a professor at Carnegie Mellon who often collaborates with Goodman. “If you subtract Sy from the equation, a lot goes away.”

It is the same kind of void Goodman might feel if you took away his trusty '69 Volkswagen. – DK
