Last week we solicited questions for US Representative Jim Langevin (D-RI), one of the chairs of the CSIS Cybersecurity Commission. Here are his answers — along with contact information for him if you want to continue the conversation.

1) Red Teams
The NSA has had great success with Red Teams and competitions between security experts in helping learn how to better secure sensitive data and to keep up to date with the latest attack techniques.
What are your plans to utilize this powerful technique? If applied elsewhere, Red Team competitions can help better secure other aspects of the internet and to stay up to date.
Rep. Langevin: I couldn't agree more. I've been an advocate of moving away from the paperwork exercises that have become more prevalent in Federal government IT security towards a more operational-focused testing environment like red/blue teams and penetration testing. In fact, I wrote a bill (HR 5983) this year that would have required the heads of appropriate Federal agencies (DHS, NSA, DOD, etc.) to create security control testing protocols to ensure that the Department of Homeland Security's networks are protected against known attacks and exploits. The bill would have essentially given the DHS Inspector General the ability to red/blue team the Department's networks to determine whether or not the Department's security policies and controls were effective.
The DHS Inspector General does not have the same capabilities as the NSA red team. Unfortunately, there are a limited number of individuals who are members of these elite teams; what I'd like to see happen is groups like NSA red/blue engage with more Federal civilian agency security officers who can perform these functions when the NSA teams are not available.
Of course, the great value in red teaming comes from actually mitigating the vulnerabilities discovered by the red team. This takes time and money, which can sometimes be difficult to come by. So while we have to do more red teaming in the Federal government, we also have to be prepared to spend the money to fix the problems.
I find that red team competitions are a great way to refine offensive and defensive skills, and can also be a good recruiting tool for the Federal government. In the spring I congratulated the college participants in the 2008 National Collegiate Cyber Defense Competition that was held at the campus of UT-San Antonio, and encouraged them to look for Federal jobs when they graduate. We as a nation have to recruit and invest in these students because of their talent and potential.
2) Why run this out of the EOP?
Why run this out of the Executive Office of the President? Trying to run operational units directly from the White House seldom works well; the environment is political, not operational. The present cybersecurity office, in Homeland Security, is ineffective because the incumbent is a former lobbyist. When Amit Yoran was in charge there, progress was being made. He quit because he wasn't getting backing from higher in Homeland Security. The office needs a high-level champion in the White House, but that's a liaison job.
Rep. Langevin: You are right - cyber operations should not be run by the White House. We have plenty of agencies that have the skill and capability to run various cyber operations throughout the Federal government. But as you've noted, at the end of the day, cybersecurity requires coordination of activities across agencies, and the CSIS Commission concluded that the White House is the best place to locate this function.
The Commission discovered that the central problems in the current Federal organization for cybersecurity are lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility. The Commission considered many options for how best to organize for cybersecurity. One particularly useful model was the Intelligence Reform and Terrorist Prevention Act (IRTPA). IRTPA imposed a new, more collaborative structure on the Intelligence Community. It mandated a distributed "intelligence enterprise." Congressional mandates, however, are not enough. It took a Director of National Intelligence with the appropriate authorities to build collaboration. This did not mean that the DNI became a centralized manager of the IC - agencies still have their unique operational functions. The DNI role is to provide the strategy and collaborative networks for the intelligence enterprise. This effort, although it is still a work in progress, helped to guide our thinking.
I hope that the Assistant to the President for Cyberspace will be that high-level champion that you described, a person who can provide programmatic oversight for the many cybersecurity programs that involve multiple agencies, but not take operational control over the agency responsibilities.
3) Re: Why run this out of the EOP?
by gclef
To build on this, how are you planning on addressing the credibility gap between what the executive wants to achieve, and what the rest of the internet community (at least in the US) believes you really can/should achieve?
For example, I was at BlackHat this year, and the keynote speaker was one of the Feds, speaking about the federal plans for cyber security. The discussions in the hall after his keynote were scathing. Many of the attendees concluded that he had no clue what he was talking about. This, I think, has to be the first hurdle the executive needs to clear before accomplishing anything. Put simply: the private sector just doesn't believe in government's ability to succeed. How are you going to fix that?
Rep. Langevin: The uncertainty of success should not prevent government from playing a role in securing cyberspace, but its questionable effectiveness means we have to find specific areas or roles where the government can add value. This is the challenge we face today.
I think back to some of the fundamental lessons of the government's efforts in Y2K. John Koskinen, the incredibly effective manager of this effort, asked himself what role the government could or should play with the private sector. His list was short: 1) Government could provide expertise to the private sector; 2) Government could provide a trusted meeting place for the private sector; 3) Government could provide a mix of positive and negative incentives for the private sector to implement security fixes. With this blueprint, Koskinen had his marching orders.
Government alone will not solve the cybersecurity problem because government alone does not own the infrastructure or the technical expertise. But government involvement is the key for success because of its ability to positively and negatively incentivize behavior. Today, just like 10 years ago, there are incentives that the government can provide to ensure better security in the private sector, and, like the government response to Y2K, I think this is where the government should focus its effort.
The trust relationship between the government and the private sector has been damaged over the years, so this will be an area for the next President to try to improve. The CSIS Commission recommends rebuilding the public-private partnership on cybersecurity to focus on key infrastructures and coordinated preventative and responsive activities. The Commission recommends the President direct the creation of three new groups for partnership that provide the basis for both trust and action: 1) A Presidential Advisory Committee organized under the Federal Advisory Committee Act (FACA) with senior representatives from the key cyber infrastructures; 2) A "town hall" style national stakeholders' organization that provides a platform for education and discussion; and 3) A new operational organization, the Center for Cybersecurity Operations (CCSO), where public and private sector entities can collaborate and share information on critical cybersecurity in a trusted environment.
There is one specific area that the government can establish some credibility with the private sector: become the gold standard for network security. Some of you have heard me discuss this vision during my DHS oversight hearings. The security of Federal networks has received attention from the highest principals in government, and I believe the increased attention will lead to better strategies, larger commitment of resources, and greater awareness throughout Federal agencies. Making the Federal government the gold standard demonstrates to the private sector that we are committed to security and we can be a trusted partner.
The free and open nature of the internet is its biggest asset. How do you plan on enforcing "cybersecurity" without damaging its free and open nature? Are you sure that the cure (government regulation) isn't worse than the disease (cybercrime)? Remember there was no cybercrime before the internet. The internet has brought us both crime and prosperity; so far the prosperity has far exceeded the crime. I benefit far more than I suffer from having an unregulated internet. Can you convince me that a regulated internet is even necessary?
What sort of measures can you take to fight cybercrime without affecting my unfettered access to the internet? The phrase "If you have nothing to hide, you have nothing to fear" is not an acceptable response.
Rep. Langevin: I disagree with the premise - neither I nor the CSIS Commission discussed a "regulated Internet". What we did discuss is the need to develop and issue standards and guidance for securing three specific critical cyber infrastructures - telecom, finance, and energy - with the intent of increasing transparency and improving resiliency and reliability in the delivery of services critical to cyberspace.
5) How will this power be controlled?
I work in IT security and thus I wonder how you plan to deal with two conflicting problems: rapid change of threat scenarios and the ability to supervise and monitor the actions taken by the "cyber police". Threats in IT change rapidly. Over the course of days sometimes. So quick reactions to emerging threats are a necessity. You have to react fast when something emerges; you can't let debates go on forever with weeks passing to give various interest groups a say in the matter.
How do you plan to ensure that civil liberties will not suffer from the necessary fast response when trying to make the internet a safer place?
That whatever organization is supposed to make the "net safer" will have certain powers is a given. Whenever, though, someone who has power has to do something fast (i.e. before someone could complain or interfere), the temptation to abuse this power (claiming "danger in delay", when the only danger would have been that someone could find out that power abuse is afoot) is present as well. How do you plan to address this?
Rep. Langevin: It's a significant challenge to respond to threats that can hit in a matter of milliseconds. Specifically, to address abuses of power or compromises of privacy and civil liberties, we have to insist that privacy and civil liberties protections be built in from the ground floor into our cybersecurity programs.
The E-Government Act requires agencies to conduct Privacy Impact Assessments (PIA) before developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public, or initiating a new electronic collection of information in identifiable form for 10 or more persons. In general, PIAs are required to be performed and updated as necessary where a system change creates new privacy risks. I think this is one way that we can ensure that privacy and civil liberties concerns are addressed at the outset, but I am open to any suggestions from the readers.
6) Hiring Practices And Education
I noticed briefly in the document that it mentions the inability of the Govt. to hire the necessary talent to combat these issues. Namely it mentions the drop in CS student enrollments and attempts to relate it to the .com burst. In reality the American IT profession is under assault by both outsourcing and the current H1B visa program. How do you intend to increase CS enrollment when the job market is being eroded by these two factors?
Rep. Langevin: I am concerned about the drop in computer science students, because it could portend a decline in American competitiveness in science and technology. At the same time, I also know that advanced degrees are not a necessity in operations. Some of the best operational experts I know - both in and out of government - only have high school diplomas.
There are a variety of different skill sets that we are looking for in the Federal government. The goal is to both increase the supply of skilled workers (to benefit both government and the private sector) and to create a career path (including training and advancement) for cyber specialists in the Federal government.
I have long advocated for a comprehensive approach to immigration reform that combines border security, enforcement of immigration laws already on the books, and a humane and common-sense approach to dealing with the millions of immigrants who are already in this country illegally. Reforming the system includes looking at all visa programs such as the one you mention.
The model for increasing the supply of skilled cyber workers is the 1958 National Defense Education Act, which improved national security and strengthened the economy. A larger effort poses complex challenges, however, and a focused program that emphasizes cybersecurity will be easier to obtain. The simplest approach may be to expand Scholarship for Service, a National Science Foundation scholarship program that provides tuition and stipends, in addition to requiring accreditation of schools where scholarships are provided for computer security studies.
The U.S. must also develop a career path for cyber specialists in federal service. Creating this career path entails a number of steps, including minimum entry requirements for cyber positions, training in specialized security skills, and a national cyber skills certification program. The Office of Personnel Management, working with key agencies engaged in cyber defense and offense, needs to establish rewarding career paths and advanced training.
This career path should transcend specific departments or agencies. I believe it should be modeled on the Federal Law Enforcement Training Center (FLETC), which provides training to all Federal employees in the Law Enforcement Officer skills. The program should initially focus on national security related missions (including critical infrastructure), but could later be expanded to other mission areas.
Why must civil liberties be given up under any circumstance under the guise of "cybersecurity"? Why is there no open public review for people to proclaim that under no circumstance do they plan to give up civil liberties for the sake of a bad US government cybersecurity plan? I for one do not plan to give up any form of "rights" just because the government has an inability to secure their own systems. I'm sure we all know the Thomas Jefferson quote for this.
Basically, my question is: why are we focused on balancing rights for security when we could spend more effort securing the existing government computer systems that we use, and it would be more effective? This is like pointing a finger at the Washington Monument and blaming it for the market collapse, and does not directly address the issue I just mentioned.
Rep. Langevin: No American should give up the liberties granted to him by our Constitution under any circumstances. I do disagree with your premise, however, that the Federal government is sacrificing the liberties of its citizens to ensure greater security of its networks.
Readers of Slashdot who share my concern about protecting privacy and civil liberties may be interested in reading the Privacy Impact Assessments (PIA) prepared by the Federal government for various IT systems that I mentioned in a previous response.
A) Are you concerned with biting off more than you can chew with the "Manage Identities" portion of the recommendation? (or, put another way, are you sure the government should really be doing any of those in the first place?)
A number of people are already uncomfortable with the idea of a national identity card (witness the problems that RealID is having these days)...your report goes even farther, though, by proposing a government-issued identity card that consumers could use for purchases online. If I'm already suspicious of a national ID, why in the world would I want to use a government-issued online ID?
B) Also, your recommendations have some huge loopholes: point 17 says that you want to allow consumers to use strong government-issued credentials for online activities, but point 18 then says that there should be regulation preventing businesses from *requiring* the use of those credentials. In practice, one of these two lines will be pointless (companies will say that it's optional to do business with them, so it's not "required"). By way of example, it's illegal for a company to *require* an SSN for non-banking business, but just try to get water service in Maryland without giving it to them...you can't do it. Doesn't this sort of loophole make your "consumer protection" recommendations pointless?
Rep. Langevin: Government-issued identity sparks a wide range of emotions, but I have to be clear about one thing: the Commission did not recommend that the government issue strong credentials to individuals.
First, we recommended that strong authentication be mandatory for critical cyber infrastructures - energy, finance, and telecommunications. Second, we said that if people want to use their new strong credential (which does not necessarily have to be provided by the government) for commercial purposes, they should be allowed to do so when the other party in a transaction is willing to accept them. Finally, we said that as we are likely to see two classes of consumers emerge (those with strong digital credentials and those who have chosen not to have such credentials), the FTC should ensure that companies can't refuse low-risk online services to those without credentials. FTC rules can move companies to adopt a risk-based approach to authentication - low risk transactions can use weak or no authentication, high risk transactions can require more.
You are essentially already doing this if you use online banking services: you can browse the website without authentication, but you need strong authentication to access your account and engage in transactions. Banks issue the credential (not the government) but it is in a framework of rules and guidance issued by regulatory authorities. The Commission wanted to move the banking model to other critical sectors.
The real issue is how to construct a system that accommodates a minority that is afraid of strong authentication without blocking adoption for critical infrastructure or high value transactions.
9) Single Platform Vulnerability
It is no secret that our nation's national security is threatened by the current single platform strategy. The lack of operating system diversity creates a fatal environment in which a single system flaw can expose all govt facilities and networks. As it stands today, a single serious vulnerability could be exploited to blackout most if not all of our govt infrastructure. How do you intend to address this serious problem?
Rep. Langevin: We can do our best to build security in. Currently, most vendors deliver software with a very wide set of features and functions enabled including some that can result in less secure operations if not properly configured by the purchaser. However, as software systems become increasingly complex the difficulty of securely configuring these systems and maintaining that secure configuration has become a major technical and operational challenge.
The Federal government, taken as a single organization, is the largest buyer of most information technology products. Federal acquisitions rules provide a large mechanism for the government to shape private sector behavior. The CSIS Commission recommended that the Federal government require that the IT products it buys be securely configured upon delivery. Today, this effort is known as the Federal Desktop Core Configuration (FDCC). The FDCC is an OMB mandate that requires all Federal agencies to standardize the configuration of settings on operating systems and for applications that run on those systems. The FDCC is aimed at strengthening Federal IT security by reducing opportunities for hackers to access and exploit government computer systems.
A carefully crafted acquisitions regime, combined with an expanded FDCC initiative could help drive the market towards more secure configurations. The secure configurations mandated by the Federal government and produced in this collaboration with industry would be available for use by state and local government organizations as well as the private sector. A collaborative effort between government and industry to resolve software vulnerabilities and to deliver secure products could result in lower overall costs over the life of a system, even if secure configurations initially resulted in a higher price.
10) Secure what?
Besides sensitive government computers, which for whatever reason need to be connected to the WWW, exactly what part of the US portion of the Web needs to be secured and why?
Rep. Langevin: I am focused specifically on Federal information networks and critical infrastructure networks, such as infrastructure that is used to operate energy utilities and banking and finance and telecommunications. Ineffective cybersecurity leaves us vulnerable to attacks on our informational infrastructure, and in an increasingly competitive international environment, such attacks undercut America's economy and security and put the nation at risk.
Thanks to everyone who took the time to participate in this thread. Obviously, we weren't able to cover everything here in one Q&A, but if you would like to contact me with additional thoughts, please send me an email noting your interest in cybersecurity.