In cyberspace, the best defense is a good offense.
Sky marshals, metal detectors and multiple identification checks may increase security in the corporeal world, but guarding the nation’s information superhighway requires different tactics. And in the information age, homeland security must extend into the digital realm, or even a tiny crack could allow adversaries into some of the most important systems in the world today.
Creating and maintaining defensive information operations is part of the mission for the new U.S. Department of Homeland Security. Although the department is still in the organizational stages, the cybersentinels charged with this mission grasp the magnitude of their work, understand the problems they face and are armed with knowledge and experience.
In his position as cyberprogram director for the department, Marcus Sachs is one of the architects of the plans to safeguard the U.S. information infrastructure. He comes to his position from the White House National Security Council where he was the director for communication infrastructure protection and is enthusiastic about taking on the challenges of his new job.
The Homeland Security Department has two information security sections. Steve Cooper, chief information officer, leads the team in charge of securing the department’s own systems. He will examine how each of the 22 agencies that is now part of the new department protects its systems, and he will draw on lessons learned to design the security for the department’s networks.
Sachs’ group is responsible for protecting U.S. cyberspace. His mission differs from Cooper’s because his team must work with the private sector, academia, and state and local governments—groups that expect a free and unregulated Internet but want the government to secure it.
Sachs was one of the key designers of the National Strategy to Secure Cyberspace (SIGNAL, April, page 33). “That road map is just filled with neat ideas, and there are a couple of prongs you can take away from it. One is best practices for businesses, and this is where we continue to do a lot of work,” he explains. For example, if a company has a good network operations center, the department would combine its best practices with others and make them available to other organizations.
The National Reliability and Interoperability Council (NRIC), a Federal Communications Commission advisory group, is tasked with publishing best practices. The Homeland Security Department will work with the NRIC task force to ensure that the information distributed for cybersecurity is clear and succinct, Sachs offers.
Leading by example is another way the government can help ensure information security, and Sachs admits that, in the past, government agencies have not excelled in this area. However, departments have improved. “The last big Internet event was Slammer, and the government and U.S. Defense Department largely were unaffected by it. We had a couple little nuisance infections here and there, but in general it went right around us because in the last couple of years we very quietly have gotten very serious about securing our networks,” he notes.
Sachs attributes some of this success to e-government initiatives, which faced institutional resistance but have made a big difference. “The part we have to do, the follow-through on the swing, is to take what we’ve learned now, analyze it, publish it and make it part of a best-practices mindset that says, ‘OK, when it came through, the Slammer Worm didn’t affect government at all. Why? Here are the specific reasons that we were minimally impacted.’ We need to publish that and get it out where people can see it,” he explains.
The initial national security strategy approach was to divide cyberspace into five groups. The first two were individual users and small businesses, which were identified as key areas where cybersecurity had to start. However, critics of the original plan maintained that other federal agencies, not the White House, should issue security strategies for individuals and small businesses. “They had a point. So, we backed away from that and came up with five straightforward priorities, the first of which is a national cyber-response capability and an education program, and that’s what’s in the current strategy,” Sachs explains. The department will identify items that apply to homeland security and design a plan to put them into practice. It also will assist other agencies in carrying out responsibilities that fall into their domain.
Part of the challenge of securing cyberspace during the past several years has been identifying which government agency should handle the job. “The actual defenders of cyberspace are the users—the individuals, the corporations, the universities—everybody who is connected to it. The government cannot defend cyberspace. It just isn’t going to happen unless they’re [the citizens are] willing to let go of the no-regulation mindset.
“The point we make when we go out and make speeches is that we—in government—don’t want to go down that road any more than anyone else because we are also private citizens, and we like the advantages of having an unregulated Internet. On the other hand, we may get to a point five or 10 years down the road where we are critically dependent on the Internet and, for national security purposes, we may have to take over parts of it just to ensure its operation,” he says.
Although the department will have a network operations center to monitor its own networks, the creation of a center to monitor all of the government’s networks is only in the talking stage. If such a center is created, its primary purpose will be to monitor the heartbeat of the public telecommunications sector that supports the federal government, Sachs says.
“The department needs a way to measure what is going on in the public arena but does not want to tap communications because of privacy and legal concerns. If the department builds its own center that oversees the federal government’s equities, it may be able to deduce other problems. So, if you’re picking up on problems in your world—the part you’re paying for—odds are very good those problems are being picked up elsewhere,” Sachs says. Information can then be correlated and shared. This capability could be in place in one to two years.
The Homeland Security Department will work with the information sharing and analysis centers (ISACs) through the NRIC, which receives computer network reports that have been stripped of identifiers from the ISACs. The department will have to determine how to coordinate this information with data from many sources, including state and local governments. Today’s threat of terrorist attacks compounds the coordination issue because physical security also must be monitored, Sachs relates.
The department faces several challenges in establishing its cyberspace protection section. First, it must determine how to set up information flow, ascertaining what data is important and then turning it around to share quickly. Second, the department must be able to detect problems rapidly. Sachs says this will require some type of modeling capability or artificial intelligence that can help analysts interpret activity. The government would work with companies that have experience in this area to leverage their expertise.
Third, the department must maintain trust and confidence with the private sector. “Over the years, we’ve had this ebb and flow where the private sector is willing to share information with the government. Then the government blows it, and they [companies] won’t share for a while, and we have to rebuild it. It has to be not only built but also sustained. We’ve got to get people to believe that it’s okay to tell us what’s going on. Then we, as stewards of that information, have to know how to handle it properly. If we betray their trust, they need to know that we have some internal process for cleaning up the damage, learning from our mistakes and teaching those individuals not to do that again,” he shares.
Sachs identifies two major threats to cyberspace security: clueless users and overworked security personnel. To address the first, safety must be built into the networks, which is a concept that technology developers are addressing. To tackle the second threat, personnel in charge of the security of systems must be given adequate resources. “If the exposures go away, and your vulnerabilities go away, it really doesn’t matter what the threats are. If you’re not exposed to them, they’re not going to bother you. If you’re less exposed than your neighbor, the threat won’t mess with you. They’re going to go after the easy pickings,” he advises.
Many companies want the department to enumerate threats so they can protect themselves. However, Sachs points out that, even with all the obvious signs leading up to the events of September 11, 2001, the government was unable to predict the attacks. Instead of trying to determine the threats, firms should invest in reducing exposures and vulnerabilities and patching systems.
Stephen Northcutt, director of training, SANS Institute, Bethesda, Maryland, adds that one of the most significant milestones in information systems security occurred last year when several key organizations collaborated to develop the first gold standard for hardening information systems. Representatives from groups such as the Defense Information Systems Agency and the National Institute of Standards and Technology created security tests for various systems.
The Center for Internet Security, Hershey, Pennsylvania, coordinated the effort and offers the tests free of charge on its Web site. Systems are scored on a scale from one to 10. For example, a score of four indicates that security should be improved, whereas a score of eight or more denotes that a system is well protected. “For the first time, there is a line in the sand,” Northcutt says. “It doesn’t solve all of the problems, but it’s a good start.”
Northcutt says federal agencies have improved security efforts in other ways as well. In 1997, for example, they had not determined how to respond to security breach incidents. However, by 2001 when the Code Red virus attack was launched, incident response plans had improved “phenomenally.” Network monitoring and advisories disseminated by the Federal Computer Incident Response Center helped organizations “dodge a major bullet,” he says.
This degree of progress is important, Northcutt contends, because the nature of threats to information security is changing. “If you look at attacks like the Morris Worm or Code Red, so far you haven’t seen anything that is a nation-state attack,” he says. But worm targeting is improving, and if a nation-state saturates the Internet with 10 different never-before-seen worms, the effects could be more substantial than in past incidents, he adds.
Although future virus attacks could cost billions of dollars, loss of Internet access is not yet a life-threatening event, Northcutt allows. However, in the next two to four years as fields such as medicine rely more heavily on it, a malicious incident could have serious consequences. “Today, it’s just an Internet snow day,” he notes.
To meld current information security programs successfully within the federal government, Northcutt emphasizes that the new department will have to address “turf wars” between the various agencies that have been brought under its domain and agrees with Sachs that it must keep the trust of industry and academia. While information security central control would be ideal, he points out that it is not possible because the information backbone is not owned by the United States or any other government. “The government can respond to attacks, and it can be proactive. But it can’t put a blanket around all U.S. Internet protocol addresses,” he points out.
The private sector can help provide homeland security on the cyberfront in a number of ways, Northcutt states. First, he agrees with Sachs that companies must reduce their own vulnerabilities. In addition, organizations in both government and the private sector must demand that the personnel securing their systems meet certain standards of technical expertise and experience.
Although the Homeland Security Department is not yet in a position to purchase security products, Sachs says it wants to know what companies are working on as well as about new and emerging technologies. Because the department is still in the organizational stage, a sales pitch is inappropriate at this time; however, homeland security personnel attend trade shows to learn about current capabilities.
“From the world that I’m working in at DHS where I’m not purchasing security products, that’s kind of the tack I want to take. I want to know what’s available so that when somebody calls and says, ‘How do I secure my system?’ I can say, ‘Well, there are five companies out there that have exactly what you’re looking for, and here’s their contact information,’” Sachs says, adding that his goal would not be to promote particular products but rather to share information.