Building a Culture of Security

August 2007
By Maryann Lawlor

One of the DHS’ priorities in cybersecurity is to increase awareness of system vulnerabilities and network threats. In recognition of September as Cyber Security Awareness Month, the DHS participated in a vendor fair that took place at the U.S. State Department.
Cooperation is a primary element of protection in cyberspace.

The commander of national cybersecurity has issued a call to arms to both private-sector and government organizations in the battle against cunning adversaries bent on wreaking havoc on U.S. critical infrastructures. During the past year, many sector-specific government agencies, including the U.S. Department of Homeland Security, have been working hand-in-glove with their industry counterparts to draft specific battle plans. Among the top priorities in the telecommunications and information technology sectors is conducting a national vulnerability assessment of all infrastructure. Similar plans also were designed for the other 15 component sectors covered by the department’s National Infrastructure Protection Plan.

Leading the effort in the information technology and communications sectors is Gregory Garcia, assistant secretary for cybersecurity and telecommunications, U.S. Department of Homeland Security (DHS), Washington, D.C. Garcia has been in this post for less than a year, but based on his experience in both the government and business sectors, he believes organizations recognize that information and system security is critical to their operations. However, they still need to understand the business case for investing time, talent and treasure before they will make substantial commitments, he asserts. The key to understanding, Garcia says, is the trite yet true phrase “We are only as strong as our weakest link.” And, as the number of links grows, so do potential weak spots.

Garcia says that assessment plans not only raise the awareness of vulnerabilities in the public and private sectors but also help make the business case for increasing investments in security. Once systems assessments are complete, sector members will determine which vulnerabilities would result in the most dire consequences if exploited and commit the resources to mitigating those flaws. “That isn’t to say that there aren’t many companies that have already put in the necessary investments, including the software vendors. We live in a supply-and-demand society, and when customers demand security, the suppliers are going to provide the solution. That’s the way it’s going to be,” he states.

In the software industry, many companies have released products prematurely in an effort to be the first to offer a capability. As a result, security holes are uncovered after they are on the market—often by hackers or customers—and patches have to be widely and quickly distributed. Garcia predicts that the demand for strong security will affect this business practice.

“Security doesn’t come cheap, and you have to exchange some convenience for security, and that includes in some cases time-to-market. Years ago, the priority was on speed-to-market, the next cool application, speed, speed, speed, and there was less demand for security. But now as awareness is growing, organizations are beginning to see that their networks, their data, their intellectual property, their employees’ privacy, their customers’ privacy—all of these things are dependent on secure systems, and [security] becomes simply a cost of doing business,” he says.

In today’s omniconnected world, it is not enough for organizations simply to ensure that their own systems are secure. Security must be a priority for all players in a supply chain. “As a customer, that means demanding strong security from your suppliers whether it’s software, hardware or systems. That means as a business partner demanding that your business partners have contractual obligations to ensure that they maintain good security practices to the extent you allow them into your intranet for doing supply chain management for example,” Garcia states.

But technology is only one piece of securing information systems; people and processes are equally important, he points out. All companies need to take basic steps, including hiring someone to be in charge of information security who will design a security plan. Once this plan is in place, a vulnerability assessment must be conducted to ensure the plan’s soundness. In addition, Garcia asserts that all personnel—from administrative assistants to the chief executive officer—must be trained in the plan so they can comply with it.

In the process area, Garcia recommends that organizations use a security auditor from outside the firm or agency to test both the systems and the employees for compliance with the security plan. “Then, when you see what vulnerabilities continue within your organization, go back and recalibrate your security plan. So it’s a cycle,” he states.

Some organizations that do not put these practices into place can be lulled into a false sense of security, Garcia observes. They do not believe they need technical protection or security planning because they’ve never been attacked. In reality, the opposite is more likely true: Many attacks and system penetrations have occurred; companies are just not aware of them because they do not have the intrusion detection technology in place to alert them. “You could be robbed blind and not know it,” he submits.

Several years ago, security experts suggested that companies be rewarded in some way for demonstrating that they were adequately protecting their systems. Reduced insurance rates, lower interest small business loans or tax breaks would be offered as incentives to businesses to better defend their systems. This is an approach that Garcia wants to take a closer look at, but he points out that before these programs could be put into place a set of best practices would have to be determined and implemented to establish who would qualify for the rewards.

“The challenge is in finding best practices that are detailed enough to be meaningful but generalized enough to be able to apply across all sectors. Different sectors have different risk profiles, different needs for security, so very quickly you can see that you can have security practices that are two pages or 200 pages in length depending on the level of granularity,” he notes. A generalized set of best practices could still be useful because it could collectively raise the security bar across the country, he adds.

Garcia considers complacency one of the biggest threats to infrastructures nationwide. “A lot of these threats wouldn’t exist if we really were nationally strong with our cyber and communications infrastructure,” he states. “That said, the adversaries who want to do us harm are very sophisticated and they often conduct very targeted attacks. Some of those attacks come in the form of botnets and those in turn create denial-of-service attacks that can bring down networks such as we saw in Estonia.” Garcia is referring to the attacks on Estonia’s government Web sites that took place in May.

U.S. adversaries in cyberspace today span the spectrum from hackers to nation-states to hacktivists, with different motives but generally the same aim: gaining money or information. The DHS is paying as much attention to the motives and techniques as to the identities of the attackers because this information offers clues about how to protect systems. The proliferating use of botnets is making it more difficult to peg a specific enemy, but many lessons are learned from examining motives and techniques, Garcia explains.

Another source of threats against U.S. systems is the globalization of manufacturing. While Garcia recognizes the value of the global supply chain and the innovation that it brings to the marketplace, he says it introduces vulnerabilities, particularly when companies have operations worldwide. “We need to be vigilant that the people who are working for these companies do not present the insider threat that could introduce malicious code into the software or hardware in a [manner] that finds its way back to the U.S., whether in the federal government or in commercial enterprises,” he relates.

Managing this danger is the responsibility of the private sector, and firms must have detailed processes in place to vet employees. They also must ensure that their business processes are secured with very clear access controls for certain information in the areas of software development and hardware manufacturing. “It gets difficult particularly all along the supply chain. Once a safe product leaves the factory floor somewhere abroad, it still has to go through several stops before it makes its way to the U.S., and each one of those stops is a potential vulnerability. It’s a difficult issue. It’s not something that is easily regulated,” Garcia admits.

The increase in the number of security breach incidents is one indication of the extent of the threat. An incident can be any type of attack from a probe to a phishing attack to a denial of service to a virus and everything in between. In fiscal year 2005, for example, approximately 5,000 incidents were reported to the U.S. Computer Emergency Readiness Team (US-CERT). In fiscal year 2006, this number increased by nearly five times to 24,000 incidents reported. And through the first eight months of fiscal year 2007, US-CERT had already received almost 21,000 reports of incidents. Phishing appears to be one of the burgeoning attack forms. For instance, of the 2,800 incidents reported for May 2007, 1,400 were phishing attempts, Garcia shares. “These numbers don’t necessarily mean that there have been more attacks; they do mean that there is a lot more awareness and a lot more reporting,” he adds.

Statistics such as these often influence policy and doctrine as well as spending priorities. As the DHS looks at evolving threats that are technologically difficult to address, such as botnets, it can decide to spend more research time and funding to deal with them. The data may indicate the need to delve into heuristics such as predictive security to see the activity on networks and predict what may happen next.

Beyond securing their own systems, businesses can enhance overall system security in a number of ways, Garcia suggests. Several industries have Information Sharing and Analysis Centers, which are trusted environments where companies that are competitors share their experiences with threats, vulnerabilities and break-ins. “Companies understand they really get out of it what they put into it. There is strength in numbers, and there is strength in having a network of defenders because we know all too well that there is a network of adversaries who are in many cases better organized than we are,” he shares.

Firms also should become involved in their industry sector coordinating councils. Members of the councils include companies and associations that are what Garcia calls “self-interested patriots” because they understand that the security of the country depends on the security of each one of them and that their livelihoods depend on having a secure business model.

“Organizations need to come together, join in implementing the sector-specific plans, which is to do the vulnerability assessment and to take the steps to mitigate the vulnerabilities. We are building a culture of security, a collective march toward a more secure infrastructure. Participate in this process. The more companies that participate, the stronger we’ll be,” Garcia states.
