Cybersecurity Expert: Less Talk, More Action

Deember 2009
by Maryann Lawlor
E-mail About the Author

When it comes to cybersecurity, the time for talk is over and the time for action is way overdue, according to one cybersecurity expert. Policies and procedures have been talked to death through books, symposia and even movies. Technical solutions are available, but each is sitting in its own silo where it isn’t likely to be the most effective. And as for information sharing about cyber incidents and threats, not only does it not occur, but the environment isn’t conducive to it.

These are the opinions expressed by Zal Azmi, cybersecurity expert and senior vice president, Cyber Solutions Group, CACI, who also says that in the meantime, cyberthreats continue to grow and most government and industry leaders aren’t putting much thought into a response plan once a cyberattack hits. And it will hit, Azmi states, it is just a matter of time. The indications that he’s correct are the incidents in Estonia and Georgia. He maintains that these were only preludes—the real strike has yet to come.

“What is the action plan? Even though we are standing up the cyberspace organizations—like U.S. Cyber Command, the Navy’s Cyber Fleet and the U.S. Air Force’s 24th Air Force—when are we going to take action?” Azmi asks. While many policies and procedures have been written, there are not enough people working on the implementation. “I say we should think big, start small and scale fast.”

Azmi uses President Obama’s recent approach to deciding what action to take in Afghanistan as an example of how the U.S. government and industry should strategize about ways to protect cyberspace. For six weeks, the president considered the situation, consulted experts, spoke with his top military advisers and chose a deadline for when the plan would be assessed. These are the same tactics that should be employed to create a plan of action against cyberattacks, Azmi recommends.

This plan should include metrics so that at some designated point in time, leaders can measure what’s been accomplished and determine if the plan is working. “So, for example, at the end of 2010, the accomplishments and the plan would be reviewed to determine whether the goals have been met,” he adds. “We are not there. There are plenty of policies, but we don’t have a comprehensive plan.”

Azmi is not convinced that senior U.S. leaders appreciate the seriousness of existing cyberthreats. And while military leaders are willing to call cyberspace the fifth domain, they have not designated a U.S. Defense Department leader to protect it as they have for air, sea, land and space. “There should be one person who is on the same level as Defense Department leaders who designates the roles and responsibilities for protecting cyberspace,” he proposes.

The Clinger-Cohen Act of 1996 and the Federal Information Management Security Act (FISMA) of 2002 were a good start to approaching cybersecurity problems, but they were only “paper exercises,” Azmi states. Although FISMA required agencies to test and account for the security of the information technology in their organizations, little if any testing was done to ensure that the systems were actually secure. That said, Azmi does commend the Government Accountability Office for bringing attention to the cybersecurity issue and following up by publishing which agencies were far below average when it came to securing their systems.

Although the primary issue is the security of cyberspace, another concern is the amount of money being handed over to agencies for information technology security that doesn’t end up being used for that purpose. Azmi relates that oftentimes when an organization runs short of funds in another area, cybersecurity and research and development funds are seen as good places to siphon what is needed to fill the gap. Millions of dollars that were intended to be spent securing cyberspace have been spent on other projects. This must be investigated and stopped, he adds.

Government is not the only entity that has to pull its act together when it comes to cybersecurity. Azmi notes that companies are reluctant to share information about the attacks they’ve suffered because doing so could inadvertently lead to divulging intellectual property or revealing weaknesses in their systems.

To overcome these grounds for information hogging, Azmi recommends that a portal be established where organizations could share information freely about cyberattacks. This information also would be extremely useful to software developers who could use it to patch security holes or offer specific solutions, he notes.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.

Share Your Thoughts:

This guy is pretty speak up! What do you think about the state of cybersecurity?

This is right on. It seems that the interest is in building the cyber fort, the big plasma screen, and the command stucture while there is no action.

Thanks for commenting, Jim! Have to admit that this is one of the few cyber professionals willing to on the record with some straight talk. Please invite your colleagues to join in the conversation as well.

Maryann: Yes he is out spoken but almost 100% on point. I would point to the USMC as an exception to the rule. Their approach to "enterprise" cyber security is down to the trooper level and seems to be focused while others are still seeking the golden BB. The one shot to stop the problem - a dream if there ever was one.

From all I've heard, I have to agree. Seems like there are many, many, many discussions going on about the cybersecurity problem but no one to lead the charge on the action side. Maybe Schmidt will solve at least a bit of this problem.

I concur with Azmi, especially his point about the time for talk being over and the time for action being overdue. His reference to both Estonia and Georgia as live fire testing is very good support for this opinion. I also support his view that theres a lot of paper out there but not enough directed professionals. If we are to think big, thats fine, but he is dead on that in order to scale and move fast, we need focus. That focus should be based on a national strategy, which requires us as a nation to decide that cyberspace is the virtual face of warfare. From that orientation, all the parts that Azmi points out will flow: metrics, incentives, partnerships, education, etc. Thinking of cyberattacks as being just crime or just nuisances or actions about which we can do nothing is not helpful at all. This strategy begins with its ultimate goal: Détente. We and our allies and our adversaries had (and still have) a substantial nuclear arsenal. Weve not had an all-out nuclear exchange, because we understood the boundary conditions that led us to détente. Ultimately, we have to answer the question: What is the virtual face of détente?

It's clear that you've given this topic a lot of thought, Keith. Thanks for commenting. You've made excellent points! Hope someone is listening!

Think the new Obama Administration Cyber Coordinator needs to be asked to speak at the next Solutions Series event and give us his solutions to this problem.

I have heard the Obama Administration Cyber Coordinator, Howard Schmidt, speak and I believe he has a slightly different take on the subject, one which some may disagree. I believe he looks at the current state of cyber security as one of violation of cyber crime laws and of foreign intelligence gathering and less as cyber warfare. His view is one that needs to be heard and discussed.

Just because it is different does not mean it is wrong. Cyber crime is a major issue that also needs to be addressed. Security software that really provides security also needs to be addressed. Running around saying the sky is falling and we are at 'war' but dong nothing about it (that the common 'man' can see) does not provide a real solution, or a constructive discussion, an action plan to develop a real solution