IT Built for Speed to Market, Not Security

Ex-NSA CIO Explains Why Key IT Systems Remain at Risk

By , August 16, 2010.
IT Built for Speed to Market, Not Security


See Also: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

quiz: Who's more responsible for putting key IT systems at risk: Vendors seeking profit or buyers who ignore reality? The answer: both.

Much of the components employed to build key government and private IT systems came from commercial vendors. "Those IT systems are commercial systems, which were built with basically market penetration and speed time to market as the major objective in the design and development of the products; they were not built with security as the number one criteria," Preston Winter, the former chief information officer and chief technology officer at the National Security Agency, says in an interview with (transcript below). "They are going to continue to have flaws."

Some companies - Winter cites Microsoft, as one - are beginning to make significant efforts to write more secure code in their wares. But Winters, CTO/public sector at the IT security and compliance provider ArcSight, doesn't blame vendors entirely for the situation. "In large measure, even the buyers whose systems are at risk don't necessarily put security at the top of the priority list," he says. "As we go around and talk to CISOs and CTOs and CIOs, in some ways the biggest problem they have is explaining to their CEOs and CFOs why it is necessary to spend money on protection. People just don't understand the threat."

And, he says, such attitudes have bottom-line ramifications. "If you look at the cost of cleanup, if you look at the cost of damage, if you look at the cost of the liability problems that ensure when you have a major data breach, if you look at all of that and you look at the problems to brand name and the public trust and all that kind of thing, I don't think that there is any argument that (cybersecurity) is a good investment, but then I came out of national security where any breach is unacceptable."

In the interview, with's Eric Chabrow, Winter also addresses the:

  • Acceptance of the fact that systems will be penetrated, so steps must be taken to battle cyber threats from within their systems and
  • Improving attribution - the ability to identify those breaching systems - through international cooperation, not just technological improvements.

Winter's most recent government post was that as associate deputy director for information integration at the Office of the Director of National Intelligence, where he established a national program to integrate and share information across the intelligence community. Winter served more than 25 years at the NSA, beginning in 1982, holding senior positions such as deputy chief of defensive information operations, chief of customer response, chief of the NSA Commercial Solution Center as well as CIO and CTO. At NSA, Winter created the agency's first integrated technology service provider organization and its first multi-mission industrial relations office to develop and nurture strong partnerships with industry. He also was responsible for NSA communications and reporting policy to customers.

ERIC CHABROW: Please assess the quality of the technology our adversaries employ to infiltrate American government and business critical IT assets.

PRESCOTT WINTER: There are two or three major parts to the answer to that. One is that for a very long time our major universities have been turning out lots of Ph.D.s and if you look at the logs you will discover that three-quarters of those folks are foreign nationals. When you talk about the level of expertise that foreign governments bring to bear in doing whatever they do in the network environment, whether it's stuff that we can put up with or stuff that we have to worry about, you have to recognize that the world is a shrinking environment, that the level of expertise is increasingly equal and shared around the world, and it really gets down to how effectively people use the expertise, which is now pretty much a global commodity.

That is when you get down to how effectively organizations are run and how effectively policy structures engage expertise and a lot of other things that are very subtle determiners of sort of who leads and who follows in this game. The longer term course of the educational processes and the openness in society, penetration of the Internet, the fact that so much technology is increasingly being designed and built and operated overseas means that there is a definite leveling effect here and we don't necessarily have the upper hand in all cases. We certainly are highly competitive and in some specialized areas probably still well in front, but it is very clear that the world is catching up with us in a lot of areas.

Follow Eric Chabrow on Twitter: @GovInfoSecurity

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Compromise Sought on Cyber Info-Sharing Bills

How badly does the president want Congress to enact cyberthreat information-sharing legislation?...

Latest Tweets and Mentions

ARTICLE Compromise Sought on Cyber Info-Sharing Bills

How badly does the president want Congress to enact cyberthreat information-sharing legislation?...

The ISMG Network