Google Attack: Prelude to More Intrusions
Can technology replace the IT security professional to safeguard government information systems?

Zalmai Azmi, the former Federal Bureau of Investigation chief information officer, thinks so, at least in some situations, and believes technology could fill the gap caused by a shortage of qualified IT security personnel in government.

The amount of data governments need to monitor is massive, so tools are available not only to monitor it but also to help analyze it and identify vulnerabilities. "We are providing a technical solution that will eliminate the need for a lot of cyber professionals because we just don't have enough of them," Azmi, senior vice president for global strategic law enforcement and national security at the IT services firm CACI International, said in an interview with GovInfoSecurity.com.

Azmi said resource-poor agencies are faced with the dilemma of deciding, say, which two of 10 vulnerabilities to address. Technology and the right methodology can help, he said. "If you have limited funding, then the decision is pretty much made for you where you spend that security money," Azmi said. "You can't spend it on all 10 vulnerabilities but you have adequate money that actually enables you to address those two."

In the first of a two-part interview, Azmi also addresses:

  • How the attacks from China on Google and other corporate IT infrastructures just scratch the surface with regard to infiltration of America's critical information systems and networks.
  • The need for IT organizations to pay more attention to their security-sensitive systems rather than treating all information systems equally.
  • The effectiveness of the Federal Information Security Management Act.

In Part 2 of the interview, Azmi discusses the use of milestones and matrices to effectively manage agency cybersecurity initiatives.

Azmi joined CACI in November 2008 after serving five years as CIO of the FBI where he guided the bureau through its largest-ever technology upgrade. Before joining the FBI in 2003, Azmi served as CIO for the Executive Office of the United States Attorneys, where he created the organization's first IT security office. A Marine veteran - he served as a communications and intelligence specialist - Azmi has been twice deployed to Afghanistan as well as detailed to an intelligence agency.

Azmi holds a master's degree in information systems from George Washington University, a bachelor's degree in IS from American University and several IT certifications, including information security management and program management.

GovInfoSecurity.com's Eric Chabrow interviewed Azmi.

ERIC CHABROW: We are speaking a week after Google and other companies revealed attacks emanating from China on their IT infrastructures, including the hacking of Gmail e-mail accounts of activists supporting human rights in China. How serious a threat do these attacks pose to the federal government and the nation's critical IT infrastructure?

ZALMAI AZMI: Eric, actually this is a very serious threat to our national security, mainly because we have seen these types of acts in different areas of our infrastructure. We have seen it in power grids, we have seen it in our financial systems, we have seen it in the federal government systems and now we see this intrusion in Google, which is a major ISP.

Since all of the networks are interconnected, it is a serious threat to other programs, other organizations, other systems that are connected to the Google network. I personally view this as a serious threat posture, and I am also concerned that these kinds of intrusions may be just a prelude to determining some of the weak points in our national security program related to cyber, and that may become a point of exploitation for future intrusion into our systems.

CHABROW: How seriously do you think government leaders are taking cybersecurity, and will the Google/China episode be a wake-up call for them?

AZMI: I believe we are learning a lot about our adversaries' capabilities, so I think the senior leadership, senior management is taking this very seriously. Now that we do have a cybersecurity coordinator, I think in his new role he will be making sure that different government entities, departments and leaderships are fully aware of the threats that cyber poses to our national security. Google should be a wake-up call, and this is one intrusion that is probably not going to stop here. Adversaries will continue to go after other sectors of our computer grids and try to find more vulnerabilities and more ways to actually get into our systems.

It is partly self-education on the part of leadership; they need to understand and realize that cybersecurity is important and that it poses a great threat to our national security. But it is also the job of information security officers and information security experts to make sure that the message gets out, and also to make sure they understand the adversaries and their techniques and their capabilities, so they can fortify our defenses and take care of our protocol network presence points.

CHABROW: Is there any doubt in your mind that the Chinese government was behind these attacks?

AZMI: I don't have a lot of details about the type of intrusion and how it was executed. From what is in the news, it has been a sophisticated intrusion into the system, because not only were they able to get into Google's system but they were also able to open some of the e-mails or get access to some of the e-mails. So it looks like it is pretty sophisticated and may not be the work of some hacker who is really not interested, because most of your hackers, I would call it low end, are not very sophisticated; their motivation is financial.

This intrusion, at least in my mind, was not motivated by financial gains, and that is why I would say that it was probably a state-sponsored attack, but I cannot verify or confirm that without forensic data and information.

CHABROW: What are some of the things that government should be doing now to help mitigate this?

AZMI: This is a very broad question. There is so much you can do in cyberspace. Obviously I have talked on a number of occasions about fortifying our own defenses by being proactive, securing your own networks, building adequate security into our applications and our databases and our mail systems, and then continuously monitoring; we have a point of presence, a self-awareness or a continuous awareness of our environment that is very, very critical to our success.

The key here comes down to investment in the security of the infrastructure, investment in the right hardware and software, and investment in the right training for our people. We do need to make sure that not only our cybersecurity professionals know how to defend and protect our networks, but also that users of the network are aware that there are inherent risks when they are getting on the Internet, when they are conducting business. So that training piece is really a critical part of this, and I think that is where the focus should be for the government: basically the right investments in the right technologies and in the training of the special services and the cybersecurity professionals, but also employees and also the public sector for that matter.

CHABROW: You work for a company where some of your employees are cybersecurity professionals. I am assuming that your company pays more than the average IT security professional earns in government. What are the challenges you face at CACI, and how do they compare with the challenges the government faces in finding enough qualified people to do the job?

AZMI: I think that is a challenge, not having enough qualified people to address the cyber challenge. That is one of the reasons, actually, our focus is a little bit different. We are not focusing on human resources or cybersecurity professionals as much as we are focusing on cybersecurity solutions, because technology would be the best way to help us with our protection of our data and critical infrastructure and nodes.

Look at the amount of data that is being collected on a daily basis if we are monitoring our network. There is so much data in there it is unbelievable. So how many IT professionals or cyber professionals do we need to analyze that data? That is one of the reasons why we are looking at the technology to actually be able to collect that data from multiple sensors, from multiple logs, from multiple data feeds and sort of correlate them, and actually have the intelligence to tell the cyber professionals that, "Oh, by the way, out of these 10 vulnerabilities, the highest priority goes to these two; you have got to fix these two first."

So what we are achieving in this methodology is, one, we are providing a technical solution that will eliminate the need for a lot of cyber professionals because we just don't have enough of them. We really need to supplement them with technology; that is one. Number two is the system correlates that data and tells you what your highest vulnerabilities are. And number three, if you have limited funding, then the decision is pretty much made for you where you spend that security money. You can't spend it on all 10 vulnerabilities, but you have adequate money that actually enables you to address those two.

So our focus in CACI is on integrating technical solutions into the infrastructure, into the networks, into the applications to enable the cyber professionals to actually easily secure their data and networks, but also to have situational awareness of what is going on in the network at any given time. You have probably seen the data on our cybersecurity training and how many professionals are being trained, and the data is available about the universities and engineers and all of that, and quite frankly, however we are going to look at this, we are not going to have enough people to be able to sort of secure our infrastructure end to end, and that is why we need to rely on technology.

CHABROW: Regardless of who is providing this service or whether they do it themselves, please address how you see the government approaching situational awareness and what are some of the things they should be doing?

AZMI: Eric, this is a tough question because one size does not fit all. The priorities are different within the Department of Transportation or the Department of Education than they are, let's say, within Homeland Security. While every department has probably hundreds of systems, not all of their systems are probably mission critical or of the highest level of sensitivity.

The key here is that agencies must have a plan by which they can determine the level of criticality of their systems, and based on the criticality of their system, of the information that it houses, or the security that it provides, they need to focus it that way. That is where the focus is, basically: okay, which systems am I going to secure first? What are my top priorities?

If you recall, in 1996 when FISMA (Federal Information Security Management Act) came out, one of the recommendations - later on revamped in 2003 - was that we should certify at least 30 percent of our network assets every year. Basically, every three years the entire network and network assets will be certified. Our view when I was in the Bureau (FBI) was that we will certify those systems that were national security systems and critical; we will test and sort of take care of the vulnerabilities every year and after every time we applied a patch to it. That is one of the recommendations I would make to the CISOs and CIOs, because they will not have adequate resources to secure all of their applications, but they need to have a tiered approach to their infrastructure and information technology assets on what are the top priorities and how they would like to address the security for each of those tiers.

CHABROW: Congress is looking at legislation; there have been bills introduced to reform and update FISMA. Have you seen any of that legislation, and have you heard anything or seen anything that makes you feel the approach Congress is taking is the one that you feel it should be taking as it relates to situational awareness?

AZMI: I believe we are on the right track. It's probably time for FISMA to be re-looked at and revamped. It has been restructured a couple of times, or it has been updated a couple of times, and again, with all of the threats that we are facing, I think it is again time to revamp that program.

FISMA used to be a scorecard that we provided to OMB to show the posture of our security. But I think we need to put some rigor behind that, and I think that is where Congress is going. So, it's not as much reporting, but it is also actually conducting security and vulnerability assessments, and for some of our systems maybe even penetration testing, to make sure nobody can get into it. I believe we are on the right track.