IT Built for Speed to Market, Not Security
Ex-NSA CIO Explains Why Key IT Systems Remain at RiskMuch of the components employed to build key government and private IT systems came from commercial vendors. "Those IT systems are commercial systems, which were built with basically market penetration and speed time to market as the major objective in the design and development of the products; they were not built with security as the number one criteria," Preston Winter, the former chief information officer and chief technology officer at the National Security Agency, says in an interview with GovInfoSecurity.com (transcript below). "They are going to continue to have flaws."
Some companies - Winter cites Microsoft, as one - are beginning to make significant efforts to write more secure code in their wares. But Winters, CTO/public sector at the IT security and compliance provider ArcSight, doesn't blame vendors entirely for the situation. "In large measure, even the buyers whose systems are at risk don't necessarily put security at the top of the priority list," he says. "As we go around and talk to CISOs and CTOs and CIOs, in some ways the biggest problem they have is explaining to their CEOs and CFOs why it is necessary to spend money on protection. People just don't understand the threat."
And, he says, such attitudes have bottom-line ramifications. "If you look at the cost of cleanup, if you look at the cost of damage, if you look at the cost of the liability problems that ensure when you have a major data breach, if you look at all of that and you look at the problems to brand name and the public trust and all that kind of thing, I don't think that there is any argument that (cybersecurity) is a good investment, but then I came out of national security where any breach is unacceptable."
In the interview, with GovInfoSecurity.com's Eric Chabrow, Winter also addresses the:
- Acceptance of the fact that systems will be penetrated, so steps must be taken to battle cyber threats from within their systems and
- Improving attribution - the ability to identify those breaching systems - through international cooperation, not just technological improvements.
Winter's most recent government post was that as associate deputy director for information integration at the Office of the Director of National Intelligence, where he established a national program to integrate and share information across the intelligence community. Winter served more than 25 years at the NSA, beginning in 1982, holding senior positions such as deputy chief of defensive information operations, chief of customer response, chief of the NSA Commercial Solution Center as well as CIO and CTO. At NSA, Winter created the agency's first integrated technology service provider organization and its first multi-mission industrial relations office to develop and nurture strong partnerships with industry. He also was responsible for NSA communications and reporting policy to customers.
ERIC CHABROW: Please assess the quality of the technology our adversaries employ to infiltrate American government and business critical IT assets.
PRESCOTT WINTER: There are two or three major parts to the answer to that. One is that for a very long time our major universities have been turning out lots of Ph.D.s and if you look at the logs you will discover that three-quarters of those folks are foreign nationals. When you talk about the level of expertise that foreign governments bring to bear in doing whatever they do in the network environment, whether it's stuff that we can put up with or stuff that we have to worry about, you have to recognize that the world is a shrinking environment, that the level of expertise is increasingly equal and shared around the world, and it really gets down to how effectively people use the expertise, which is now pretty much a global commodity.
That is when you get down to how effectively organizations are run and how effectively policy structures engage expertise and a lot of other things that are very subtle determiners of sort of who leads and who follows in this game. The longer term course of the educational processes and the openness in society, penetration of the Internet, the fact that so much technology is increasingly being designed and built and operated overseas means that there is a definite leveling effect here and we don't necessarily have the upper hand in all cases. We certainly are highly competitive and in some specialized areas probably still well in front, but it is very clear that the world is catching up with us in a lot of areas.
The other really significant factor in the way adversaries come at us is the transition from older style threats to what is often loosely called the advanced persistent threat. The term is a little bit of a buzzword in like most buzz words it has become a little bit shapeless as a result. When you look at the advanced persistent threat it strikes me that any organization, government or private sector, that has strategically important information, needs to consider itself a target. You need to consider yourself a target for adversaries who are going to use that world-class skill that I talked about a minute ago. They are going to come at you in a very persistent way and they are going to use all kinds of tricks to get into you that you might not have thought of.
If they are nation states particularly they are probably going to find ways to in effect blend the different types of intelligence gathering mechanisms that we know in this country as SIGINT and HUMINT and so forth. You need to be on your toes and you need to be aware that you are facing attacks that could come at you in lots of different domains and there are two or three examples of this kind.
We see for example all of the social engineering that goes on with the creation of spearphishing attacks, the use of various kinds of expectations on the part of the target as to what is a legitimate communication and what is legitimate information and the ability of the adversary to twist those legitimate expectations to serve the purposes of an attack.
This is, I think, a new development in the last couple, three or four years; it is not necessarily a new development in the deep world of government against government, but it clearly is, I think, a bit of a shocker to people on the outside. That whole aspect of the situation has changed significantly and people simply need to be on their guard.
CHABROW: How would you assess the ability of our government and the operators of the critical infrastructure here in the United States to respond to this increased knowledge and abilities from abroad?
WINTER: We have a lot of work to do. I am not sure I am quite in the camp that says that instant national death is possible in 15 minutes like some of the more sensational portrayals have suggested, it is very clear that an adversary that was really intent on doing deep harm could do so.
On the other hand, there has been an increased awareness of the problem for some time and if you look at the DoD systems for example, while the number of attacks has definitely gone way up, I think that the ability to respond has also improved significantly. If you look at the simple statistics, in 2006 DoD systems presumably were hit something like 6 million times, there was a report not long ago to the effect that DoD systems are now being hit 6 million times a day. So you have a 365 fold increase in the level of attack and you can argue about exactly by what we mean by DoD systems, is this Pentagon only, is this stuff in the field, is it command, is it everything else, but it is very clear that how ever you map these things that there has been an enormous increase.
In contrast though, note the fact that the Defense Department has been living with this increased level of stress now all of those years, it is doing an increasingly effective job of protecting itself I think in a lot of ways. The birth of Cyber Command and the expectation that we will defend ourselves in cyberspace effectively is part of the response.
We also see specific evidence that we are doing better in the actual online environment. We scored a significant success recently working with a couple of our integrated folks at European Command in actually stopping a red team attack. If you are at all aware of the history of the red team attack, you know that since the first big red team in 1997, the eligible receiver in 1997, the red teams have been largely unchallenged. To actually stop one of the red teams cold could pick up all their invasions and intrusions and to identify what they were up to and to basically stop the exercise is an enormous improvement.
CHABROW: You are hitting on a point that I would like to explore. Is it a new mindset in which it may be impossible to stop infiltrations into key stems but there is a way to control what goes on within that key system, having an understanding of what's going on and that is how you defend yourself?
WINTER: I think that the change from what I would call an older style of approach, sort of the perimeter defense approach, what we call Enterprise Threat and Risk Management. That really means that you have to assume that your walls are going to be breached. You have to assume that they are going to get in. So the art form here is to figure out who is in your network, good or bad, figure out what they are doing, identify whether it is consistent with or contrary to all the policies that you have to put in place to protect all of your information and systems, and then finally once you determine that somebody's in there and they are doing something that you don't like that is contrary to policy, figure out how to stop it and figure out how to stop it quickly so that they don't do more than acceptable levels of harm.
That is a new model. That is an entirely new prospect and it requires new kinds of skills, new monitoring and control technologies and new kinds of responses.
CHABROW: Let's talk a little bit about attribution; let me define that as the ability to understand who is making these infiltrations, who is attacking the systems. If I understand the state of the art right now with the more sophisticated attackers, we may be able to tell what country they are from but actually identifying the specific attacker is difficult, would you agree with that?
WINTER: Absolutely, it may be beyond difficult, it may be virtually impossible in most cases.
CHABROW: Impossible in the sense of the any time in the future or in the near future?
WINTER: I don't know that it's going to be impossible in the longer term as we get better handles on where information comes from, better cooperation in the international environment, better assistance from foreign partners and so forth. In a lot of cases, we will have a better ability to pinpoint these things.
When Estonia was attacked in April or May 2007, the computers that were attacking them were identified as being in something like 176 different countries and a very large number of those in the U.S. Part of the success in the response, the defense, was actually to work with the U.S. and with Finland as it turned out to identify flows of traffic that had large quantities of the attacking malware, denial of service attacks, and actually have the carriers in those places begin to throttle that stuff and cut down the volume of the attack.
There will be lots of ways that appear in the future and many of those are issues of international policy and coordination, they are not just technology.
CHABROW: Let's switch topics a bit. What do you see now as the greatest threats facing American IT systems and what can be done about them?
WINTER: To begin with I am not sure American IT systems are any different than anybody else's. Most of the time those stand round and carry all the sensitive information which is of interest to critical adversaries. Those IT systems are commercial systems, which were built with basically market penetration and speed time to market as the major objective in the design and development of the products, they were not built with security as the number one criteria. They are going to continue to have flaws. I would have to give high marks to some of the companies, Microsoft among them, that have begun to take this threat very seriously and spent a lot of time and effort in learning how to write better-secured code.
If you extend just beyond the IT into some of the other critical infrastructure areas, we still have a lot of work to do looking at a lot of the basic control systems, SCADA (system control and data acquisition) and things like that, but I think that there is a growing awareness that this is a serious problem and some of the right kinds of things are beginning to happen.
CHABROW: Are you seeing enough IT vendors creating products today that are secure, or is that still something that has to be more emphasis placed on it?
WINTER: I think it's a roadmap to the future. I don't think this is necessarily going to be an easy score across the goal line for all of those reasons. In large measure, even the buyers whose systems are at risk don't necessarily put security at the top of the priority list. As we go around and talk to CISOs and CTOs and CIOs, in some ways the biggest problem they have is explaining to their CEOs and CFOs why it is necessary to spend money on protection. People just don't understand the threat.
If you look at the cost of cleanup, if you look at the cost of damage, if you look at the cost of the liability problems that ensure when you have a major data breach, if you look at all of that and you look at the problems to brand name and the public trust and all that kind of thing, I don't think that there is any argument that this is a good investment, but then I came out of a national security where any breach is unacceptable.
In the government, particularly in the national security community, the design tolerance for any breach of data is zero.
CHABROW: There still isn't a feeling among many organizations of the strategic importance of security, they don't see the need to make the kind of investments that you feel maybe they should and because of that there are software and some hardware vendors out there that may not be creating enough of their products to be secure enough.
WINTER: I would agree with that, absolutely. And, I think it goes beyond just the basic security of the products. It also goes to how they are deployed and implemented and used. One of the fundamental truisms of good security is that you can take a pretty good product but if you deploy it badly and configure it wrong you are basically going to have trouble. Ultimately, you simply have to be able to have the expertise when the thing is deployed to get it right or it is going to be a problem for you even though it was a pretty good product to start with.