This week, I attended the Symantec Cyber Symposium. It was a well-organized, first-class event. At a time when there is a bit of a glut of cyber events, this one stood out.
Senator Warner Surprises at Symantec Symposium
The opening keynote address at the June 16th Symantec Cyber Symposium was given by freshman Senator Mark Warner (D-VA). My expectations were frankly not high, but I was pleasantly surprised. I did not know that before going into politics, Warner was one of the co-founders of Nextel. He was actually quite comfortable addressing a very competent tech audience, and set a great tone for the event.
He began by noting that, politics aside, the Obama Administration had sent a strong message to the country and the world about the importance of technology. They did this through the significant appointments they have made (CTO, CIO, and the soon-to-come Cyber Coordinator), and through the release of the new Cyber report with a full Presidential address. Warner also said that as Governor of Virginia he had learned that the only way to effect change across multiple government organizations was through technology, procurement, and HR. So, Obama was tackling the first of those three legs.
Warner also pointed out that cyber security had three key embedded issues that must be wrestled to completion. The first is the development of real public/private partnerships. This must go beyond symbolism and advice and achieve real collaboration. The second is information sharing. He warned that if the Cyber Coordinator gets too wrapped up in the classified NSC (he meant NSS) environment, it would fail. Lastly, he said that the President must deal with Identity Validation, and that he would do so. Recognizing that this was a third-rail issue for many, he said it simply had to be done, or we would never achieve security. He also warned that we could do it now, with reasoned debate, or do it after an “event”, when there would be a rush to do “something” and emotions would trump reason.
He ended with short comments on the need for Smart Grids to improve our energy efficiency, and for a serious upgrade of Health Care IT.
Security Standards Panel at Symantec
The 16 June Symantec Cyber Symposium began its panel discussions with a very interesting topic that concerns many in the private sector: standards. The panelists were Eric Hopkins of the Senate HLS & Gov’t Affairs Committee, Ron Ross of NIST, and Tony Sager of NSA. Together they gave an excellent presentation.
Hopkins led off with a quick note about the new FISMA reform bill. He said that they were working to synchronize the numerous cyber-related bills being put forth right now with the needed improvements to FISMA. He said that it would most assuredly morph into a comprehensive Cyber Bill.
Ross’s comments were more wide-ranging. He reminded the audience that the threats were growing in number, sophistication, and power, and that they were aimed at the private sector as much as at the government. He also said that NIST, DoD, and the IC were collaborating on an effort to collapse the different federal security standards into one uniform set. He likened it to a Goldwater-Nichols Act for standards. Eventually they will also have a Certification & Accreditation process that is agile and updated continuously, rather than every three years as it is now. He noted that the old (present) methodology of “get penetrated, then patch it” was no longer acceptable. We have to build both security and privacy protections into enterprise architecture, or we will never get ahead of the threats.
Sager was direct and to the point. He said that we could build the most secure systems in the world, but they would end up being completely without functionality. That would not do today. He also categorically stated that we are never going back to the world of “US Only Technology”. Those thinking along that line should drop it.
The last comments were actually not directly tech related, and that is telling. Ross said that it is not just a matter of good secure technology, but that it was education/training, procedures, and leadership that would get us through this. Sager added that a “well managed network was a tough target”, and that we should have that as a goal today.
The Future of the CNCI
The final panel of the Symantec Cyber Symposium looked at the future of the Comprehensive National Cybersecurity Initiative. Their conclusion was that the CNCI was not comprehensive enough, and did not focus nationally. The panel had two folks presently in Govt (Susan Alexander, OSD, ASD-NII, and Bill Vajda, Joint Interagency Cybersecurity Task Force), one on the way back into Govt (Bruce McConnell soon to be counselor for DHS), and one former (Bill Crowell, former Dep Dir, NSA).
Alexander discussed the desire of DoD to make this a year of Leap Ahead technology. Crowell noted that while productivity had increased by more than 50% due to digital capabilities, “we are completely dependent on a system that was never meant to be secure.” McConnell spoke next and emphasized that we were beginning a migration from CNCI toward the new policy outlined in the recently released 60-day Review Study. He said that any new policy must define roles, must develop agreed-upon rules, and must inject the realism of risk management into the debate. Vajda made the point that the CNCI really had not been national, but had stayed exclusively federal in orientation. That needed to be changed with the new policy.
Questions led them to state that we would probably keep the heavy R&D emphasis of CNCI, but that the Einstein program would eventually be dropped due to its complexity. All emphasized the need for education and increased public awareness. No one had a good answer for how we would pursue cyber security in the international realm. One suggestion was the establishment of a US Cyber Representative modeled on the US Trade Representative. That way they would be part of the Executive Office of the President, but not in the White House. All seemed concerned that the new Cyber Coordinator not develop an operational focus, as that was inappropriate inside the WH.
The final word was that we needed to accept that we would have to do “trusted transactions on untrustworthy networks”. We were simply not going to eliminate the doubts about many elements of the present networks.