Security
October 7, 2009 4:00 AM PDT

Q&A: Amit Yoran talks cybersecurity

by Elinor Mills

Amit Yoran (Credit: Amit Yoran)

West Point graduate Amit Yoran worked in security in the Air Force, at the Defense Department, and in private industry before being tapped as director of cybersecurity for the Department of Homeland Security.

He joined DHS in September 2003 and left about a year later, the first of several cybersecurity directors to have a short tenure. Now, the 38-year-old is chief executive of security firm NetWitness.

During the first week of National Cyber Security Awareness Month, Yoran talked to CNET News about his efforts to get a federal cybersecurity program off the ground, why no organization is safe from attack, and why he is "anti-user." Here is the edited interview.

Q: The big question on everyone's mind is when will the administration appoint a new cybersecurity czar and who will it be? Do you have any comments on that?
Yoran: (Laughs) Apparently, they'll report it when they're good and ready. I don't have any particular comment on that.

There's been a lot of talk about the structure. Do you think the position should report to the White House or an agency like the National Security Agency? Should the official snoops be in charge of protecting security and privacy?
Yoran: (Laughs) Is that a biased question? No. In my mind clearly the right thing to do is to put a coordinator at the White House. NSA has a key role in cyber, but they've got their mission focus, and there's a number of other departments and agencies that have other priorities and activities in cyber that are relevant and need to be coordinated at the White House level.


You resigned as director of DHS' national cybersecurity division after only one year. Why?
Yoran: I had a specific start-up job or requirement that was asked of me--to help them get the US-CERT operation up and running and help get some of their cyber programs off on the right foot. After a year we had established some of those programs and (decided that) my interests lie elsewhere. We were as productive as we could be in a short period of time.

Do you think your division was given adequate attention and resources?
Yoran: At the time I don't think they were inadequate, meaning when you're just starting something from scratch, even if you have hundreds of millions of dollars at your disposal, I don't think that you can prudently and effectively spend it. I don't think you can be effective or responsible with large resources like that on day one. Until you know where you can add value, what the programs and activities you can undertake are, you aren't particularly resource-constrained. I do think over time some of these activities require greater funding. I just don't know if that was a shortfall while I was there.

You weren't the only one to leave sooner than people might have expected. Former cybersecurity director Rod Beckström resigned in March and Melissa Hathaway resigned as acting director in August. What's going on here?
Yoran: Well, this is a very complex topic and dealing with it is a careful balancing act between an understanding of business, an understanding of technology and an understanding of how...to prioritize your programs and this was a national level of activities. So it doesn't particularly surprise me that we've had a high turnover of leadership, a fast pace of leadership turnover in this area. That doesn't mean that all the programs and activities start and stop with changes of political appointees.

The 60-day review that President Obama commissioned came out in May with the message that the country is not prepared to respond to cyberattacks. What's your opinion of the report?
Yoran: I would concur the nation is not prepared to adequately address cyberattack...The report, like cyber, has so many nuances some of which I agree with and some of which I don't agree 100 percent, but I think the observations being made were accurate.

You were a member of the commission that worked on a report that came out last December, right? Are the reports really all that different?
Yoran: There were a lot of similarities and there was a lot of alignment between observations made by the CSIS (Center for Strategic and International Studies) commission and ultimately 60-day review that Melissa Hathaway conducted for the White House. But that shouldn't be very surprising. It's not the same document...You've got a lot of the same expertise...a lot of the same types of analysis done...It also is reasonably well aligned with a lot of earlier presidential strategy and docs around cyber.

It doesn't seem like there's a lot of change after years of this. Do you get a sense we're treading water at all?
Yoran: I'm not certain treading water is the right analogy. It seems like we're making progress, progress is being made, but cyber is not a stagnant environment. It's not like a network router (which) behaves as you command it so you change the network or the architecture. In cyber you have a continuous sort of evolution, not only of technologies, but also you have an adversary game theory-type activity. What you think is secure today is based on your current knowledge and your knowledge expands and the adversaries change their techniques and methods. The landscape has changed so it would actually require a lot of swimming to stay in place versus treading water, I guess is how I would characterize it...Our adversaries are advancing their techniques and we're also deploying a lot of technologies and process and capabilities to help better protect ourselves. Overall, I don't think we're better protected, that we're better off or less exposed today than we were years ago.

You said "progress is being made." Can you elaborate?
Yoran: So in the last two years or more, the Bush administration carrying on into the Obama administration the primary national federal effort is really being driven by what they call CNCI, "Comprehensive National Cybersecurity Initiative." It remains highly classified as an initiative and series of programs. Work is under way. CNCI is more than people just talking about cyber. There is work being done. Unfortunately, a lot of it is behind the scenes.

What is the state of cybersecurity today?
Yoran: The organized crime, the criminal element today, is organized. They've got capability and because there is money on the line they've got phenomenal intent and focus and persistence. Last year, the FBI director said that more money was made using online cybercrime than by drug trafficking in the U.S. It's a mind-boggling number to people who aren't familiar with it...About 30 percent of the cybercrime today uses anti-forensic techniques, so you're literally not going to find them even if you know to look for them...The FBI also said that over 100 foreign governments have structured offensive cyberwarfare organizations as part of their network security and intelligence infrastructure. So the industry and the IT world is getting decimated by the cybercriminals and the nation-state activity is even more advanced than that. The technologies we're using to protect ourselves, that we're relying on, the dirty secret within the IT security world is that they're incapable almost by definition of dealing with the advanced threats of cybercrime or nation states.

Yoran: The challenge faced by the government departments and agencies is 98 or 99 percent similar to the challenge faced by enterprise IT environments which is very blatantly the IT security industry is not equipped to deal with the advanced threats. If we think we're monitoring systems and if we think we're protecting our systems using the products we have then we're uninformed about the threat, or misleading ourselves or just plain loony.

And the most advanced threats being specifically what?
Yoran: Custom exploits. Custom malware. The same concerns that thought leaders in the industry have been predicting or projecting from a few years ago or maybe even five years ago as conceptually possible are now an every day occurrence. Attacks being embedded in the application layers. Attacks being embedded into the content of applications or behavior of applications. It's by infiltrating and compromising the supply chain of an enterprise, be it in the hardware supply chain or more likely the services supply chain...

So a lot of attacks also use social engineering. Which attack vector is more successfully exploited, social engineering or the one targeting vulnerabilities?
Yoran: That's a great question. I think that the attack surface is so large. Whether you're going into a supplier, whether you are socially engineering an employee, or whether you're doing some sort of spear phishing type of exercise. The attack surface is so large and the IT security industry's ability to adequately protect a complex enterprise is so poor that I believe we have to have a shift or a change of paradigm in how we think about security. We have to believe, and I would say almost every security industry leader that I respect today, we have to believe that our defenses are imperfect and that our adversaries, criminal or otherwise, are already on the inside and that no matter what we do to protect ourselves they're still going to get inside.

Yoran: How do you live, how do you operate in an organization's IT environment, and how do you enable the organization to still accomplish their mission knowing that their IT systems are already living in a state of compromise? The bad guys are already inside. I don't care if it came in through social engineering or through a new exploit I didn't know about or a piece of malware they just wrote or by bribing someone on the cleaning crew to get into an environment. In order to succeed today you have to operate under the assumption that the compromise is already on the inside.

So then is it a matter of just minimizing the damage?
Yoran: Unfortunately I think that is a good part of it. You've got to understand where they are. Minimize the damage, containment, prioritize your limited resources, and focus efforts on the core assets, the most important assets of the enterprise. The data, the database, the brain, whatever you deem to be most sensitive in your business. Intellectual property.

Which is more important for curtailing threats--user education or technical countermeasures or something else?
Yoran: I'm a (laughs) I'm a believer in anti-user. Users are part of the problem, not part of the solution. (Laughs)

But you have to deal with them still. They are part of the equation.
Yoran: I typically advise folks to get rid of their users as the best defense but they usually don't have that as an option. I don't think user education is very effective. There's definitely a benefit to it. Is the marginal return worth the cost? I don't know. If you have some cost-effective programs it does make sense. Any security architecture which relies on the awareness or education of the user population is flawed by design. I'm a security professional. I've been doing IT security for the past 18 years or so and some of the spear phishing and other methods are so slick, so well engineered and so sophisticated that I could easily see myself falling victim to them. Having an alert user, that's valuable. Can you put any confidence in a security program that requires any end user awareness or education? No.

How did you get into computer security?
Yoran: Originally through gaming way, way back when, before it was called gaming, video games. I had my first introduction to computer security as a comp science student at West Point. There was an information security course that was taught and I found it to be a very fascinating topic.

Where did you go from there?
Yoran: On graduation from West Point, I inter-service transferred and served for five years in the Air Force...because it was in the leading edge of adopting technology and focusing on computer security. In the early days, I started with an organization that became the DOD CERT team, the Department of Defense's Computer Emergency Response Team, and worked there for a number of years and then got out in the '98 time frame and started a company called RipTech, a managed security services company, knowing absolutely nothing about business. It was 1998; I figured how hard can this be? Everybody's making a couple of billion dollars and so I jumped into the business world...Symantec bought RipTech in 2002, and in 2003 I went into DHS as the cyberguy, the national cybersecurity director, really trying to help the government get the federal effort off on the right foot. I did that for a year or so and got out of the government in late 2004, and since then have been involved in a series of IT security businesses, mostly as an investor or board member, until 2006, when I organized a management buyout of NetWitness and focused on bringing its product and technology to market.

So tell me about that. What is it?
Yoran: NetWitness at its core is a network forensic engine. The government started the development effort almost 10 years ago, looking at packet switched data networks, trying to be able to rapidly produce intelligence about what's happening on a data network because they clearly saw the evolution of technology in this direction. The company that was developing the product was a services company and really not very well suited to bring this technology to success as a product. So I got some investors together and we basically did a management buy out of the developers, the patents, the patent filings they applied for and we had a series of additional capabilities we wanted to add to the product...

Do you do online banking?
Yoran: I do, because laziness drives so much of my behavior. Absolutely not the right thing to do, but I'm lazy.

Originally posted at InSecurity Complex
June 5, 2009 5:27 PM PDT

Hacker named to Homeland Security Advisory Council

by Elinor Mills

Defcon founder Jeff Moss, aka Dark Tangent, is one of the newest members of the Homeland Security Advisory Council.

(Credit: Defcon)

Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was among 16 people sworn in on Friday to the Homeland Security Advisory Council.

The HSAC members will provide recommendations and advice directly to Secretary of Homeland Security Janet Napolitano.

Moss' background as a computer hacker (aka "Dark Tangent") and role as a luminary among young hackers who flock to Defcon in Las Vegas every summer might seem to make him an odd choice to swear allegiance to the government. (Although before running his computer conferences, Moss also worked in the information system security division at Ernst & Young.)

I'd like to hear some of the banter as he rubs elbows with the likes of former CIA Director Bill Webster, former FBI Director Louis Freeh, the Los Angeles County sheriff, the Miami mayor, the New York police commissioner, the governors of Maryland and Georgia, former Colorado Sen. Gary Hart, and the president of the Navajo Nation.

In an interview late on Friday, Moss, who is 39, said he was surprised when he got the call and was asked to join the group.

"I know there is a newfound emphasis on cybersecurity and they're looking to diversify the members and to have alternative viewpoints," he said. "I think they needed a skeptical outsider's view because that has been missing."

Asked if there was anything in particular he would advocate, Moss said: "There will be more cyber announcements in coming weeks and once that happens my role will become more clear. This meeting was focused on Southwest border protection... With things like Fastpass and Safe Flight, everything they are doing has some kind of technology component."

Moss, who is genuinely humble, said he was "fantastically honored and excited to contribute" to the HSAC and not concerned with losing any street cred among what some would call his fan base. He did concede that his new position would give him an unfair advantage in Defcon's "Spot The Fed" contest in which people win prizes for successfully outing undercover government agents.

Security consultant Kevin Mitnick, who spent five years in prison on computer-related charges and was once the FBI's most-wanted cybercriminal, praised Moss' diplomacy, but said: "I'm surprised to see Jeff on the list. I would have expected (crypto/security guru and author) Bruce Schneier to be on the council."

Moss "is a great crowd pleaser" and "he's just bad enough for them to say 'we're crossing the ranks,'" said journalist and threat analyst Adrian Lamo, who served two years of probation for breaking into computer networks. "But the reality is he's as corporate as hiring someone out of Microsoft."

March 3, 2009 12:22 PM PST

A busy cybersecurity week in Washington

by Jon Oltsik

As the financial meltdown continues, there has still been plenty of attention on cybersecurity within the Beltway. Note these three events last week in Washington.

  1. Budget increases. President Obama's proposed 2010 budget includes $42.7 billion for the Department of Homeland Security with cybersecurity spending included in this sum. Additionally, the budget allocates $355 million to the National Cyber Security Division. There are a few additional items that affect cybersecurity.

  2. A new cybersecurity report. A new report from Dartmouth College's Institute for Information Infrastructure Protection (I3P) was delivered to U.S. Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), who serve as the chairperson and ranking member of the Senate Committee on Homeland Security and Government Affairs, respectively. The report recommends a coordinated response across the government and the private sector, coordinated metrics to assess progress, and an increasing focus on cybersecurity education.

  3. The National Institute of Standards and Technology (NIST) is revising Special Publication 800-46, its telework and remote-access guidance first published in 2002, under the title "Guide to Enterprise Telework and Remote Access Security." While NIST is a federal government entity, this is an excellent set of guidelines for any organization providing remote access to its network for employees and third parties. NIST is asking for comments on the new draft, NIST SP 800-46 Revision 1, by March 27.

As a security professional, I am always worried that security concerns will be ignored when times get tough. It is nice to see that the Obama administration recognizes the scope of cybersecurity issues and is willing to fund efforts to address these problems rather than take the old "security by obscurity" approach.

January 22, 2009 11:40 AM PST

New national cyber adviser to report to Obama

by Elinor Mills

The administration of President Barack Obama will be hiring a new national cyber adviser, according to the agenda for homeland security released on his first full day in office.

Janet Napolitano sworn in at her confirmation hearing.

(Credit: U.S. Department of Homeland Security)

The Agenda for Homeland Security, released Wednesday, lists goals for defeating terrorism and improving intelligence gathering, as well as for protecting the nation's information networks and critical infrastructure.

The top item under protecting information networks is to strengthen leadership on cyber security by establishing a "position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy."

Other items include: supporting an initiative to develop next-generation secure computers and networking for national security applications, and deploying secure hardware and software to protect critical cyber infrastructure; establishing "tough new standards for cyber security and physical resilience;" developing systems to protect trade secrets from being stolen online from U.S. businesses; shutting down "untraceable Internet payment schemes;" and securing personal data stored on government and private systems and requiring companies to disclose data breaches.

The homeland security agenda also calls for ensuring that "security is considered and built into the design of new infrastructure, so that our critical assets are protected from the start and more resilient to naturally-occurring and deliberate threats throughout their life-cycle."

Also on Wednesday, former Arizona Gov. Janet Napolitano was sworn in as secretary of the Department of Homeland Security.

October 17, 2008 9:40 AM PDT

Note to McCain, Obama: Don't forget information security

by Jon Oltsik

Regardless of whether you favor Barack Obama or John McCain, you have to admit that the next president will inherit a monumental mess.

Each candidate has been scrambling to explain how he plans to right the financial ship, rein in growing health-care costs, improve education, and balance the budget. Yikes!

As if this wasn't enough, the new president and Congress also have an obligation to figure out how to proceed with a strategic plan for IT and information security.

Now I understand that economic, social, and national security issues should have precedence, but the fact is that the federal government is sort of treading water on a number of highly visible strategic initiatives regarding information security. The issue here isn't new legislation or initiatives, however. It is finishing work that has already been started.

Here are a few examples:

1. The Comprehensive National Cyber Security Initiative (CNCI). This effort grew out of presidential and Department of Homeland Security directives with the goal of standardizing security practices and appointing DHS as the overseer of critical information security infrastructure across all federal agencies. It is estimated that CNCI will ultimately cost around $18 billion to $30 billion. But for now, DHS is asking for $200 million in 2009. As of this writing, these funds have not been allocated to the project.

2. The next revision of the Federal Information Security Management Act (FISMA) of 2002. Back in 2002, FISMA was passed in order to provide a set of guidelines and requirements for federal agencies. Each agency was then graded on a FISMA report card with the results presented to Congress and the public. Several agencies (alarmingly, including DHS) received an "F", while others saw FISMA as nothing more than a series of check boxes with no teeth. To improve the efficacy and benefits of FISMA, the Senate is currently working on the FISMA Act of 2008 (S.3474). As of now, this bill remains in committee.

3. A national information privacy act. The Personal Data and Privacy Act (S.495) has been languishing in the Senate for years. In lieu of national personal-privacy legislation, 42 states have enacted their own laws, leading to a messy situation for any organization doing business across the country. Some states, like Nevada and Massachusetts, now mandate data encryption to protect data confidentiality, but the individual laws remain vague and unique.

These examples pale in comparison to the federal train wreck around Homeland Security Presidential Directive 12 (HSPD-12), a well-intended but unfunded effort to standardize identity technologies for federal workers and contractors. In my opinion, the lack of federal funding has rendered HSPD-12 a bad joke inside the Beltway.

As a private citizen, I can't help but lament the tremendous amount of wasted effort here, especially in the face of increasingly dangerous information security threats. Bills are discussed but not passed. Some legislation gets passed and is either ignored or treated as a mere check-box item. Other bills are passed and never funded.

Unfortunately, these examples are a microcosm of a broken, wasteful system. Regardless of who becomes our next president, I'll judge progress in Washington by the government's ability to pass and fund legislation, meet regulatory compliance mandates, improve information security, and strive for constant improvement. I, for one, will be watching carefully.

October 8, 2008 2:48 PM PDT

Former 'cyberczar' goes corporate

by Robert Vamosi
Andy Purdy (Credit: Andy Purdy)

On Wednesday, HBGary announced that Andy Purdy has joined their advisory board.

Purdy, while on the White House staff, co-drafted the 2003 edition of the National Strategy to Secure Cyberspace, then joined the Department of Homeland Security. There, he served on the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). He went on to head both organizations and was dubbed by the media the "cyberczar" of the United States until DHS appointed Greg Garcia as assistant secretary for cybersecurity and communications.

In 2006, Purdy oversaw the first large-scale mock cyberattack, code-named Cyber Storm. A second mock attack, under Garcia, was held earlier this year.

In August, HBGary announced a partnership with McAfee to provide forensic tools for its enterprise offerings. HBGary specializes in monitoring information systems for external and internal threats.

October 8, 2008 12:00 AM PDT

Govt. biometrics use still raises privacy concerns

by Stephanie Condon

WASHINGTON--Is the idea of widespread biometric data collection still too spooky to win over the American public?

At some level, it's already becoming commonplace: California and some other states demand fingerprints from driver's license holders. The Verified Identity Pass program includes iris scans, as does the U.K.'s border control system. And prisoners have their blood forcibly drawn for a DNA sample.

But more widespread use of biometrics, especially by the government, raises substantial privacy concerns that may alarm many Americans and prove difficult to resolve, panelists at a conference here said Tuesday.

"How would I transact business, if I knew someone was following me everywhere and watching me?" asked Scott Hastings, president of the IT consulting firm Deep Water Point, who previously worked in the federal government for 23 years. "We need to grab hold of that and decide how that's going to modify our behavior."

Hastings sat on a panel at a forum on identity management hosted by the Information Technology Association of America.

"Will there be underground transactions? Will it affect our economy?" he asked. "When people (become aware of) the electronic footprints they leave behind, there will be a reaction."

Homeland Security's US-VISIT program is moving from collecting two fingerprints to 10 at U.S. borders.

(Credit: Stephanie Condon/CNET )

The increasing sophistication of identity management has had clear benefits, Hastings said. He noted how the rollout of the Department of Homeland Security's immigration and border management system--United States Visitor and Immigrant Status Indicator Technology--has virtually erased the once-prominent problem of document fraud at U.S. borders. The US-VISIT program, implemented in 2003, involves the collection of biometric data such as fingerprints to monitor for criminals and terrorists at the borders.

US-VISIT is the world's first large-scale biometrics program, according to director Robert Mocny. He said the program has stopped 2,400 criminals based on biometrics alone.

The program is currently transitioning from collecting two fingerprints to a 10-fingerprint standard. Mocny said US-VISIT is also pursuing other forms of biometric identification, such as iris-scanning technology.

"The biggest challenge since day 1 with any service has been the privacy and security aspect of it," said Chase Garwood, chief information officer of US-VISIT. He said the program extends to non-U.S. citizens many of the same protections afforded to citizens.

Protecting Americans' privacy at other borders presents an additional challenge, pointed out Mary Dixon, director of the defense manpower data center for the Defense Department.

Governments in Japan, Australia, the European Union, and other places have begun collecting biometric data at their respective borders as well. The United Arab Emirates has been utilizing iris scans for some time, Mocny said.

"As biometrics increases worldwide, consistent standards are essential," Mocny said. "We can transform the way the world travels."

He said that in order to make the collection of identifiable information palatable for consumers, it has to be noninvasive and familiar to people.

Some panelists suggested that younger generations are more accepting of handing over their personal information, but Dixon took issue with that point.

"They might share" their information online, she said, "but it's their decision whom they share with--they don't want the federal government collecting all of their information."

Conor White, chief technology officer of security systems vendor Daon, said consumers are growing more comfortable with the use of biometrics on an everyday basis, as evidenced by products like the Registered Traveler card, which identifies travelers who pose a minimal security risk.

"People are doing it because they recognize the security and convenience trade-off," he said.

CNET's Declan McCullagh contributed to this report.

Originally posted at Politics and Law