Future of cyber security II – A call to arms

by Derek Manky
July 2, 2009 at 3:29 pm

Remember that magical silver bullet I spoke of when discussing the U.S. cyber security plan and the future of cyber security? Well, there is still no such thing, and there likely never will be one key solution. Securing cyberspace is a global problem that cannot be addressed by a single plan such as this. However, if this plan is properly implemented, enforced and refactored, it should be able to lead by example. It is always said that the Internet has no borders, which is an inherent problem in tackling cyber crime. Remember, this is a serious problem that spans our globe. If other governments followed suit with such an example, borders may indeed start to rise – but it will likely be on a noticeably different public Internet than the one we know today.

The recently formed European Electronic Crime Task Force is an example of some of these ingredients beginning to mesh. This task force is currently composed of both the U.S. Secret Service and Italy’s policing and postal services. These components were chosen as a core with experience and resources in monitoring and defense, and the initiative goes further to openly accept contributions from other private IT operators and academic institutions. This is yet another example of the required collaboration with the private sector which I mentioned in my previous post, and indeed welcome news. While this is just another small step forward, it does help lay the groundwork required to begin effectively tackling such a large, international problem. To further refine this, more components are needed (on an international scale) – and an active effort should be put forward by all private sectors and all other accepted sources. Then, this initial groundwork can be expanded, detailed and refactored in an effort to generate a global, authoritative task force. I think what unfolds in the coming months and years in terms of this development is very important; too much complication and confusion can leave this framework, and the state of cyber security in general, in a very fragile state. Going back to the U.S. cyber security plan, I have taken the broadly laid out five points outlined by President Obama and prioritized them from 1 to 5 below, with comments:

1) A response plan in collaboration with local and state governments, private sector
This chimes in precisely on what I believe is the No. 1 driver towards effective cyber security. You cannot have one individual person, regardless of their knowledge and experience, in charge of security – whether it is a government entity or an enterprise IT administrator. The key is collaborating with existing resources to put all of the wheels in motion. Not only will this help with the response plan, it will directly help with proactive defense. I firmly believe part of this response plan should also be monitoring and reducing attack windows. Attacks thrive on their success because they are allowed to continue undetected for months after a breach – President Obama even admitted as much when his own sensitive data was compromised over a three-month period (August to October).

2) An open and transparent strategy that includes metrics (milestones, progress measurements through performance)
This is a very general statement that really applies to any project throughout its lifecycle. However, I believe it is very important to act on this and perform reviews regularly through existing channels (see point #1 – collaboration) to address current issues and those on the horizon.

3) National cyber security awareness campaign from boardroom to classroom
Education is a vital piece of understanding the problems of the future, and I think educating all levels on these matters is always a good and effective proactive measure. Many successful attacks launched to date have been carried out through social engineering, preying on victims who are simply unaware of existing threats.

4) Private-public partnership strengthening without dictating private sector
One of the major areas to be addressed is protecting critical infrastructure. Yet, this section of the plan seems to place that responsibility on the private sector itself. If there is no enforcement on what is seen to be one of the most important areas to safeguard, then I think a true opportunity is being missed to develop security around this area. The private sector has been perfectly happy using legacy protocols that serve their function, and I do not think that security will be brought to the forefront without any enforcement. As I mentioned previously, one of the main reasons SCADA networks are vulnerable to attack today is the fact that they are not closed circuit. They are not closed circuit because they have been bridged to the public Internet, and therefore to the threat landscape, since that is less overhead and easier to manage. With no enforcement of policy, these networks will continue to be vulnerable to attack.

5) Research and development
Research and development is what got us into this mess in the first place: security was not kept in mind, and growth was what mattered. Thus, software quickly became complex and integrated, giving cyber criminals room to attack. Even though it was not mentioned, I believe the key to R&D is the secure development lifecycle – think of all the prevalent problems that could easily be addressed through design (XSS, buffer overflows, etc.).
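As an added illustration of what "addressed through design" means for the two defect classes named above, here is a small C example. It is not code from this post or from Fortinet; the record type, NAME_LEN and all function names are hypothetical. The first pair shows the buffer-overflow defect (an interface that never learns the destination size) beside a version whose interface carries the size, rejects over-long input and always terminates the result. The second part is output encoding for the HTML text context, the design-level answer to XSS: untrusted data is encoded at the point it is written into the page, with a bounded destination and a way to detect truncation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size record such as a legacy application
 * might use. NAME_LEN is an arbitrary illustrative size. */
#define NAME_LEN 16

struct user_record {
    char name[NAME_LEN];
};

/* The legacy shape of the defect: the destination size never crosses the
 * interface, so any source of NAME_LEN bytes or more writes past 'name'.
 * Kept only for contrast with the checked version below. */
void set_name_unchecked(struct user_record *rec, const char *src)
{
    strcpy(rec->name, src);   /* unbounded copy, no size information */
}

/* Designed-in fix: the copy is bounded by the real destination size, the
 * result is always NUL-terminated, and over-long input is rejected rather
 * than silently truncated (a truncated identifier can itself become a bug). */
bool set_name_checked(struct user_record *rec, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof rec->name) {
        rec->name[0] = '\0';
        return false;
    }
    memcpy(rec->name, src, len + 1);   /* len + 1 copies the terminator */
    return true;
}

/* HTML text-context encoding. Returns the full encoded length (excluding the
 * terminator), snprintf-style, so a caller knows dstsz was too small when
 * the return value is >= dstsz. dst is always NUL-terminated when dstsz > 0. */
size_t html_escape(const char *src, char *dst, size_t dstsz)
{
    size_t needed = 0;        /* bytes a complete encoding requires */
    size_t written = 0;       /* bytes actually placed in dst */
    bool fits = dstsz > 0;

    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (fits && written + rl < dstsz) {
            memcpy(dst + written, rep, rl);
            written += rl;
        } else {
            fits = false;         /* stop writing, keep counting */
        }
        needed += rl;
    }
    if (dstsz > 0)
        dst[written] = '\0';
    return needed;
}

/* Self-check helpers: return results instead of exposing buffers. */
bool name_accepted(const char *src)
{
    struct user_record rec;
    bool ok = set_name_checked(&rec, src);
    return ok && strcmp(rec.name, src) == 0;
}

bool escape_gives(const char *src, size_t dstsz,
                  const char *expected, size_t expected_needed)
{
    char buf[64];
    if (dstsz > sizeof buf)
        return false;
    size_t needed = html_escape(src, buf, dstsz);
    return needed == expected_needed && strcmp(buf, expected) == 0;
}

int main(void)
{
    struct user_record rec;
    char out[64];

    printf("short name accepted: %d\n", set_name_checked(&rec, "alice"));
    printf("long name rejected:  %d\n", !set_name_checked(&rec, "a-name-that-is-far-too-long"));

    size_t needed = html_escape("<b>Tom & \"Jerry\"</b>", out, sizeof out);
    printf("%s (%zu bytes needed)\n", out, needed);
    return 0;
}
```

The point of both halves is the same: the size limit and the encoding step live inside the interface, so a caller cannot forget them. That is what pushing a fix into the design, rather than into a later patch, looks like in practice.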

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.

Future of cyber security

by Derek Manky
June 4, 2009 at 8:49 am

On May 29th, 2009, U.S. President Barack Obama held a conference at which he discussed a cyber security plan following an earlier 60-day review released in April. While there has been much debate and discussion on this initiative, which has yet to take shape pending the announcement of a cyber “czar”, I think one of the more important aspects to recognize is that this is a step forward.

Is it a step forward because this is the one answer, the silver bullet launched from the U.S. to stop cyber terrorism and information warfare in its tracks? Certainly not – last I heard zombies were unaffected by such silver bullets. Rather, it is a government-led initiative that naturally will gain a high profile as it develops which in turn, will help bring cyber security to the table. And it’s about time. The problems which this plan aims to address have been around for quite some time, and have been well known in the security field: critical infrastructure operating off legacy, vulnerable protocols now linked to public networks, software with more vulnerabilities than function. Yet, voices calling to fix these problems continue to echo in cyberspace unanswered. This is for various reasons including authority, confusion, underestimation and budget.

Think of Operation Cyber Storm (II). This exercise, headed up by the DHS, has been conducted several times, and lessons from the outcomes of these tests should be well in motion. With that said, it is vital to take the first step forward and lead with a plan that takes security seriously, which is exactly what is unfolding today — this is commendable. There has been much debate on whether the DHS or the NSA should hold authority over cyber security (which has led to a turf war). This turf war was fueled by accusations that the NSA was controlling the NCSC/DHS through policies and politics that bypassed the mentality of true network security, on top of a lack of funding. This is why I believe that funding and authority, although crucial elements, should only be part of the puzzle. These elements have yet to be detailed when the cyber “czar” takes their throne, and will certainly be required for any plans to be put into action. However, many components need to gel together for this to work – including those from the private sector.

As I previously mentioned, we are already aware of the many security problems existing today in cyberspace. Solutions from security devices, consolidated network intelligence services and the “cloud”, software patches, policies and education have been put in place – but not nearly on the level that they should be. On top of funding and authority, I believe that collaboration will become the key item to drive forward: how the plan implements the aforementioned existing solutions and works with the private sector. Thus, it should be equally important that the newly appointed cyber coordinator has an open-minded understanding of, and focus on, this collaboration. This is a pragmatic approach that will help with defense, response and education.
