Adam Shostack is co-author of The New School of Information Security, security specialist at Microsoft (though he doesn't speak on behalf of Microsoft here) and ringleader of the popular Emergent Chaos blog. Forrester Research senior analyst Andrew Jaquith is former senior project manager at Symantec and former program director and cofounder of @stake.
Readers can also listen to the full audio of this conversation HERE.
Cybersecurity Coordinator: Can Schmidt Get the Job Done? Howard Schmidt as White House cybersecurity coordinator. What are your first impressions?
Jaquith: I have two thoughts on this. The first is that the position has been notoriously difficult to keep people in. You saw what happened with Amit Yoran and Mellissa Hathaway. It's a tough job with tough expectations and very little authority, so I'd say congratulations to Howard. I'm glad he's stepping up and I think he is someone with a stature and a pedigree. He's done the job before. I hope he will take some of what he learned during his first go-around and apply it in his second go-around. But fundamentally it's a pretty tough job and I find it hard to believe that anyone could fulfill the expectations of the role given the tools available to him.
My second thought is that Howard needs to clue up a little bit in terms of some of his current thinking. I did see the predictions he expressed [in the article "Ten 2010 IT Security Predictions"] and I think it's great that he has a perspective. On the other hand, a lot of the things he voiced weren't so much predictions as much as they were concerns. "We're concerned about social networking." Well, sure, we've known that for awhile. "We're concerned about smart phone malware." I would argue that this is a tempest in a teapot and something that will never come to pass in the way most security vendors and security practitioners think it will. But, you know, good for him for expressing an opinion about something that's been expressed before. To me, though, there just wasn't much by way of real forward-looking predictions. I think he's fighting many of the last wars in 2010, and I'm hoping we can get a little more vision out of Mr. Schmidt.
Shostack: Yeah but come on, isn't that what security professionals always do? Fight the last war?
Jaquith: (Laughing) Well.
Shostack: The response is always, "SSL and firewalls, SSL and firewalls."
Jaquith: That's true. We do tend to fight the last war. We're rarely out in front of the next one. There's very little reconnaissance happening. What do you think of Howard's elevation?
Shostack: Well, I think your first point is spot-on. Everyone is saying that without the authority you can't get anything done in this world. I'm sympathetic to that view. But I think there's a lot Howard could do in this role and it really ties back into the transparency that the President even included in his inaugural address. The federal government is a collection of some of the largest enterprises out there and they vary a lot in how they operate and what they do. As a result -- and I believe some of this is because of FISMA [Federal Information Security Management Act] -- each of these agencies is reporting on a regular basis to US-CERT [United States Computer Emergency Readiness Team] all the incidents it has. Wouldn't it be a spectacular act of transparency to put that data out there and say, "Here are the incidents that are occurring," and let us study that? I think that would be a transformative step that I expect he has the authority to drive, and it's in alignment with the president's own goals for his administration with initiatives like Data.gov, so there's even a place for the data to live. And he has the opportunity to talk about the situation as it is. A lot of the problem is that everyone wants to push the problems under the rug and not say "Here's what's hitting the enterprises." If Howard comes out with the authority that comes with the position and says, "We're having a lot of trouble doing this and we believe everyone else is having an equal amount of trouble, let's talk about it," he can have an impact that doesn't require him to force anyone's hand or to push things.
Jaquith: A couple thoughts: It's pretty interesting. I believe the first thing you said was, Let's use the power of the bully pulpit and some of the authority vested in the position to compel or require federal agencies to centrally report the incidents and to put that out in public so that people in the private sector and the research community can take a look at it and learn from it, but also so we have an example of what collaborative security incident data-sharing is all about. That's something you don't see in a big way at the federal level or even in the private sector - having something that the private sector can work with and understand. You also mentioned -- and I'd like to spend a little time on this -- figuring out ways to bridge the gap between the private-sector expertise out there and the federal level. What I think about the divide between the public and private sector is this: It's not just that they're governed by different statutes and codes of conduct, it's different languages. When I think federal, I think FISMA and FIPS [Federal Information Processing Standards] and SCAP [Security Content Automation Protocol] -- acronyms people in the private sector look at and say "What the hell is that?" There are words like accreditation and certification that have absolutely no meaning in the private sector. People like us look at that and say "Why would I be involved in federal government security at all? It's just a bunch of paper pushing." To me, it seems like maybe if we can have some other examples out there that are derived from the public experience, then we can start to start to stimulate a dialogue and break down some of these linguistic cultural barriers that prevent us from having workable best practices that apply from one sphere to another. Am I putting words in your mouth?
Shostack: I think that is a side effect I'm looking forward to. I do want to comment on your comment that this would compel reporting -- the reporting is already happening under current law. But yeah, when I look at a lot of what the federal government does, there's an awful lot of what I might look at as applied policy. What are we trying to achieve? What is the management oversight -- what are we doing to ensure a degree of accountability? But these guys are also operating firewalls, IDSes [intrusion detection systems], encryption programs, they're training their users, managing user accounts and access controls across tremendously complex systems. What if -- with all sorts of requirements -- we can learn from them and they can learn from us? But the first step has to be talking about what's happening. As long as we look at what they say and it's all about SCAP, FISMA and the related acronym soup, it's very hard to build bridges. But if we can actually get down to brass tacks, we can say, "Oh look, you guys are dealing with this problem and how it that working out for you? Of the 50-odd firewall brands in use in the federal government, which ones are the most effective at stopping attacks? Is there a correlation between firewall brand and the number of attacks that make it through?"
Jaquith: Yup. Makes sense to me. So, what's your bottom line, Adam? Is it that Schmidt is a good appointment? Bad appointment? How do you handicap his chances of success?
Shostack: Schmidt's a good appointment. As you pointed out, it's a hard position to work in. I think the big question is, what do you want out of success? Is he going to make the problem go away? Nope. We're always going to have cybercrime. We're always going to have people hacking into federal computers. If the question is if he will make things better, I think the key question for me is if he is going to decide to do some of the same things we've always done or is he going to ask why some of those things did not take off or succeed. I'm optimistic that he's going to bring in that new thinking. I give him a 60 percent chance of success.
Jaquith: Wow. Not bad. My bottom line: He's a fair choice at best. I'd like to see someone who is a little more of a visionary who's not rehashing last year's vulnerability stories. But that aside, I think the best thing he could do is pick a series of themes to riff on. This is a little like the Obama campaign itself: Pick a couple things to really execute on and just do it. So, for example, are you going to secure the federal agencies? OK, fine. There's a lot of ways you can do that. Are you going to work in the consumer space and make consumers more aware and, as a result, less affected by what's happening out there? Are you going to work to provide some consistency among the different agencies? Probably not, but that's certainly an angle you could go on as well. I think for me the answer is: Pick an objective, one or two things you can do well, and go with it. Otherwise, it's going to be a very watered-down role without a lot of authority or results to show for it. I give him a 50-50 chance at succeeding. Unsuccessful means flaming out and leaving within a year or a year-and-a-half.
Shostack: That would be longer than any previous czar has made it through the role. (Both laugh.)
Data Breaches: Will Awareness Drive Improvement? You and I have been looking a lot at some of the data breach incidents that have popped up and some of the centralized and consolidated areas. Are these things good for security? Are they driving corporate budgets and awareness? Or do you think these things are just ushering in another era of snake-oil sales of stuff that's advertised as fixing the problem? Would people stampede to buy full-disc encryption as spray-on auditor repellent as opposed to as a security measure?
Shostack: In the short term, your cynical view is not inaccurate. But people have always been jumping on the latest security technology bandwagon and the latest threat story as a way to move what they have. That's a natural part of business. Unless the story is Tiger Woods, you attach your brand to the story.
Jaquith: I think you're right. Or, more accurately in the case of Tiger Woods, you detach your brand from the story.
Shostack: I think that in the longer term, the theme for me is really around transparency. We've had people doing the same thing over and over again. Anyone in the trenches knows there have been problems we can't get a good handle on. We need to be grappling with a different set of issues. To me, the great thing about something like the Verizon Report, like DataLoss DB, is that whatever biases or weaknesses they have, they are big enough sets of data -- and I would love to see the Verizon folks release more of their underlying data -- but there are really enough there, enough cross-organizational study, that we can get a handle on the fact that, yeah, lost and stolen laptops are in fact a big deal. Are they being exploited? Well, we really don't know and we argue about it because you have to disclose the incident but there's no way to track between the incident and the impact. If my Social Security number is on a tape that falls off the back of a truck, we can argue until we're blue in the face because there's no insight into what happens. I'm not exactly sure how we're going to get transparency on that end of things. But without that sort of understanding, you know, a lot of people talk about how we need risk management in security, we need a risk-of-harm trigger before we tell people. I think the risk-of-harm trigger is the lawyer's full-employment act because 1.) You're going to pay a set of lawyers to argue about it, and 2.) The minute you make the call, you're going to expose yourself to litigation from someone who doesn't like the call that you made. In the end, though, notifying people has turned out to be not a bad thing. If you look at the Ponemon Institute's numbers and you look at the expected current cost versus the future cost: The current costs are declining and the future costs are going up. What do you think?
Jaquith: Well, I actually think the spate of data breach disclosure laws are fantastic because you start to get some real transparency. I use a lot of the DataLoss DB guys' information pretty regularly, and one thing we recommend clients do when trying to justify a security initiative is using a database like that to find examples of peers who have had similar trouble and use that to justify an initiative. When you find those real concrete examples, it's easier to visualize the scenario and makes the danger more clear and present. Another thing that has been very interesting about the breach disclosure laws is that in a bass-ackwards way, it's pushing the United States closer to the European Union in how it handles personal information, making it less of a commodity that can be owned and moved around by marketers, turning it into a commodity that's a little more toxic. It may mean we sidestep into an E.U. data-protection regime.
Shostack: Bottom line: To take this to the next level, what do you think that would be?