DHS has a vision for stronger information security

It was not all corporate talk at the RSA Conference Europe 2009 this week in London. Attending one of the roundtables was Philip Reitinger, U.S. Department of Homeland Security (DHS) Deputy Under Secretary for the National Protection and Programs Directorate. He is the DHS lead on all cyber operations, policy and coordination with interagency, international and private sector partners.

The reality is that with the proliferation of dangerous online threats, the average citizen can ultimately have an effect on homeland security and the US government is making an effort to build a better defensive system. The DHS started with the announcement that they are hiring information security professionals, but they didn’t stop there. They are also trying to raise awareness and raise the bar when it comes to understanding the perils of Internet use, and as Reitinger’s visit to London shows, they are serious about spreading the message worldwide. I must say, a serious approach like this was long overdue.

As Reitinger pointed out, their goal is to hire 1,000 people over the course of three years. The emphasis is on recruiting highly ethical people that pass a long clearance process. The specific standards are naturally not disclosed, but Reitinger noted that these good guys should be able to put on the “black hat” while still keeping the interest of the public in mind. In other words, the US government is looking for an army of honorable infosecurity professionals that will be able to simulate attackers’ mindset and consequently implement successful defenses.

When addressing the issue of the number of experts that the DHS plans to hire, Reitinger emphasized that, in the end, it’s not about bulk but about capability. Although, the more top-quality people the government has working for them, the more we can expect them to be able to do.

When it comes to raising awareness of the dangers lurking in the virtual world, a huge drawback is the fact that the age of the Internet inverted the traditional teacher-student roles. Most of the time kids are far more knowledgeable about computers than their parents. But, at the same time, they’re ignorant about most of the risks.

Therefore it’s crucial for parents to educate themselves on new technologies so that they can offer better guidance to their children. This is especially important since the misuse of certain aspects of the Internet (such as social networking sites) can lead to the dissemination of sensitive data than can harm not only the child, but the entire family.

Prioritizing between the government, the enterprise and the end users is impossible. All are crucial elements that construct an exceedingly co-dependent ecosystem and all have to be brought to a higher level of security at the same time in order to make any progress. Companies have to mitigate the risks involving their intellectual property. End users should be taking care of their sensitive data. The government must think about a multitude of serious points.

Reitinger said that right now security is too hard. I agree, but I also wonder if it will ever become easier.

At the moment, the government is taking the individual operational centers that have cyber responsibilities and co-locating them so that they can work together as effectively as possible. In the near future, they also plan on co-locating US CERT, the National Coordinating Center and the National Cyber Security Center. The difference this time around is that the government is not doing this entire shift on its own – the private sector will be invited from day one. The idea is to build communication channels that will create, given the type of issues at hand, an underlying benefit for everyone involved.

A sentence stuck with me after the briefing. Reitinger said that we must treat cyber security as a science and make sure we have the correct data and the proper amount of data in order to make the right decisions. Indeed, too many people tend to approach security like religion and base their actions on what they believe it’s true, instead of what’s really happening.

Sadly, we don’t have a rigorous, up-to-date statistical analysis about the current state of network security, online crime, application security, and so on. A variety of vendors release surveys and provide research papers, but these can differ greatly from one another and tend to emphasize significant problems in the area that specific company is invested in. There’s nothing wrong with trying to drive sales but this kind of research doesn’t really assist in the formation of a clear global threat overview since it’s based on experience and it’s not exact statistical information.

The main problem with obtaining rigorous data is the fact that no one wants to admit to compromises as well as other failures. This is where breach notification laws come in, and help everyone to see the big picture – even if it’s an ugly one. This is definitely a start, but unfortunately still miles away from Reitinger’s vision. I wonder if we’ll ever be able to build a system that provides us with this kind of information and what the costs of such an endeavor may be.

Dangers lurking in the digital world have changed during the years as reputation-fueled attacks were replaced by greed and turned into full-scale organized cyber crime. The risk and threat profiles have increased regardless of the state of the economy. Since the value has moved online, the criminal activity has moved online, too. The key thing here is to focus on what’s most important right now: regular patching of vulnerabilities, updating software, moving beyond the username/password to two-factor authentication, and so on.

Both the private sector and the public at large may be hesitant to cooperate with the government for a number of reasons. However, the question remains – can anyone achieve proper security on their own?




Share this