DHS's Mission to Build Safe InternetTop Cybersecurity Executive Outlines New Net Ecosystem
The deputy undersecretary of the Department of Homeland Security's National Protection and Programs Directorate - the highest cybersecurity position in DHS - led a team that last month published (see DHS Envisions a Healthy Cyber Ecosystem a white paper entitled Enabling Distributed Security in Cyberspace.
Without moving to this new computing environment, functioning in today's Internet-tied world could be threatened, Reitinger says in an interview with Information Security Media Group (transcript below). "Unless people really start to really pay attention to the threat and how we need to drive fundamental change, we're in a world that is going get worse from day to day and month to month and year to year," he says. "And, we're going to be in a place eventually where your television is going to complain that it's being attacked by your refrigerator and isn't able to operate anymore. None of us wants to live that world."
The DHS white paper explores technical options for creating a more secure and resilient network of networks, and explores how three security building blocks - authentication, automation and interoperability - can enhance vulnerability prevention and cyberdefense. And, Reitinger says he sees the paper as the beginning of a broad, technical conversation with others in government, the private sector and citizens on achieving what he characterizes as the "new normal."
"The truth about Internet right now is that offense wins," Reitinger says. "If somebody wants to break into your computer, and they have the time and resources to apply, they will be able to get in. If you want to defend your computer completely, you better not connect it to the Internet, not use it, not even power it on. So we got to get to a different place."
In the interview, Reitinger delves into the importance of the three building blocks of the new Internet ecosystem.
The conversation with Reitinger continued, and in part 2, (see Danger Seen In Slashing Infosec Spend), the DHS executive says cutting IT security spending could prove dicey as Congress and the White House look for ways to slash the federal budget.
Before joining DHS in 2009, Reitinger serves as Microsoft's chief trustworthy infrastructure strategist, responsible for helping improve the protection and security of the critical information technology infrastructure. At that job, he worked closely with government agencies and private partners on cybersecurity protection programs to build trustworthy computing systems worldwide.
While at Microsoft, he served as a member Federal Emergency Management Agency National Advisory Council, advising the FEMA administrator on aspects of cybersecurity related to emergency management. FEMA is a unit of DHS.
Reitinger is an expert on computer crime and policy, and previously was the executive director of the Department of Defense's Cybercrime Center, charged with providing electronic forensic services and supporting cyber investigative functions. Before joining DoD, Reitinger served as deputy chief of the Computer Crime and Intellectual Property division at the Department of Justice.
Reitinger holds a law degree from Yale Law School and a bachelor degree in electrical engineering and computer science from Vanderbilt University.
Distributed Security in Cyberspace
ERIC CHABROW: Last month, the department issued a paper entitled "Enabling Distributed Security in Cyberspace" that outlines a cyber ecosystem which can be defended through three security building blocks, automation, interoperability, and authentication. Please briefly summarize the paper's main points?
PHILIP REITINGER:: The thing that we want to achieve in the paper is a broader, technical and public conversation about how we move to, if you will a new normal.
The truth about the Internet right now is that offense wins. If somebody wants to break into your computer and they have the time and resources to apply, they will be able to get in. If you want to defend your computer completely, you better not connect it to the Internet, not use it, and not even power it on. So we've got to get to a different place.
We are no longer in the world where people just use their computers for sending e-mail and writing documents and watching a silly video online. It is important to be able to fill out your March Madness brackets, but that is not the key here. The key is that we depend on computers for everything that we do now. For having the power stay on, for having our transportation systems flow, for being able to communicate at the most basic level, including call emergency services if you are in trouble.
We in that kind of world can not continue to depend on an ecosystem, an Internet, an electronic communication ecosystem that is fundamentally insecure. We need to change the game and get to an environment where we can depend on communications and information technology to be there when we need them.
The paper is about a series of what may seem to be small changes, things like making authentication more broadly available so we can make effective judgments; increasing automation so that both we and our devices can operate at the speed of attacks, because attacks now promulgate very quickly, as we like to say in this space, at machine speed.
Increasing inoperability, so we can collaborate effectively together not just on a person-toperson level, but on a device-to-device level. The only barriers to our working together or having our devices work together on our behalf are those that we choose to have as opposed to those who are imposed on us by policy.
If we do all those things, those differences work together to create what amounts to a kind difference. An Internet ecosystem that is capable of like the human body, defending itself and responding to the broad set of instructions that come from many people to work together to achieve a different level of security.
No Single Switch to Flick
CHABROW: Is this something that would be just issuing a series of best practices or would there be some fundamental changes that government would be actively involved in, private sector would be actively involved in, some kind of collaboration?
REITINGER:: I think there needs to be a series of some small, some big changes over time. It's not a single switch you flip and say, "Now we're there." It's the long, hard work of building these mechanisms into the ways we work together and to the ways our devices work together.
For example, one of the things that we need is much broader use of strong authentication, in a way that actually enhances privacy. What I mean by that is: It's possible right now for you to strongly identify yourself or for your device to strongly identify itself, but what we don't have is the broad ways to do it cheaply so that if you are setting up a business, it's really easy for you to strongly authenticate anybody who wants to get access to your system in a way that doesn't require significant effort by you. It's just too hard.
Automation, we've got the seeds of allowing devices and people to work with devices in a very much automated way. In particular the National Institute of Standards and Technology, along with a number of partners including both DHS and the National Security Agency, and many people in the private sector has worked to advance something called the Security Content Automation Protocol that allows for us to set particular types of policy, or security content it's called, for devices in a way that is portable across whatever vender you want to use. We've got to continue to do that sort of work so that if anybody who is running a network and say, "Well, I want to implement this policy," and they could do so, and it didn't matter what technology they are using, they could get it done rapidly and easily.
There are similar things true for inoperability. Inoperability is about making sure that we and our devices can work together effectively across vendor platforms.
CHABROW: What is Homeland Security's role in this?
REITINGER:: Part of this is the convener of the conversation. We think this is a fundamental change that needs to take place and the paper is actually talking about an Internet ecosystem that is in many ways, I don't know if I would say immune from, but opposed to command and control.
It's a highly distributed system that doesn't involve one entity saying thou shall do and suddenly it's secure. It is lots of different devices and people working together to make sure we achieve the ends that we want. We want to, one, start the conversation, two, work with our partners and government and industry to make sure we are moving down that path. For example, we all need to work together in standard bodies to continue to expand international standards that will support security to be broadly automated and inoperable like it's already done in Security Content Automation Protocol. We want to look towards and drive ourselves towards living in a world where authentication, inoperability and automation are together.
Let me tell you one thing that we would like to be able to do. Right now the U.S. Computer Emergency Readiness Team, or it's commonly known as U.S.-CERT, and that is our operation center for information technology. So if something bad happens or is about to happen, and we will publish some advice to people, ways they can mitigate it, or things that they should look for. So right now, it's maybe it's a page or two pages or three pages of text that for example, an individual where a systems administrator can read and say, 'Oh, this interesting. I better load this information into my firewalls or my intrusion detection systems, or I want to look for something on my computers to see if there is something bad that is happening."
We want to get out of that game. Not that we don't want to warn people, but we don't want to give them a document anymore except the explanatory text. We want to give them a bunch of bits, what we would think of as an XML blob, sensible mark-up language, so a set of text that they could just say and they can read the piece that goes with it and say, "Oh, this important." And you could just run that XML blob, give it to your firewall, give it to your computers, give it to your intrusion detection systems, and then they can start to look for the things that they should look for.
And, once more, if we build this ecosystem out, any of those devices could then say for example, "Oh, something bad just about happened." A firewall could spot an attack on the way based on that data and say, "I've got an alert, something bad has happened." And, that firewall or the device that is operating on could pass that data back to the system's administrator, who is running that network, or to DHS or to some other entity so we could have real situational awareness about what is happening on our networks.
Advice for IT Security Practitioners
CHABROW: Our site of course goes out to people who are in government, CISOs and others in those positions who help defend IT. We also have sites that go out to healthcare as well as banking. To our readers, what do you want from them?
REITINGER:: I think this is something that they ought to pay attention to. For people involved in making decisions about where they are going to put their resources and where they should help drive technology as a participant, I want them to think about these issues. I want them to think about the fact, "Well, you know, if I were able to strongly authenticate people" - say, I'm an online banking site - "and I didn't have to worry about some particularized solution, but I could go out and say I just want to people to be able to strongly authenticate themselves, and I could depend on a broad ecosystem that would enable them to do that."
I could just say you have to strongly authenticate yourself. I wouldn't have to give them technology. I wouldn't have to program my devices any differently. I could just turn a bit, I could flip a computer switch and be able to accept that, starting to demand that, starting to install that, starting to look for ways to enable strong authentication is important, starting to make demands not only on their information services providers but also on government to move in this direction so that we can enhance the overall security of the ecosystem.
CHABROW: You said it's not flipping a switch. These are small changes or individual changes that are made. Do you see a timeframe for this happening where we are in this new ecosystem?
REITINGER:: I think it needs to happen more quickly than more slowly. I don't think this is ever going to be a place where we get to the endpoint where we say, "Well, we crossed the finish line, problem solved." We need to make progress regularly and the progress is being made. Secretary of Commerce earlier in the year went out to California and discussed with Howard Schmidt, the cybersecurity coordinator, The National Strategy for Trusted Identities in Cyberspace. That is a piece taking us down the road for strong authentication. The ongoing work around Security Content Automation Protocol, NIST, and all the companies that are working with it, moves us down the road. We need to worry not about saying when we're going to get there, but are we making progress day to day and month to month and year to year?
CHABROW: Will there be another report or some kind of document once we get to this point?
REITINGER:: There are going to be a number of steps. One of the things that we've committed to do in the paper is we asked for feedback. I would urge your listeners, particularly those who are interested in the technology, to send us comments. Send an e-mail to Cyberfeedback@DHS.gov. We will take that and we've committed to publishing a follow up paper. So let me add that as an "ask" to your listeners. Read the paper. Tell us what you think. Tell us where you think it hits the mark and tell us where you think it doesn't, and send us data, send us information and we're going to publish a new paper. We've also committed to preparing based on the feedback we get and other discussions, an action plan that we intend to move forward on.
We're thinking about a variety of things from different ways that we can pilot this activity, how we can move forward to spread the Security Content Automation Protocol. For example, how we could take the National Strategy for Trusted Identities in Cyberspace, which tends to focus a little bit more on people and start to say, "Yeah, now how do we extend that to devices?" Because one of the things about the Internet that is really interesting that I'm sure some of your listeners have thought about, everything on the Internet is as I say, action at a distance.
Even if I'm talking to you on the phone, Eric, as opposed to face to face, if we were face to face I could recognize you. When I talk to you over the phone, you know we've talked before I know your voice, I have a pretty strong idea it's you. But when we are talking online, it's really hard to do any of those things, particularly if there is not a biometric element to it, if I'm not looking at the video from you and I'm not listening to your voice over an IP voice connection. You could be anybody. It's the same with software and devices. Anybody can lie about who they are and on the Internet it's really very easy to do that. It's hard to touch and feel things. While I may have loaded a piece of software, even on my home computer while I'm sitting there typing, I can't touch it and feel it. I don't know if it's been changed in some way.
Unless we can strongly authenticate things online, we don't really know who we are talking with or what device we are speaking to, so we can't make effective decisions about whether to trust that or not. It's easy to get lost in the technology pieces of this. We talk about inoperability and automation and authentication and having more healthy devices, and it may appear like its too far off or too ethereal to make a difference, but these things make a real difference.
We actually do depend on these devices on the Internet and even not even just so much anymore, just for our power and for our phones, but we depend on them for our television. And unless we can solve this problem, unless people start to really pay attention to the threat, and how we need to drive a fundamental change, we're going to be in a world that gets worse from day to day and month to month and year to year. We're going to be at a place eventually where your television is going to complain that it's being attacked by your refrigerator and isn't able to operate anymore. None of us wants to live in that world so it's really important to pay attention of even to the technical elements of discussion and tell us what you think.