Inside the protection business

Shannon Kellogg, EMC’s director of information security policy, has long been involved in industry and government cybersecurity issues. Before EMC bought RSA Security in 2006, he was that company’s director of government and industry affairs.He’s a member of the board of directors of the National Cyber Security Alliance, which he helped to establish. Kellogg also is a member of the Center for Strategic and International Studies’ Commission on Cybersecurity, which develops recommendations for government and critical infrastructure defense.Kellogg sat down with FCW to discuss the formidable threats government faces and the complex challenges in its path to neutralizing those risks. : There’s a lot more attention being paid by all of us to the issues surrounding e-espionage and the risks associated with that. The fact is that organizations are being infiltrated and losing more data at the same time as they produce more data than probably ever before.: I think it’s actually a combination of both. You’ve got a thriving business [in the cyber underworld] where organizations and individuals exchange toolsets in order to make a profit. That criminal underground has been tapped into by other actors who are conducting other types of breaches and penetrations, including entities either potentially sponsored by states or affiliated with states.: We’ve seen things shift to different types of espionage, and not just by governmental entities and criminal syndicates. It’s all types of actors who are trying to gain information on different types of organizations that they can use for different advantages in one place or another. I think there’s still a couple of years of growth if not more in this area of e-espionage, and I think it’s going to get more complex and more challenging. The international nature of it is going to be a real challenge for organizations.: You can’t just expect to deploy one kind of technology and combat these threats. Just as these threats are multifaceted, you have to have a multilayered approach in terms of how you are addressing the risk you identify. If you are treating this as just a perimeter problem, you lose. If you are only going to approach it as an access control problem, you lose.The bad guys are continually developing tools and trying their best to stay ahead of the innovators and technology leaders on this. The good news is that because of the R&D and the partnerships that a lot of us have, we are building more and more security into the products and platforms that we provide for our customers. : I think many of the things that have happened in government around the issue of personally identifiable information protection, the Veterans Administration case and other big security breaches have got the attention of a l ot of government employees.Secondly, the Federal Information Security Management Act (FISMA) did the job it was supposed to do in terms of elevating this issue up to the senior executive level, making agencies more accountable for the issue of information security, and making employee training a requirement.But we are still seeing a limited understanding of the threats, especially as those threats change.: FISMA has changed the way a lot of agencies and executives have focused on information security, plus it’s also provided a legal framework under which agencies can work.But one of the major problems is that, even when you have federal agencies that score high on FISMA and get good grades, when you peel back the onion and talk with some of the security professionals in many of those agencies, then guess what, the level of [security] incidents is often pretty high, even if they score well on FISMA.So in its current state, FISMA is not achieving the objective of improving overall information security in these agencies and lowering the risk that agencies and security professionals have to face. We have to lighten the load on the certification and accreditation process, so you still have a basic compliance process that agencies are operating within but, at the same time, enables the chief risk officers within those agencies to do what they need to do from an operational point of view.I’ve had security professionals in very substantial federal agencies look me in the face and say they’ve spent 85 percent to 90 percent of their budget on FISMA, so how the heck are they supposed to do everything else, including address the real risks they have to deal with? To me that’s the No. 1 issue and challenge that we have to deal with.: It has to be all linked. When you talk about the Cybersecurity Initiative, there’s a strong focus on securing government systems, and that’s absolutely critical. But you still have FISMA; you can’t just throw it out.: There are two challenges. If you don’t change FISMA, you’ll still have a lot of focus there, so agencies will still put that as a priority. Then you’ve got to do all of these things that are tied into the president’s initiative, and you’ve got to have all of the people and the planning and resources to do that. And there’s also many different agencies involved in this effort, so you’ve got a tremendous amount of coordination needed across the government. : I, and I think many others, have not yet figured out the best model in terms of the facilitating organization or what the ultimate interface is.The thing that we have to figure out is how to get information that is actionable and specifically tied to a significant threat or risk for an organization and get it in real time into the hands of the government partner in this case so it can get that information into the broader community to mit gate that specific risk.And by the way, share information that’s actionable back with the appropriate people who should receive it so it can be utilized in order to better secure the commercial system that had the original risk and vulnerability.We have to figure out how to do that. I think that’s another big challenge.: I hope and pray that we have a model that is working a lot more effectively than it is now. We’ve made progress in that partnership versus where we were five or six years ago, but looking five years ahead, things are only going to get more complex. And the international aspects of this are only going to get more complex. We are already behind in many ways, in terms of a country looking overall at the protection of our infrastructure and our systems, and we have a lot of catching up to do. It’s absolutely critical that we nail this, and nail it sooner rather than later.